WHAT IS THE ISSUE?
This morning, several news outlets reported the existence of a security bug that potentially impacts Intel processors produced in the past decade. This story is developing and you can read more about it here and here. Presently, there is still a limited amount of information available and Intel has been extremely secretive about the bug. The purpose of this post is to analyze the potential implications of this vulnerability as it applies to the broader digital token economy.
Although hardware is typically harder to attack than software, we expect that many black hat organizations will attempt to exploit this bug. For some time, Linux kernel developers have tried to address this vulnerability with a patch described as a “major overhaul” of the Linux kernel. It is already available for download. Over the next week, many large cloud-services providers, such as Microsoft Azure and Amazon Web Services, will undergo maintenance to implement these patches. Until then, their Intel-based systems (and customers) are open to potential exploits. Microsoft and Apple have yet to issue patches for their operating systems.
IMPLICATIONS AND RISKS
In the context of the digital token economy, it is still difficult to gauge the full implications of the exploit at this point. Generally, centralized infrastructure providers, such as exchanges, custodians, and payment processors, rely on Intel processors running Linux, and the architecture of the systems behind their operations heavily emphasizes security over performance. To them, the reduction in performance is not necessarily an operational liability, and we expect they will install the patches as soon as they become available.
Meanwhile, digital token users are part of the group most vulnerable to the bug, especially those storing their private keys locally on a personal computer. Users tend to be slower when it comes to system updates, and given the potential damage that a kernel vulnerability could inflict, we expect more hacks to occur not only within the digital token industry, but potentially on every computer that uses an Intel chip. Since this is a hardware flaw, it cannot be addressed through microcode. Rather, it requires the operating system itself to be changed to resolve the issue. Neither Microsoft nor Apple has issued an official statement regarding how it will implement a patch, and the implications for the performance of computers that feature Intel’s x86-64 hardware are yet to be determined. Two-factor authentication applications, such as Google Authenticator and Authy, may be affected as well, depending on how key pairs are stored by service providers.
The mining process does not necessarily require strong security. Rather, the focus is on efficiency and performance optimization. Additionally, Intel hardware is not predominantly used in the mining industry, which instead relies on custom-built integrated circuits designed to compute specific functions. However, the performance slowdown associated with many KPTI patches can most certainly affect mining pools that rely on the collective computational power of many individual miners.
Additionally, this bug could give rise to new malware that secretly mines digital tokens without the user’s knowledge. Most such malware to date has been embedded in websites, but this vulnerability might enable cryptojacking to be performed locally and further increase the popularity of this type of malware.
EMPHASIS ON HSMS
A kernel vulnerability may grant attackers easier access to all files stored on a machine, making it easier to deploy malware that can log all keys pressed. This further emphasizes the need for broader adoption of Hardware Security Modules, such as the Ledger Nano S, to store and use private keys. Popular HSM devices sign transactions outside of the computer and control the interactions between the computer and the HSM, making kernel exploits more difficult to perform.
We will continue to monitor this situation and analyze the implications of this bug in the context of digital tokens.