Banks, telcos work urgently to combat cyber security flaws

Almost all computers and smartphones at risk

Essential-services sectors in Singapore are working to mitigate cybersecurity risks linked to two critical hardware flaws discovered last year but made public only last week.

Major banks here and telcos Singtel, StarHub and M1 told The Straits Times they are applying available security software fixes to mitigate Meltdown and Spectre, the two major flaws affecting almost all computers and smartphones.

Some companies have also issued alerts to customers to do the same.

"As a responsible Internet service provider, we always ensure that our network equipment runs the latest software patches," said StarHub, urging customers to update the software for their Internet-facing devices.

A Singtel spokesman said: "We advise our customers to monitor the websites of product vendors and device manufacturers for software patches and immediately update their devices with these patches when they are available."

Billions of computers and smartphones are exposed because they are built on processors designed by Intel, Advanced Micro Devices (AMD) and ARM, in which the two flaws were discovered.

Major banks such as DBS Bank, OCBC Bank and United Overseas Bank said they are installing the software fixes as part of their routine risk management process.

ST understands that banks generally use a mixture of Linux and Windows systems for banking operations, and these systems run mostly on Intel processors. For certain tasks, some banks use expensive Unix systems that are not affected by the chip flaws.

The alert was given after the Singapore Computer Emergency Response Team (SingCert) issued an advisory on the flaws which, combined, affect practically all computers and smartphones.

The vulnerabilities allow hackers to access the deep recesses of a computer's memory and steal data, including passwords and confidential documents, said SingCert.

The US government-sponsored Computer Emergency Response Team initially said the only way to fix the vulnerabilities was to replace the defective processor. It later withdrew the recommendation, instead saying those affected should install updates.

SingCert - a unit of Singapore's Cyber Security Agency that coordinates the nation's response to cyber threats and attacks - did not recommend hardware replacement.

Its advisory contains instructions to update system software.

ST understands there is no commonly available and affordable hardware alternative - all affordable processors are based on Intel, AMD and ARM designs.

Meanwhile, many vendors, including Intel, Google, Microsoft and Amazon, have started rolling out software patches to help mitigate the risk of a cyber attack. No such attack is known to have been launched so far.

On Thursday, Apple said Meltdown has the most potential to be exploited.

Security updates were issued last month in the iOS 11.2 operating system for smartphones, macOS 10.13.2 for computers, and tvOS 11.2 for media players.

Apple also said its watchOS for smartwatches did not require mitigation.

Spectre is harder to exploit than Meltdown but also harder to fix, said experts.