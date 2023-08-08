Hackers could exploit a flaw in many Intel processors to steal password and encryption keys from the computers running them, a security researcher revealed on Tuesday.

Optimization features in these processors have been accidentally revealing information to software running on the computers, giving hackers a way to access data that should be off-limits to them, according to Google senior research scientist Daniel Moghimi, who disclosed the vulnerability and dubbed the resulting attacks “Downfall.”

“A malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages,” Moghimi wrote. “Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.”

Intel has released a fix for the vulnerability, which does not affect its most recent line of processors but does affect many others dating back almost a decade. The company warned that its fix could slow down some computers’ performance and offered customers the option to disable it.

The disclosure of the Downfall vulnerability illustrates the difficulty of preventing hackers from abusing the functionality of processors, which are among the most critical components of a computer. It comes five and a half years after a team of researchers revealed the “Spectre” and “Meltdown” flaws, serious vulnerabilities in Intel processors that similarly thwarted features meant to isolate software components from each other.

Intel said that the Downfall flaw did not pose a significant risk to its customers. “We believe trying to exploit this outside of a controlled lab environment would be a complex undertaking,” Jerry Bryant, the company’s senior director for incident response and security communications, said in a blog post. But Moghimi disputed that claim, saying it would be “highly practical” to develop an attack that exploited it. On his website, he said that it took him only two weeks to develop one such attack.

One of the major concerns about Downfall attacks, Moghimi wrote, is that they are difficult to detect. “Downfall execution looks mostly like benign applications,” he said. “Off-the-shelf antivirus software cannot detect this attack.”

Moghimi disclosed the vulnerability to Intel in August 2022. The long delay between private and public disclosures illustrates the complexity of studying and fixing vulnerabilities in computer processors.

Other companies’ processors could be vulnerable to Downfall attacks too. In a research paper describing his findings, Moghimi said that Intel had shared his analysis with “other [processor] and software vendors so that those organizations can assess the impact on their products.”