New Intel Chip Flaw ‘Downfall’ Exposes Sensitive Data

Intel has revealed plans to release fixes for a significant processor vulnerability termed ‘Downfall,’ which affects multiple models of the company’s processing chips dating back to 2015, Wired is reporting.


While the vulnerability also affects some Intel processors currently available on the market, its latest chip generations remain unaffected.

‘Downfall’ poses a threat to data security by potentially allowing attackers to breach data isolation measures, leading to the exposure of valuable and sensitive information. This could encompass financial data, emails, messages, passwords, and encryption keys.

Google researcher Daniel Moghimi, who uncovered the ‘Downfall’ flaw, identified its occurrence in chip code that utilizes a “Gather” instruction for quick access to scattered data in memory.

This vulnerability is labeled “Gather Data Sampling,” referencing one of Moghimi’s techniques to exploit the flaw.

The flaw affects chip families like Skylake (2015-2019), Tiger Lake (2020), and Ice Lake (2019-2021). However, the latest chip generations, such as Alder Lake, Raptor Lake, and Sapphire Rapids, are immune due to recently added defenses.


The fixes for this vulnerability are being introduced with an option to disable them, considering potential performance impacts on specific workloads.

Intel indicates that the majority of workloads will not experience reduced performance, though certain vectorization-heavy tasks might be affected.
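Because the fix ships with an opt-out, it is worth confirming on each machine that it is actually active. The script below is an added example, not code from Intel, Moghimi or the article; it assumes a Linux host whose kernel reports Gather Data Sampling status through sysfs, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the article): report the Downfall / Gather Data
# Sampling (GDS) mitigation state of a Linux host.
# Assumption: the kernel is new enough to expose the sysfs file below.
GDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/gather_data_sampling

# Map one kernel status string to an OK / WARN / FAIL verdict.
classify_gds() {
  case "$1" in
    "Not affected")                   echo "OK: CPU not affected" ;;
    "Mitigation: Microcode (locked)") echo "OK: mitigated, cannot be disabled" ;;
    "Mitigation: Microcode")          echo "OK: mitigated, opt-out still possible" ;;
    "Mitigation: AVX disabled"*)      echo "WARN: no microcode fix, AVX turned off instead" ;;
    "Vulnerable: No microcode")       echo "FAIL: microcode update missing" ;;
    "Vulnerable"*)                    echo "FAIL: mitigation disabled" ;;
    "Unknown"*)                       echo "WARN: guest, depends on hypervisor" ;;
    *)                                echo "WARN: unrecognized status" ;;
  esac
}

# Succeeds if a kernel command line ($1) asks for the fix to be turned off.
# A "(locked)" status above means the microcode ignores such a request.
gds_opted_out() {
  for gds_arg in $1; do
    case "$gds_arg" in
      gather_data_sampling=off|mitigations=off) return 0 ;;
    esac
  done
  return 1
}

# Audit the running host; optional $1 and $2 override the two input files.
audit_gds() {
  gds_file=${1:-$GDS_SYSFS}
  gds_cmdline=$(cat "${2:-/proc/cmdline}" 2>/dev/null || true)
  if [ -r "$gds_file" ]; then
    classify_gds "$(cat "$gds_file")"
  else
    echo "WARN: kernel does not report GDS status"
  fi
  if gds_opted_out "$gds_cmdline"; then
    echo "NOTE: boot parameters request the mitigation off"
  fi
  return 0
}

audit_gds
```

A FAIL for missing microcode points to a pending firmware or microcode update, while a FAIL for a disabled mitigation points to a deliberate opt-out that should be traced to the workload owner who requested it.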

Moghimi, who is set to present his findings at the upcoming Black Hat security conference, suggests the need for an agile approach to issuing firmware and microcode fixes.

While Intel considers ‘Downfall’ attacks to be complex, Moghimi emphasizes that proof-of-concept development took only a few weeks. He underlines the potential severity of the flaw, which enables attackers to extract sensitive data over time, albeit requiring substantial effort.

Moghimi notes that ‘Downfall’ seems exclusive to Intel chips but encourages other manufacturers to learn from this situation for enhanced verification.
