Samsung has finally told consumers that their phones were unprotected from the infamous Spectre and Meltdown vulnerabilities, having found out about the issue in January 2018, finally fixing the issue in May 2018 and only just telling the world now.
Spectre and Meltdown vulnerabilities allow hackers to access passwords and keys that should be inaccessible by exploiting data made temporarily visible by the CPU.
Computer chips are weak to probing during a function called speculative execution. During this process the chip is trying to preemptively work out what data you need it and in order for it to do so it temporarily becomes more accessible to outside sources.
With the Spectre hack, attackers are able to trigger this state and then access the data they want, where as Meltdown exploited the vulnerability through a computer’s operating system.
As the issue arises from hardware design as opposed to software, this vulnerability has possibly existed for twenty years and exists on hundreds of millions of chips.
Simply being vulnerable doesn’t mean that the devices have been hacked however, with no reports of actual hacks based on the vulnerability known of.
Device manufacturers were rebuked by the United States Congress earlier this year for holding back information, leaving the government exposed to cyber attacks.