Computerworld

Chip ID number continues to plague Intel

Concerns over a unique serial number that will be fused into the circuitry of every Pentium III processor continue to plague Intel just days before the new chip is due to hit the streets.

In the latest turn of events, a programmer at a German computer publication, Computer Technology, claims to have devised a method of activating and reading the serial number without the computer user's knowledge or consent. "Contrary to Intel's description so far, the system architecture allows for individual identification by software tricks," according to a statement posted on the publication's Web site.

Intel says it needs to know more about the proposed hack before it can comment on its validity. But officials at the Intel Developer Forum in Palm Springs this week have acknowledged that its processor's serial number is not immune to the efforts of a skilled hacker.

"As is the case with any software program, people with malicious intent could hack into it," said George Alfs, program manager for the PC Trades division at Intel. "But it's very unclear what they did. We'd like to understand from their technical people how they claim this can be done."

Negative publicity surrounding the serial number has generated a big headache for Intel on the eve of the Pentium III's launch. The company has said it will spend more than $US300 million in advertising alone to promote the new chip, which at its initial launch speed of 500MHz will be its fastest processor to date.

Intel maintains that the serial number will be a big plus for users by providing enhanced security for Internet activities. The serial number will provide an additional way to identify the parties in a transaction, and give network managers a way to keep track of computer assets in a corporate network, Intel said.

But civil rights groups including the American Civil Liberties Union have bristled at the implications of having a unique identification number attached to every user, and say the idea represents a threat to privacy. They argue that the serial number will allow marketing firms, the government and others to track a user's movements on the Internet and possibly gain other information about Web surfers.

Intel has said users will be able to download a software control utility from its Web site allowing them to enable and disable the serial number at will. The software also will be available from PC makers either pre-installed on computers or on CDs, according to Intel spokesman Tom Waldrop. Bowing to pressure, the company reversed earlier plans and said the control utility will be distributed so that it sets the serial number in the "disabled" position.

According to Intel, once the serial number is deactivated it can only be switched back on again by rebooting the machine, making it more difficult for a hacker to activate the serial number without the user's knowledge.

Not according to the German magazine.

"This description has proved wrong," the statement on Computer Technology's Web site asserts. "The processor expert of Computer Technology magazine, Andreas Stiller, has figured out a procedure to switch on the command for reading out the serial number by software."

According to published reports, Stiller's method uses an applet that can be sent to a user's computer over the Internet, and takes advantage of the Pentium III's power-saving "deep sleep" mode. This could allow a hacker to read users' identification numbers without their knowledge.

Because the deep sleep mode can result in a hard reset, or reboot, of the computer, this can offer an opportunity for the serial number to be turned on, according to Waldrop. However, the control utility checks the status of the serial number every 15 seconds and resets it to "disable" if that is the user's preference, he said.

At the time of writing, Intel officials said they had managed to contact a representative at Computer Technology, who apparently told them that the hack they described has been shown to work in theory but has not actually been demonstrated. Computer Technology could not be contacted today to confirm this.

"I don't think they've actually done it (hacked the serial number)," said Waldrop.

In part because of criticisms that the control utility could be vulnerable to a computer hacker, Intel devised a second, additional method by which the serial number can be disabled -- it takes the form of an "on, off" switch that can be buried in the BIOS (basic input/output system) of a PC. The BIOS is the program that runs when a system is first booted up.

However, while Intel is recommending that PC makers include the BIOS switch in systems they ship, it can't guarantee they all will. So far, some but not all of the PC manufacturers who will offer Pentium III systems have agreed to include the BIOS switch, Alfs said.

In addition, because the BIOS switch will require a greater level of technical know-how for users to operate, Intel is recommending that PC makers who do include the switch set it to the "on" position, so that users who want to take advantage of the processor serial number don't have to fiddle with the BIOS on their new system.

The upshot is that when Pentium III systems hit the shelves this week, some -- but not all -- will be equipped with a BIOS switch that allows users to disable the serial number -- if they know how.