Security vulnerability creates Spectre over Intel, AMD, Apple, and others

2018 started off with a bang for chip vendors like Intel and AMD, as a new and potentially industry-shifting security vulnerability at the silicon level was announced. Along with it came concerns about consumer privacy, financial security, and even potential performance impacts on computers and servers that were patched to alleviate the vulnerability.

Now that the initial wave of overly excited stories has come and gone, and level-headed experts have discussed the security and performance implications, the picture is clearer on how this issue will affect the major chip and processing players.

Intel is the biggest fish

Intel has a target on its back and is of the most concern when it comes to both Spectre and Meltdown security attacks. Though the company has been very clear to call this a “security vulnerability” rather than a “bug” in order to avoid culpability in the already-mounting legal disputes, and CEO Brian Krzanich was under fire for a stock sell-off prior to the public announcement of Spectre and Meltdown, many of the initial concerns appear to be calmed.

SpectreMeltdownFeature-640x353.jpg

There should be no need for a product recall nor for a widespread product replacement program. Not only was this not a feasible step due to the size and scale of Intel’s market share, the performance implications at this point appear minimal enough to consumers to make it unnecessary. The software patches and updates from Microsoft, Google, Apple, and others have secured the vulnerability to a large degree.

But Intel is still the biggest fish in the pond and will receive the most attention going forward. Customers in the enterprise space, where Intel holds a 95%+ share, are going to be more concerned about the performance impacts. Workloads that are heavy on network and storage interaction are seeing the most reduction in performance due to the patches. Database and web services that are simply handlers for networking and storage requests could see drops in the area of 20%.

It seems likely that players like Amazon, Google, Microsoft, and even HP, Dell, and more might come calling to Intel to offer rebates or discounts on future purchases. If 10-20% of Amazon AWS computing capability across its many datacenters is suddenly missing, it will need to ramp up new system deployment to avoid impact to its customers. This additional cost may be where Intel is most vulnerable to culpability.

AMD still not out of the woods

While the first day of worry around the security vulnerability improved AMD’s stock and dropped Intel’s, AMD has not avoided the pitfall surrounding it. AMD continues to push its lowered exposure to this problem, particularly being immune to Meltdown due to different architecture design. For the second variant of Spectre, AMD claimed “near-zero” risk to its customers. For many in the industry, putting that claim forward was seen as risky, as a challenge to security professionals to find a provable exploit like the ones that exist for Intel processors.

Last week AMD announced that it was releasing microcode updates for its platforms, a way to update the internal programming of a processor, to address the Spectre class security vulnerabilities. (Intel had already started this process previously.) These updates allow software vendors like Microsoft and the Linux community to manually address the problem and take the “near-zero” risk claim down an “effective zero” risk.

The company took a hit in the media for this apparent regression in its stance on AMD processors susceptibility to the security vulnerabilities. AMD is steadfast that it has not adjusted its original claims and instead was giving partners the ability to provide the highest possible levels of assurance to customers worried about the security risks at play. It’s the right move for AMD to make though it resulted in potential fallout from the change in messaging.

Keeping things at Arm’s reach

Arm Holdings has arguably the highest quantity of affected chips in the market, though it has the benefit of being more obscure in the eyes of the public. As the leading provider of processor architectures and chips to phones, tablets, and many other devices, it is the licensing partners that will bear most of the financial and public perception burden.

Arm has been the most transparent of all the major processor designers since the release of the Spectre and Meltdown information, posting publicly on its website with details of which processor segments and specific models are affected, and which are not. There is available information for application and operating system developers to integrate patches and fixes. This gives partners and highly technical consumers higher confidence in the strategy that Arm is rolling out to address security.

Because Arm’s chip designs are at the heart of products from companies like Qualcomm and Apple, this is an incredibly important effort to make. Arm is unlikely to feel any affect in terms of sales or financials as there are no reasonable alternatives to the product or services that it offers to those major customers.

Arm processors are at the heart of most smart-devices as well, including watches, networking hardware, thermostats, and more. But these chip designs are fundamentally different (in-order versus out-of-order for those interested) and are not vulnerable to Spectre or Meltdown.

Apple skates on by

Though Apple is at risk both on the notebook and desktop markets by using Intel processors, and on its iPhone and iPad product line via processors that use Arm architectures, it has been proactive in pushing out software updates to patch for security. Because Apple controls the entirety of the software and hardware stack, and it has the highest percentage of consumers that update operating systems regularly, confidence is high in Apple’s product line.

I see no areas of risk where Apple would take a financial or public perception hit due to Spectre and Meltdown.

Other players of note

There are many other companies that need to be watched as we progress through 2018. Google has the responsibility of the Android operating system, the most widely used in the smartphone market. Most of the weight will fall to Android partners to disseminate the patches in system updates. Samsung, HTC, LG, Huawei, and others will need to show customer install bases that they value security and get updates to devices in a much quicker cadence that we are used to seeing occur in the Android ecosystem. The winner here could see an increase in trust with buyers and gain long-term value because of it.

Google, Amazon, and Microsoft all need worry about their cloud-based virtualized service markets and the potential for performance impacts that the patches for Spectre and Meltdown may cause. All could find that a sudden drop in available computing horsepower will force them to purchase new machines to make up the difference, requiring additional investment to maintain the same service reliability.