Hardware vs. Software Vulnerabilities

The Intel chip vulnerability that has made recent headlines is a problem that will likely have lasting implications. 

“This is a serious vulnerability with wide ranging implications, affecting everything from desktops and laptops, to mobile and embedded devices, to servers and cloud infrastructure,” said Chris Domas, Battelle Cyber Scientist. “That said, these vulnerabilities are difficult to exploit, and require an intimate knowledge of CPU architecture. It should be a while before we see these being used in the wild.”

He said the vulnerability is not something consumers should panic about. 

“The careful, responsible disclosure by the researchers, and coordinated efforts from chip manufacturers, operating system designers and web browser architects, have helped ensure many mitigations are already in place,” Chris said. “The average user does not need to panic. Updating your operating system, your web browser and installing an ad-blocker should suffice. Keep these updated, as research into these vulnerabilities progresses.” 

The Intel vulnerability is a bit different than the other cyber security challenges that typically make headlines. Those are usually more about software. But this incident relates to hardware. 

Software vs. Hardware Vulnerabilities

Hardware and software vulnerabilities are apples and oranges. One is not necessarily better or worse than the other. Each has its own challenges, tradeoffs and impacts, and has to be understood on a case-by-case basis. 

Chris said there are tens of thousands of software vulnerabilities for every hardware vulnerability. Something like this only comes around once a decade, so it’s a rarity, which is good since detection of hardware vulnerabilities is difficult. 

“The industry has an arsenal of tools to help us find software vulnerabilities – code auditors, fuzzers, debuggers, static analyzers – but little for hardware vulnerabilities like this,” he said.

Hardware vulnerabilities are more difficult and slower to patch than their software counterparts.

“But on the other hand, they often require more intimate knowledge of processor internals, which can make attackers slower to adopt them. Because of this, software vulnerabilities tend to have a more immediate, but shorter-lived, impact on security while hardware vulnerabilities may linger with us for decades,” said Chris. 

Learn more about the work Battelle is doing in cybersecurity
Learn More