Spectre And Meltdown: Intel Allegedly Warned Chinese Clients, But Not U.S. Government, Of Security Flaws
A new report suggests that tech giant Intel allegedly warned select companies, including some of its Chinese customers, about the Spectre and Meltdown chip flaws, but chose not to divulge any information to the U.S. government. Separately, the chipmaker is also being accused of notifying original equipment manufacturers (OEMs) about the issues on the same day its chief executive earned a profit by selling company shares.
On Saturday, the Wall Street Journal cited unnamed representatives from the companies involved and “people familiar with the matter,” writing that Intel notified Chinese tech companies, including Lenovo and Alibaba, about Spectre and Meltdown. Lenovo reportedly issued a statement on January 3 to warn customers about the flaws, noting that it had worked closely with “industry processor and operating partners” to mitigate potential damage ahead of that date.
Likewise, a person with knowledge of Alibaba’s inner workings told the Wall Street Journal that the company was also given a heads-up by Intel, though a spokeswoman for Alibaba’s cloud division called the claims “speculative and baseless,” choosing not to divulge any information on when the company was notified of the security flaws.
Meanwhile, the report also cited an official at the U.S. Department of Homeland Security, who said that staffers were only made aware of the exploits after reading news reports on the issues on January 3. Likewise, White House cybersecurity coordinator Rob Joyce tweeted on January 13 that the National Security Agency was similarly uninformed at the time the news originally broke.
Google’s Project Zero security unit had first spotted the Spectre and Meltdown flaws in June 2017, with a proof-of-concept for the discovery created as of June 22, according to IT Wire. Meltdown potentially allows hackers to tap into personal data by removing the barrier preventing an end-user’s applications from accessing the “sensitive” regions of their operating system, while Spectre speculatively fools affected programs into leaking otherwise inaccessible parts of their memory. The latter exploit is reportedly found in certain AMD and ARM cores, and not just in Intel processors.
Originally, Intel’s plan was to publicly confirm the existence of the flaws on January 9, but when British tech publication The Register wrote an exclusive report about the two exploits, that reportedly forced the chipmaker to “[speed] up its timetable,” the Wall Street Journal noted.
Commenting on the possibility that the local government was aware of Intel’s communications with its Chinese partners, former National Security Agency employee Jake Williams told the Wall Street Journal that he believes it is a “near certainty” that this was the case, as Chinese authorities are required to keep track of such sensitive conversations.
While there is no evidence that the Chinese government had misused the information Intel allegedly gave about Spectre and Meltdown, IT Wire’s report centered on a related accusation, which cited French publication LeMagIt’s claim that Intel was warning original equipment manufacturers (OEMs) about the flaws as far back as November 29 via internal memo, on the same day CEO Brian Krzanich “netted a healthy profit” by selling stock and options. According to CNBC’s report on January 4, the transaction reduced his total shares to 250,000, or the “bare minimum” an Intel CEO is required to own, though an Intel spokeswoman denied that Krzanich’s decision to sell the shares was related to the discovery of the security flaws.
