We have become accustomed to the fact that we periodically know new data regarding the Intel processor vulnerabilities. When one of these appears, many are those who cry out to heaven and take the opportunity to attack the company. Not just because of the vulnerability, but with the apparent loss of performance from the corresponding mitigations. The reality is that these vulnerabilities are irrelevant.
I have proposed to explain to you the reason why I believe that these vulnerabilities, for ordinary mortals, are irrelevant. And there are more risks surfing the net than any of the vulnerabilities detected in the last two years. Our security and privacy are even indirectly compromised.
- Made in Spain
- Can be used in microwave and dishwasher
- Double protection box for shipping
Are vulnerabilities in Intel processors easy to exploit?
To date, none of the vulnerabilities detected is easy to exploit, two elements are required: technical knowledge and physical access to the machine. This reduces the field of action and, most importantly, leaves the average user out of that risk. And I don't think we go around with our computer and leave it to the first person to pass.
The only one that could be remotely exploited is the last known, LVI, and even so, the researchers already said it was very difficult to exploit. For this reason, none of them pose a risk to average users. Another thing is the companies, which could be compromised, but the risk is very limited.
On a technical level, these vulnerabilities are no joke, of course, but they are not meant to panic either. It is also not a reason to turn off our system, remove the motherboard and processor and change it to one from AMD. Everyone who buys what they want does not follow this line, simply indicating that we are not running a serious risk.
Surfing the internet is more dangerous than any vulnerability
Simply browsing the internet has far more potential risks than any Intel vulnerability. Accessing disreputable web pages, downloading web pages with pop-up windows, or using the same password on multiple sites are some of the more critical risks than Specter, Meltdown, and all other vulnerabilities combined.
We must understand that using our password to access more than one website is a risk. It is not uncommon for massive user data accesses with theft of access credentials to be reported. If we use the same password on two web pages and the database of one of them is compromised, we are in trouble. This means that the attacker can access the second website and steal data without us noticing.
But the biggest risk to our security comes from corporate security malpractice. It is not uncommon for a database that has not been properly secured to be discovered from time to time. Many or part of user databases are exposed on the network without the slightest security. This is not a risk generated by us, it is generated by a third party, more blatant than any vulnerability.
The physical insecurity that we generate
I am going to explore two things that we take as normal, that we do regularly, and that are a risk.
A few months ago there was a wave of robberies of soccer players while they were playing soccer matches. The robbers knew all the data of their homes because they expose them in video and photo on social networks. The attacker knows when he is not at home because he has a game or has to go to training and they entered to rob his houses.
When we travel we like to upload photos and let everyone see where we are and how much fun we had. In our profile there are sure photos of our house, where there is a window and other buildings or areas can be seen. With the shadows and looking at the environment you can know the orientation of the house and find where we live. So a criminal could break into us when he knows we are not home.
Even if we think nothing is wrong, this is a great exhibition of our privacy and security. But they are actions that we have internalized and of which we do not think about the security implications.
There is no privacy today
If we talk about privacy, the smartphone or perhaps social networks will come as the first element. But they are not the only two factors that eliminate or minimize our privacy when browsing. Surely if we ask someone on the street (not now, when the alarm state ends) that it is a cookie, they will not know how to answer or they will tell us that a cookie. Cookies are the paradigm of the lack of privacy, more than the GPS of the smartphone or social networks.
What data does a cookie collect? How long is a cookie collecting information? Why are cookies used? And a lot of questions difficult to answer and that even among specialists, there is no single answer. But we all accept them without reading the fine print of them, just like the social networks we use.
Sure, then scandals like Facebook and Cambridge Analityca appear and we put our hands to our heads. A hypocritical reaction, because all social networks do the same and we know it very well. If we don't know, it is because we are not interested in knowing.
The cloud, a storage solution
How many of you have files, photos or videos (or both) on Google Drive, One Drive, Dropbox and the like? Well basically everyone. Users usually upload photos from our smartphone to Google Photos so as not to lose them. Many of us use Drive for work or class, even companies use it to share documents between workers.
But are these data ours? Not really. Even if we erase this data, there is no guarantee that all content will be removed and there will not be a copy. All voice commands from Amazon Alexa or Apple Siri are stored indefinitely. The photos that we upload to social networks, even if we delete them, are saved indefinitely. It also happens with everything we upload to Drive, Dropbox and other companies.
What software do you have installed?
Today we can use Windows 10 at no cost, we can install it without activating it, leaving a watermark. For 10-20 euros we can buy a license for Windows 10, saving a lot of money, since the licenses sold by Microsoft are very expensive. But, many prefer to activate Windows using third-party tools that do not know the number of security holes they leave.
Avast is another example of an unprecedented security hole. The free antivirus par excellence is a brutal security hole that steals our data. Surely those who have it installed get the pop-up message that our IP is exposed. It indicates other data, such as files that do not contribute anything, etc., data that have been stolen from us for years without saying anything.
But what cries out to heaven the most and indicates how idiotic we are, installing non-certified third-party applications. Does anyone remember WhatsApp Gold? This unofficial application was installed by many and was a fake copy of the application, nowadays from Facebook. The app was a brutal security hole.
Unfortunately, we could give many more examples, but I think it is quite clear.
The vulnerabilities of Intel processors are very important, I do not doubt that for a moment. But I consider that it is being truly hypocritical with said vulnerabilities. I'm not saying that Intel is not being held accountable and I'm not saying we should laugh at these vulnerabilities, but I am saying that they are less dangerous than other security problems that have been around for a long time.
But we must not fool ourselves, there are much more serious risks to security and privacy that are not taken into account. And it is precisely these risks that we should attend to before worrying about other elements. We must also be very clear that Intel vulnerabilities are difficult to exploit, very difficult.
And above all and to close this, require Intel to physically correct these vulnerabilities in future chips.