Intel may be in hot water following revelations that it disclosed information about the dangerous Meltdown and Spectre flaws to certain Chinese customers before notifying the US government.
The Wall Street Journal, citing unnamed sources “familiar with the matter and some of the companies involved,” on Sunday reported that Intel warned “a small group of customers, including Chinese technology companies” about the chip flaws before going public with the information. The US government was not among those who received an early warning.
Intel’s move isn’t sitting well with US security experts. They worry that the information might have been provided to the Chinese government, which could have exploited the bugs to gather intelligence about the US.
One security researcher said the Chinese government almost certainly found out about those conversations since authorities in China “routinely monitor all such communications,” the Journal reported. There is no evidence, however, the information was indeed misused.
Chinese companies that received early warnings included computer maker Lenovo and e-commerce giant Alibaba, the Journal reported. Microsoft, Google, Amazon, and British chip maker ARM were also notified before news of the bugs became public on Jan. 3.
In a statement, an Intel spokesperson said the company “followed best practices of responsible and coordinated disclosure.”
“Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication,” the spokesperson said. “In this case news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.”
The Meltdown and Spectre vulnerabilities, which relate to how a CPU handles tasks that it thinks a PC will need to perform in the future, could be exploited to reap sensitive information from these commands-in-waiting. That information could include passwords stored in a password manager or browser, photos, emails, instant messages, or other sensitive documents.
US lawmakers have already expressed concern over Intel’s response to the chip flaws. Last week, leaders of the House Energy and Commerce Committee sent letters to the CEOs of Intel, Apple, and Microsoft raising questions over the companies’ decision to keep details of the vulnerabilities secret from the rest of the tech industry for months.
Fixing the bugs has been a whole other issue. Microsoft over the weekend released an out-of-band update, which disables Intel’s buggy Meltdown and Spectre protections. That emergency fix comes after Intel last week started advising users to stop deploying the current versions of its patches, as they “may introduce higher than expected reboots and other unpredictable system behavior.”
The first Intel chips with built-in protections against the Meltdown and Spectre threats will start arriving later this year, the company said during a recent earnings call.