In 2013, a teenager named Jann Horn attended a reception in Berlin hosted by Chancellor Angela Merkel. He and 64 other young Germans had done well in a government-run competition designed to encourage students to pursue scientific research.
In Horn’s case, it worked. Last summer, as a 22-year-old Google cybersecurity researcher, he was first to report the biggest chip vulnerabilities ever discovered. The industry is still reeling from his findings, and processors will be designed differently from now on. That’s made him a reluctant celebrity, evidenced by the rousing reception and eager questions he received at an industry conference in Zurich last week.
Interviews with Horn and people who know him show how a combination of dogged determination and a powerful mind helped him stumble upon features and flaws that have been around for over a decade but had gone undetected, leaving most personal computers, internet servers and smartphones exposed to potential hacking.
Other researchers who found the same security holes months after Horn are amazed he worked alone. “We were several teams, and we had clues where to start. He was working from scratch,” said Daniel Gruss, part of a team at Graz University of Technology in Austria that later uncovered what are now known as Meltdown and Spectre.
Horn wasn’t looking to discover a major vulnerability in the world’s computer chips when, in late April, he began reading Intel Corp. processor manuals that are thousands of pages long. He said he simply wanted to make sure the computer hardware could handle a particularly intensive bit of number-crunching code he’d created.
But Zurich-based Horn works at Project Zero, an elite unit of Alphabet Inc.’s Google, made up of cybersleuths who hunt for “zero day” vulnerabilities, unintended design flaws that can be exploited by hackers to break into computer systems.
So he started looking closely at how chips handle speculative execution — a speed-enhancing technique where the processor tries to guess what part of code it will be required to execute next and starts performing those steps ahead of time — and fetching the required data. Horn said the manuals stated that if the processor guessed wrong, the data from those misguided forays would still be stored in the chip’s memory. Horn realized that, once there, the information might be exposed by a clever hacker.
“At this point, I realized that the code pattern we were working on might potentially leak secret data,” Horn said in emailed responses to Bloomberg questions. “I then realized that this could — at least in theory — affect more than just the code snippet we were working on.”
That started what he called a “gradual process” of further investigation that led to the vulnerabilities. Horn said he was aware of other research, including from Gruss and the team at Graz, on how tiny differences in the time it takes a processor to retrieve information could let attackers learn where information is stored.
Horn discussed this with another young researcher at Google in Zurich, Felix Wilhelm, who pointed Horn to similar research he and others had done. This led Horn to what he called “a big aha moment.” The techniques Wilhelm and others were testing could be “inverted” to force the processor to run new speculative executions that it wouldn’t ordinarily try. This would trick the chip into retrieving specific data that could be accessed by hackers.