Profit through vulnerabilities

02/27/2018
G DATA Blog

There are many aspects of Meltdown and Spectre that have an unpleasant aftertaste. One of these is the sale of a multi-million dollar Intel stock package shortly before the vulnerabilities in Intel's processors became publicly known.

That you can earn money with security gaps by means other than bug bounties should have been clear ever since reports about security flaws in pacemakers became known. A considerable amount of profit was generated back then by skillfully combining forward transactions with publishing data about a serious security flaw. Even if pacemakers and processors have little to do with each other as such, the prediction we made a little over a year ago has come true: advance knowledge of a security gap can be used to make profits in the stock markets.

The Price of Profit

All of this happens at the user's expense. If manufacturers are aware of a security vulnerability at an early stage (such as St Jude Medical or now Intel) and, on the basis of this information, first make sure their financial assets are safe before the share price falls due to the publication of the reports, then this has far more than just an unpleasant aftertaste. It could be assumed that security is at the expense of the profits of individuals or a company. In the current case in particular, the potential impact of hardware vulnerabilities affects far more people than in the case of vulnerable pacemakers. Safety should be a top priority here.

Trust is good - but how to verify?

The fact that information with an impact on billions of systems and millions of people was only published almost six months later does little to increase the confidence of users. The opposite is true. And this mistrust also rubs off on other areas. According to a G DATA study, seven out of ten users are not convinced that their data is secure when shopping online. This number can certainly be transferred to other fields to a certain extent.

Trust (both in the manufacturer and its security concept) is one of the most important pillars on which the overall structure of "IT security" stands - and falls.