National Consumers League: Computer chip defects force nearly all consumers to choose between speed and security

/in , , , , , /by

October 24, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

New NCL #DataInsecurity report details threat these flaws pose to consumers—both in terms of the security of their data and the performance of their computers—and how they can protect themselves in the future

Washington, DC—A new report released today by the National Consumers League details how consumers have been impacted by a series of processor exploits announced over the last 22 months that leave nearly every computer and server from the past two decades vulnerable to hacking. With sensitive data at risk, patches have been issued that better secure computers and servers. However, these temporary fixes can result in significant performance problems.

The report, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” is part of NCL’s #DataInsecurity Project. Timed to coincide with National Cybersecurity Awareness Month, the report is an opportunity to remind consumers about the importance of being safe and secure when online. The report discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after the necessary security patches are applied—and how they can protect themselves in the future.

“This paper is a part of NCL’s mission to empower individuals to protect themselves from companies that put their data at risk,” said John Breyault, NCL vice president, public policy, telecommunications and fraud. “The scope and severity of these chip flaws is alarming, undermining both the security and speed of computers. Nearly two years after the flaws first made headlines, it is likely that consumers are still not fully aware of the risks they face if they do not protect themselves.”

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits have been discovered on an ongoing basis for nearly two years, with the most recent one found in August 2019. The flaws are a result of a process called speculative execution, a functionality created in the 1990s that allows a processor to predict a user’s next action and perform it in advance, thereby reducing delays and increasing the speed of a computer. Because the flaws are foundational to how a CPU’s hardware is built, each patch is only temporary until the next exploit is discovered. Due to the nature of these flaws, the exploits that take advantage of them may not be traceable.

“Consumers are being forced to choose between the security of their data and the computer speed they were promised,” said Breyault. “We recommend consumers prioritize security, though unfortunately, it comes at a financial and performance cost.” 

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, the NCL report acknowledges that this may not be practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills such as the Consumer Privacy Protection Act of 2017 that would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

The full report can be found here.

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.

Computer chip defects force consumers to choose between speed and security

/in , , , , , , , , , , /by

October is National Cybersecurity Awareness Month! Since the first observation of this month 15 years ago, the world has gone from about 800 million Internet users to approximately 4.5 billion. Over that same period of time, there has been an extensive amount of time and energy dedicated to improving cybersecurity and cyber hygiene.

Sadly, despite those good faith efforts, it does not appear that consumers have become safer. In fact, it is clear by now that most individuals have, in one way or another, been affected by some sort of hack or data breach—either on a personal computer or through a company that they have entrusted with their sensitive information.

To make matters worse, beyond the heightened cyber threat environment that exists today, a new hardware-based vulnerability found in almost every processor in the world has recently emerged, and it is making it increasingly difficult for consumers to keep their data protected.

A new report released by the National Consumers League’s #DataInsecurity Project, “Data Insecurity: How One of the Worst Computer Defects Ever Sacrificed Security for Speed,” discusses the threat these processor flaws pose to consumers—both in terms of the security of their data and the performance of their computer after security patches are applied—and how they can protect themselves in the future.

The report details seven publicly disclosed exploits, known as “Spectre,” “Meltdown,” “Foreshadow,” “Zombieload,” “RIDL,” “Fallout,” and “SWAPGS,” that take advantage of the flaws found in CPUs manufactured by AMD, ARM, and Intel. While Spectre affects all three major chip manufacturers, all six subsequent exploits largely affect only Intel processors.

The exploits, in short, can allow a hacker to obtain unauthorized access to privileged information. And while patches have been released alongside each exploit, they have led to a decrease in computer speed and performance—as much as 40 percent according to some reports. In addition, the patch is only good until the next exploit is discovered.

The flaws create a real challenge for consumers: apply each temporary “fix” as new exploits are discovered and risk slowing down your device, or don’t and put your sensitive information at risk. And consumers who apply patches remain at the mercy of companies that hold their sensitive data and are faced with a similar dilemma, particularly as they must consider the expenses of implementing these fixes—including costs to add computing power lost by each patch.

The report concludes that the best protection for consumers is to buy a new computer that has a CPU with hardware-level security fixes or is immune from some of the exploits. Unfortunately, this is not practical for many consumers. Therefore, consumers are advised to perform frequent software updates. NCL is also strongly supporting data security bills, such as the Consumer Privacy Protection Act of 2017, which would require companies to take preventative steps to defend against cyberattacks and data breaches and to provide consumers with notice and appropriate protection when a data breach occurs.

As we mark this year’s National Cybersecurity Awareness Month, we should certainly celebrate the progress that we have made. We cannot lose sight, however, of the need to better secure our information and systems moving forward. Awareness and smart data hygiene by consumers is one part. Companies must do their part to secure our information as well.

If you are interested in learning more, you can find NCL’s latest report here.

NCL: Cars need to come with data deletion buttons to enhance consumer privacy protections

/in , , , , , , , , , , /by

October 3, 2019

Media contact: National Consumers League – Carol McKay, carolm@nclnet.org, (412) 945-3242 or Taun Sterling, tauns@nclnet.org, (202) 207-2832

Washington, DC—The National Consumers League, America’s pioneering worker and consumer advocacy organization, today called on Congress to take steps to rein in car manufacturers’ data collection practices and ensure that consumers have a mechanism to easily delete personal information collected about them by their vehicles.

Thanks to a proliferation of sensors, cellular connectivity and powerful in-car infotainment systems, modern cars can reportedly generate 25 gigabytes every hour and 4,000 gigabytes of data per day. In its new white paper, the consumer group examined the vast scope of personal information being collected about drivers by automobile companies to power a vast data engine that could be worth $750 billion by 2030.

“Every time a consumer gets in a car — whether it’s a vehicle she owns, rents, or rides in – huge amounts of personal data get shared with car companies with practically no oversight or consumer protections,” said NCL Executive Director Sally Greenberg. “We want to shine a light on car companies’ data practices and encourage Congress to create common-sense rules of road for this growing marketplace.”

The NCL white paper examines several existing laws and proposed bills to offer a framework to legislators for steps they can take to better protect the privacy and data security of the driving public. In particular, NCL is urging Congress to mandate that car manufacturers include an easy-to-use data deletion functionality in all new cars to help consumers take control over their in-car data.

“Consumers just want to get from point A to point B safely,” said Greenberg. “While the data generated by our cars can help fuel innovation in the auto industry, that shouldn’t come at the expense of our privacy. Consumers are looking to Congress to take the lead and ensure that car company’s data collection practices have some sensible guardrails.”

Read NCL’s new white paper here. (pdf)

###

About the National Consumers League

The National Consumers League, founded in 1899, is America’s pioneer consumer organization. Our mission is to protect and promote social and economic justice for consumers and workers in the United States and abroad. For more information, visit www.nclnet.org.