Opinion
All malicious attacks on digital systems have one common aim: taking control. Mostly, that means getting a CPU somewhere to turn traitor, running code that silently steals or scrambles your data. That code can ride into the system in a whole spectrum of ways, but usually it has to be in memory somewhere at some time, making it amenable to counter-attack.
There’s a far worse scenario, when the CPU itself is brainwashed into highly dangerous behavior like a mouse infected by a parasite that makes it completely unafraid of cats. This is a microcode attack, something that’s remarkably hard to pull off. Google just found one that works on some AMD processors, which is bad enough, even though it’s now patched and under control. There is another far, far more terrifying example underway right now – so let’s look at how it works.
Microcode is one of the most esoteric and profound aspects of the stack. It can take many forms depending on CPU architecture; its job is to coordinate and control the physical function blocks within a processor. Simple processors don’t need it. The instructions fetched from memory have an internal format making them easy to decode into the signals that trigger the logic, math, and data-moving units on the silicon.
This is ancient history for modern CPUs. Program code like x86 has long since stopped bearing any relationship to how data is physically crunched. Instead, that code is translated into micro-instructions that work with the microcode unit to optimally use all the pipelining, out-of-order execution, and inherent parallelism that speeds the plow.
This is almost entirely invisible to the outside world and is kept as secret as the details of the hardware itself. Microcode is also a fiendish exercise in mediating between intricate, interrelated subsystems, and the whole must be very high performance, very reliable, and very secure. Unpicking it is an exercise in perplexity, making compromises very difficult. But not impossible.
Compromised microcode is equally invisible, but can do anything from making 2 + 2 = 5 to poisoning all the security and memory management on which all our digital infrastructure depends. Google’s proof of concept made a random number function return a non-random result, which is how you completely cripple quotidian cryptography. Quantum computing breakthroughs are not required.
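A defensive illustration of that failure mode, added here and not taken from Google's proof of concept or any vendor code: a repetition count health test in the style of NIST SP 800-90B, plus hashing the hardware word with independent OS entropy so a stuck instruction cannot fix the seed on its own. `stuck_source` and its constant are constructed stand-ins; the health test catches only stuck output, and a varying but predictable source would pass it, which is why the mixing step matters.

```python
import hashlib
import math
import os

def rct_cutoff(entropy_bits, alpha_exp=20):
    """Repetition count cutoff C = 1 + ceil(-log2(alpha) / H), alpha = 2**-alpha_exp."""
    return 1 + math.ceil(alpha_exp / entropy_bits)

def repetition_count_ok(samples, entropy_bits=64.0):
    """Return False if any value occurs C or more times in a row."""
    cutoff = rct_cutoff(entropy_bits)
    last, run = None, 0
    for sample in samples:
        run = run + 1 if sample == last else 1
        last = sample
        if run >= cutoff:
            return False
    return True

def derive_seed(hw_word, os_entropy):
    """Hash the hardware word with independent entropy instead of using it raw."""
    return hashlib.sha256(hw_word.to_bytes(8, "little") + os_entropy).digest()

def stuck_source():
    """Constructed stand-in for a hardware RNG that returns a fixed value."""
    return 0x1234

def healthy_source():
    """Constructed stand-in for a working 64-bit hardware RNG."""
    return int.from_bytes(os.urandom(8), "little")

def draw(source, n=16):
    """Collect n consecutive 64-bit words from a source callable."""
    return [source() for _ in range(n)]

def mixed_seed(source):
    """Seed built from one hardware word plus 32 bytes from the OS pool."""
    return derive_seed(source(), os.urandom(32))

if __name__ == "__main__":
    for name, src in (("stuck", stuck_source), ("healthy", healthy_source)):
        print(name, "passes health test:", repetition_count_ok(draw(src)))
    # Raw stuck output is identical every time; mixed seeds still differ.
    print("raw stuck words equal:", stuck_source() == stuck_source())
    print("mixed seeds equal:", mixed_seed(stuck_source) == mixed_seed(stuck_source))
```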
If microcode is permanently baked into a chip, it is effectively invulnerable. That has been the case in the past. Unfortunately, that means a bug in the microcode or the hardware itself can’t be fixed with a patch. The chip has to be replaced, which is the horror show Intel found itself in with the infamous Pentium FDIV bug in 1994. So microcode is now loaded into the processor at startup as an unencrypted and signed binary blob. If you’re smart enough to break that and reverse engineer the microcode, you’re in business. Google’s security engineers are smart enough; others will be too.
Microcode is the regulator of the state of the machinery with infinite disruptive power. To see the other and infinitely alarming hack going on right now, just rearrange those first few words. Regulators are the microcode of the machinery of state, with infinite disruptive power. That’s why Musk and DOGE are working so hard at taking over, closing down, and ignoring regulators. Once those are turned off, the machinery of state will be unprotected and institutionally corrupt. You don’t want Trump to have access to the data that the state has about you? How about the mechanisms of money by which the Treasury works? All the interlocking components of the state, carefully designed to follow rules to protect that data, will be open to abuse.
We know that this is a hack. It’s taking place behind closed doors with no oversight – of course – and no observable rules. It’s of a piece with the other attacks on the Department of Justice, the CIA, and any international obligations that stand between whim and warfare. Musk knows that taking over the IT infrastructure of any organization is the quickest way to commandeer the whole thing. He damn nearly broke Twitter that way, but he did get the wherewithal to drive its radioactive zombie corpse into the ground commercially.
Musk notoriously hates regulation because it just isn’t fair that it reins in his genius. He is the richest man in the free world because of, not despite, a well-ordered state where the conflicting needs of uncountable components are balanced. There is a commitment to finding facts and acting on them through rules and oversight. Like microcode, there are bugs and mechanisms for safe updates. There’s a need for constant evolution through good faith. Smash those, and everything else falls apart. Corrupt states always have corrupt regulation, honest states have honest regulation. An absolute rule.
If you want a metaphor for what the hell’s going on right now, the microcode attack is as good as any. That’s important because what’s happening is so massively and obviously illegal that it depends like all coups on everyone else being too stunned and overwhelmed by the speed and audacity of the attacks to organize before the tipping point. Having a mental model to restore context is the first step in fighting back.
And don’t you dare buy a Tesla. ®