
Slow Chips, Coupled with Fast Ones, Could Address Spectre Flaw

Current software patches for the Spectre chip flaw have been a mere "Band-Aid" on the problem, said Paul Kocher, a security researcher who co-discovered the vulnerability.

By Michael Kan, Principal Reporter


How does the man who co-discovered the Spectre security flaw think it should be fixed?

On Wednesday, independent security researcher Paul Kocher weighed in and warned that software updates and even Intel's chip redesign won't be enough to fully patch the problem.

"Ultimately, we need to have different processors for I think safety and performance," he said during a talk at the RSA security conference. "The processor that's right for playing video games is not the processor that's right for approving wire transfers."

That may sound like an unconventional solution, but Spectre has been no easy vulnerability to fix. In the wrong hands, it could let a bad actor steal sensitive data from any affected machine, including PCs, and more importantly, cloud servers that can host information from a myriad of companies.

For months now, vendors including Intel and Microsoft have been responding to the threat by rolling out software patches. But researchers like Kocher have warned that Spectre will haunt the tech industry for years to come.

A big reason why is that Spectre deals with a performance-boosting feature called "speculative execution" that's found in most modern computer processors. Any attempt to fix the flaw may improve security, but will come at the cost of a chip's performance, Kocher said.


"Speculative execution is one of the gooses that's been laying golden eggs in terms of processor performance," he said. "If you dial that back, it's going to be hard to keep providing performance gains that customers want."

He estimates that to be fully protected from Spectre, vendors would essentially have to stop speculative execution, which could cut a machine's performance by 25 to 50 percent, or potentially more.

Nevertheless, the tech industry has been trying to patch the problem without impacting their products. But according to Kocher, the solutions available now are mere "Band-Aids" that can't stop all the theoretical attacks that could exploit Spectre. Even Intel's own upcoming chip redesign to address the vulnerability will only target one variant of the flaw, but not the other.

The danger is that all this could create a false sense of security for customers. "So you think you're secure when you're not," Kocher said. "You shouldn't just say I'm only going to protect you a little bit and not even tell you what I've missed."

That said, the vulnerability is a bigger worry for cloud server providers than for consumers. Kocher points out that hackers already have an arsenal of malware they can use to infect PCs and smartphones. In addition, Spectre is no easy flaw to exploit.

During his talk, Kocher also offered a longer-term solution to the vulnerability: he envisions vendors offering two classes of processors, slow ones that are fully protected from the flaw and fast ones that aren't. Both processors could even be fitted on a single chip, and alternate between different computing tasks.

Time will tell how Intel and other chip vendors respond to Spectre in the years to come. But in the meantime, Kocher still encourages users to install the available patches for the security flaw, saying: "This kind of vulnerability is going to be with us a long time."
