Security Flaw in Intel Chip, Magazine Says
SAN FRANCISCO — A German magazine claims to have discovered a security flaw in Intel Corp.’s forthcoming Pentium III microprocessor. The processor is already the target of a boycott by privacy advocates for its use of a unique serial number that is designed to facilitate e-commerce transactions but can also be used to track a user’s Internet activity.
In response to widespread outcry, Intel had announced that it would ship the processor with the serial number in the “off” position as the default, meaning that each PC user would need to turn the serial number on to enable Web sites to track their “click streams.”
But on Monday, c’t, a technology trade magazine, announced that it had figured out how to obtain the number in a computer with a chip in the off position, according to an article posted on the magazine’s Web site (https://www.heise.de/ct/english/).
“This has the potential to be a very serious issue for Intel if the problem can be replicated,” said Austin Hill, president of Zero-Knowledge Systems, a Montreal-based security software company.
Intel spokesman Tom Waldrop said that the company has not been able to confirm the magazine’s story, but acknowledged that “anything that can be hacked will be hacked.”
But Waldrop questioned the value of fraudulently obtaining the serial number, and defended the chip ID as beneficial to e-commerce.
“Today, essentially, all security on the Internet is software,” he said. “But security experts say that hardware, or at least hardware-assisted security measures, are the most resilient form of security.”
Bruce Schneier, president of the Minneapolis-based security consultancy Counterpane Systems, said that confidence in e-commerce would actually be undermined if the serial number scheme proves vulnerable.
A hacker could also engage in malicious mischief or sabotage, said Hill, such as reporting a computer with a specific Pentium III ID as stolen, creating problems for that computer’s user in future e-commerce transactions.
“I think Intel has avoided the real issue. This is not beneficial to e-commerce,” Hill added. He noted that because many Web users work on two or more PCs, a unique identifier for a single PC could confuse, rather than aid, secure e-commerce transactions.