Intel told Chinese firms of Meltdown flaws before the US government

It raises concerns that China could have exploited the security holes.

Intel may have been working with many tech industry players to address the Meltdown and Spectre flaws, but who it contacted and when might have been problematic. Wall Street Journal sources have claimed that Intel initially told a handful of customers about the processor vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, but not the US government. While the chip giant does have to talk to those companies to coordinate fixes, the Chinese government routinely monitors conversations like this -- it could have theoretically exploited the holes to intercept data before patches were available.

An Intel spokesman wouldn't detail who the company had informed, but said that the company couldn't notify everyone (including US officials) in time because Meltdown and Spectre had been revealed early. Lenovo said the information was protected by a non-disclosure agreement. Alibaba has suggested that any accusations of sharing info with the Chinese government were "speculative and baseless," but this doesn't rule out officials intercepting details without Alibaba's knowledge.

There's no immediate evidence to suggest that China has taken advantage of the flaws, but that's not the point -- it's that the US government could have helped coordinate disclosures to ensure that enough companies had fixes in place. Big names like Apple, Amazon, Google and Microsoft were ready relatively quickly, but most everyone else was left racing to fix or mitigate the flaws. That could have led to attacks on vendors that weren't in the early list, but were still running critical systems.

Intel is between a rock and a hard place in situations like this. There's no question that it has to notify partners, but it also has to limit those notifications to minimize leaks before patches are ready. The issue, as you might guess, is that the company didn't appear to have accounted for the cyberwarfare implications of who it notified first.