Intel Has a Big Problem. It Needs to Act Like It

Meltdown and Spectre have opened up new hacking threats, sparked class actions, and enraged longtime partners.

Even without the aid of Hunter S. Thompson’s favorite drugs, CES, held in Las Vegas each January, has always been a little surreal. This year’s bacchanal was crammed with drones, self-driving cars, and internet-connected toilet seats—and the opening keynote speech was stranger than any of that. On Jan. 8, 5,000 ticket holders made their way through a sea of hired models and ultra-high-definition TVs to the Monte Carlo Resort and Casino on the Strip, where they squeezed into a theater to watch a two-hour psychedelic variety show. The opening act, a Blue Man Group-style quartet called Algorithm ’n Blues, pantomimed a performance of Human by the Killers, backed up by a digital bassist on a giant LCD screen, flying drones that played keys on a giant piano, and a trio of acrobats, dressed like extras from Tron, who performed a trampoline routine. And that’s not the weird part.

After the music came Brian Krzanich, chief executive of Intel Corp., doing about the best Willy Wonka impression one can do in a button-down blue dress shirt and jeans. “I’d love nothing more than to simply put my phone away and take this evening to truly celebrate innovation with you,” the 57-year-old CES regular said, bragging about his company’s advances in virtual reality and new partnerships with autonomous-vehicle technology companies. Former NFL quarterback Tony Romo appeared onstage to talk up Intel’s work in 3D video, and Krzanich showed off a full-size pilotless helicopter before capping the evening by suggesting they head outside to see a light show over the famous Bellagio fountains involving hundreds of drones—all, of course, either made by Intel or running on Intel chips.

CEO Krzanich holds Intel’s latest drone, the Shooting Star Mini, as he speaks at CES in Las Vegas on Jan. 8.

The whole thing was a dizzying reminder that although Intel isn’t the household name it was during the PC boom of the 1990s, it can still put on a show. The company makes about 90 percent of the world’s computer processors and 99 percent of the server chips in the data centers that effectively run the internet. While the world’s largest chipmaker has struggled to expand beyond those core businesses, it reported $60 billion in 2017 revenue at a gross margin of 63 percent, an unimaginable profit for most factory owners.

What made the Intel keynote so surreal was that Krzanich barely mentioned the potentially catastrophic news that was on everyone’s mind. The previous week, the Register, a British technology journal, reported that independent researchers had discovered flaws in Intel’s chip designs that hackers could exploit to steal data thought to be the most secure. These vulnerabilities, known as Meltdown and Spectre, are a very, very big deal, allowing hackers to peek at the part of the computer where companies and individuals store passwords, encryption keys, and most anything sensitive. The flaws are unprecedented. Every PC, every smartphone, and every server in the world is exposed. The episode has already led to lawsuits and calls for investigations, and undermines more than a decade of Intel’s technical wizardry.

For the past few years, major cloud providers have sought ways to reduce their dependence on Intel’s server chip monopoly, quietly developing their own models or funding nascent competitors. And just days before Krzanich took the stage in Vegas, Intel gave those companies—and everybody else—a massive incentive to accelerate those efforts.

Even the researchers who discovered Meltdown and Spectre initially didn’t believe what they were seeing. “That would have been such a major f--- -up by Intel that it can’t be possible,” researcher Michael Schwarz recalls thinking. Spectre affects all modern chips, including those made by competitors, but the easier hack, Meltdown, applies almost exclusively to chips made by Intel.

The flaws can be patched, but those patches could slow the Intel chips by as much as 30 percent, the equivalent of turning a state-of-the-art server chip into one from 2013. “There is no playbook for something like this,” says Charles Carmakal, a vice president at Mandiant, the arm of security company FireEye that consults on high-profile hacks. “I don’t think I’ve ever seen a vulnerability that worked across so many different operating systems and devices.”

If the slowdown turns out to be anywhere near as bad as some think it could be, it’ll amount to a major price increase for data center owners, who could in turn demand that Intel cover the cost. (So far, the big cloud providers have said their customers won’t be affected. Their plans, and the costs, remain unclear.) And because Intel is so reliant on chip revenue, there’d be no easy way to make up those losses. Intel’s stock is down 5 percent since the Register report; shares of Advanced Micro Devices Inc., its only real competitor for PC and server chips, are up 11 percent.

During the six months Intel was quietly working to try to fix the vulnerabilities, Krzanich sold $24 million in company shares. Intel says the stock sale was part of a plan that had been in place before anyone there knew about Meltdown or Spectre, but the day after Krzanich’s CES speech, two U.S. senators sent letters to the Securities and Exchange Commission and the Department of Justice demanding investigations. Consumer and shareholder lawyers have filed a dozen class actions against Intel, and there are few signs the pressure will let up on Krzanich anytime soon. In a research note, an analyst for Sanford C. Bernstein & Co. called the stock sale “indefensible.”

Intel, which declined to make Krzanich available for comment, has treated Meltdown and Spectre as something close to a nonstory. In its initial statement, issued on Jan. 3, the company disputed that Spectre and Meltdown represented “flaws,” describing them as merely a new field of “research” into an industrywide phenomenon. It said any slowdowns would be minimal, close to zero for most people, and that the episode would have no impact on Intel’s business. At CES, after Algorithm ’n Blues but before Romo, Krzanich briefly addressed the not-flaw by thanking Intel’s peers for “coming together” to “address the recent security findings.”

Intel’s clients, including the biggest companies in the technology industry, have mostly kept quiet. They have no alternative supplier. Privately, some are seething. The day after Krzanich’s big show, Microsoft Corp. published a blog post disputing Intel’s earlier assertion that users wouldn’t notice the slowdowns. Navin Shenoy, an Intel executive vice president, said in a statement that customer security is “a critical priority” for the company. In private conversations with clients, Intel’s top managers haven’t always acted that way, treating a disaster that threatens the security of every computer user and the profits of a whole category of businesses as no big deal, according to an executive at one of Intel’s large customers. The potential fallout isn’t an academic concern, the executive says, “it’s f---ing scary.”

Part of what makes Meltdown and Spectre so terrifying is that they upend more than a decade of conventional wisdom about information security. Starting in the mid-2000s, Intel added a layer of security within its chips and began encouraging developers to store users’ most sensitive information in the walled-off area rather than in regular software memory. Only about two years ago did researchers first notice, and begin trying to crack, a feature called speculative execution that Intel uses to speed up its chips. It essentially allows a chip to access any data it guesses a user is about to ask for, even if it’s inside the secure area, before checking whether the user is allowed to access it. This is a big reason computers and smartphones have kept getting faster year after year. It also left a gaping security hole.

The feature’s vulnerabilities were discussed at conferences and in academic papers but were considered merely theoretical until last spring, when Jann Horn, a 22-year-old researcher in Google’s elite cybersecurity division, succeeded in reading private data from the secure area. Horn informed Intel in June, beating out three other research teams that discovered the flaw later in 2017. Together, they began working with Intel to patch the flaws; until the Register report, they’d planned to disclose their findings on Jan. 9. As Google pointed out in a blog post about the discovery, the security flaws could allow a cloud user to covertly snoop on another customer’s machine. Anyone with an Amazon Web Services account could, in theory, steal another AWS user’s login data and access their files, though that would often require physical access to the target machine.

In interviews, Intel executives dispute suggestions that the company’s focus on chip speeds led it to overlook obvious vulnerabilities. Intel says it’s already provided software fixes for 90 percent of its chips and that this is nothing out of the ordinary. “We have an ongoing process to make our products better,” says Stephen Smith, general manager of the company’s data center group. “We just happen to be doing it under a spotlight now.” At CES, Krzanich told the crowd that “as of now” Intel had “not received any information that these exploits have been used to obtain customer data.”

This sounds more comforting than it probably should. Security analysts say that if four groups of researchers independently figured out the exploits, then some number of governments with sophisticated cyberweapons programs (China, Russia, the U.S.) likely did, too. An intelligence agency armed with Spectre or Meltdown would likely aim big, according to Mandiant’s Carmakal. “A government wouldn’t use this to break into Target,” he says. “They’d use it to get into the Department of Defense.”

So far, Meltdown and Spectre probably pose less risk to the average person than, say, a simple phishing attack in which a hacker tries to send you to a malicious website. They won’t lead to the kind of widespread panic that resulted from the 2017 hack of Equifax’s customer database.

But that could change. Hackers who hadn’t tried to break into Intel’s hardware, believing there was no way it would leave a side door open, are now seeking ways in. “You’re going to be looking for other things like this,” says Jeff Pollard, an analyst with the research firm Forrester. “This is a new kind of attack. This is going to linger.”

And long-term fixes won’t be easy. While coders can pull a few all-nighters to close holes in software, a chip takes years to design, test, and mass-produce. Each model can cost tens of millions of dollars to develop. For now, computer owners and data center operators will have to make an unsavory choice: Use Intel’s software patches and accept slower speeds, or skip the patches and remain at risk. (Intel has already said patches are causing some machines to reboot more often than usual.) Future designs will include hard-wired fixes that speed things up, but the first versions of those won’t appear until later this year, the company says.

All of this puts Intel in a tough spot. The company is a nonfactor in the smartphone-chips business dominated by Samsung, Qualcomm, and ARM, and rival Nvidia has taken a commanding lead in the fast-growing market for graphics chips used in artificial intelligence applications. Now, Meltdown and Spectre threaten the core of Intel’s business. The company has no competitor in server chips at the moment, but this episode could change that. Microsoft and Google have publicly praised Qualcomm Inc.’s first server chip, which went on sale in November, and Apple, Google, Microsoft, Amazon, and Facebook all have internal divisions working on chip designs.

Intel’s more immediate threat is political. It’ll almost certainly have to withstand criticism from lawmakers at a time when governments around the world are increasingly skeptical of tech companies with de facto monopolies. “This hyper-dependence on one chipmaker, indeed one technology, although billed as a way to lower prices, has had the effect also of greatly increasing society’s exposure not only to hackers but also to ‘shock events’ that disrupt entire systems,” the Open Markets Institute, a Washington think tank that advocates for controls on market concentration, wrote in its weekly newsletter on Jan. 11. For now, Intel’s big problem is Krzanich’s stock sales, but if it becomes clear that customers have been harmed by hacking or higher costs, regulators will likely seek recourse through consumer protection suits, antitrust investigations, or both.

Intel has faced this kind of public pressure before. In 1994 the company was heavily criticized for trying to ignore evidence that its Pentium chips were generating errors for certain obscure calculations. The crisis caused IBM to announce that it would no longer ship machines that used the flawed chips. Intel’s meticulously constructed brand, Intel Inside, which had served as a sort of Good Housekeeping Seal for computer buyers, suddenly looked questionable. As part of Intel’s extensive mea culpa, then-CEO Andy Grove offered to replace all the buggy chips and took an inventory writedown of $475 million, about half its annual R&D budget at the time.

Grove’s lesson, as he recounted in his business-advice book Only the Paranoid Survive, was that Intel had been caught out. Even a quarter-century into its existence, the massive company still saw itself as a scrappy tech startup. With its size and influence, he acknowledged, came new responsibilities. “The trouble was,” Grove wrote, “not only didn’t we realize that the rules had changed, but what was worse, we didn’t know what rules we now had to abide by.”

Intel has been the top chipmaker for the past 25 years, but Meltdown and Spectre could turn out to be much worse than the Pentium bug. If the company wants to maintain its position, it’ll need real humility, not cheap theatrics.
With Dina Bass, Mark Bergen, Alex Webb, and Dune Lawrence