Slashdot Mirror


Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com)

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.

104 comments

  1. What about game systems? by Anonymous Coward · · Score: 0

    XBox One and PlayStation 4 both use AMD processors, but I haven't heard anyone out-and-out claim a hack is impossible.

    1. Re:What about game systems? by JustNiz · · Score: 1

      I believe that AMD devices are vulnerable too.

    2. Re:What about game systems? by Gravis+Zero · · Score: 3, Informative

      I believe that AMD devices are vulnerable too.

      AMD chips are only vulnerable to Spectre which isn't nearly as valuable. Meltdown is the crown jewel of hardware flaws.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re: What about game systems? by AvitarX · · Score: 1

      Yeah, but the BetaNews article does nothing to lead me to believe that there's any check of vulnerability for the 100,000 devices analyzed.

      I'm curious what percentage of the too old ones are actually vulnerable?

      What percentage of the rest?

      They didn't link to a source, and they never said the analysis was of vulnerable devices.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:What about game systems? by slashdot_commentator · · Score: 1

      Use your head. The only password truly vulnerable is the one to the Xbox account. You don't need to bork the console to just make it harder for a login sequence to be vulnerable to a cache read.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    5. Re: What about game systems? by Gravis+Zero · · Score: 2

      Percentage? It's 100% of x86 with speculative execution which is everything after 586. If it's x86 and made in the last two decades then it's vulnerable to Spectre. If it's x86 by Intel and made after 1995 then it's vulnerable to Meltdown. There are no percentages here.

      --
      Anons need not reply. Questions end with a question mark.
    6. Re:What about game systems? by freeze128 · · Score: 1

      How are you going to load exploit code onto a closed system?

    7. Re: What about game systems? by AvitarX · · Score: 1

      Yeah, I misread, or posted on the wrong comment.

      The article still makes me wonder how many enterprise mobile devices are actually vulnerable, almost certainly very few of the too old to be patched set.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re:What about game systems? by Anonymous Coward · · Score: 0

      Wouldn't you need to be able to actually run your stuff first?
      If you can already do that, the console is hacked.

    9. Re:What about game systems? by sound+vision · · Score: 1

      Are those AMD CPUs, or just AMD graphics? Also, what data do you have on your X-Bone that someone would be interested in compromising? Is it typical to have credit card information saved to it? I haven't bought a game console since the PS2.

    10. Re: What about game systems? by Anonymous Coward · · Score: 0

      Amusingly, my old Windows 10 phone received a January 3 patch even though stuck on 1511 (no further upgrades allowed because "not compatible" though it runs fine most of the time), which otherwise is no longer receiving updates after November 2017. Interesting? WinPhones were used in a number of corporate settings due to easier manageability than Android or Apple, though that issue is more or less behind us now. And it's on a very old (though quad-core) Snapdragon chip, so I suspect the patch does little or nothing other than, possibly, some minor stuff related to Spectre. Wonder if the patch was pushed due to remaining corporate usage? Would the small number of still-used Windows phones that got the patch change the percentages any (ha ha /s)?

    11. Re: What about game systems? by dryeo · · Score: 1

      The early Intel Atoms aren't vulnerable as they didn't do speculative execution and are closer to 10 years old.
      https://en.wikipedia.org/wiki/...

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    12. Re:What about game systems? by Anonymous Coward · · Score: 0

      AMD APUs, actually:

      https://www.anandtech.com/show/11992/the-xbox-one-x-review/3

      That's just the latest one. There's a slower APU in the original Xbox One.

      As for WHY you would want to compromise it . . . botnet?

    13. Re:What about game systems? by Anonymous Coward · · Score: 0

      They're both AMD CPUs and AMD graphics. I don't know what a hacker could gain from compromising your console, but I believe the community as a whole could benefit from the vulnerabilities if they help jailbreak these devices.

    14. Re: What about game systems? by AvitarX · · Score: 1

      It looks like they released the patch to phones that weren't affected.

      http://allaboutwindowsphone.co...

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. Meltdown by Anonymous Coward · · Score: 0

    I'm waiting for the headline that 0% of enterprise devices are patched against meltdown.

    Oh the horror, all those ARM devices that still aren't patched against this Intel bug...

    1. Re:Meltdown by AC-x · · Score: 1

      Some ARM CPUs are also vulnerable.

    2. Re:Meltdown by 110010001000 · · Score: 2

      The only ARM chip that is vulnerable to Meltdown is the not yet released A75 (co-designed by Intel). Meltdown is an Intel bug.

    3. Re:Meltdown by gl4ss · · Score: 1

      They could be using Intel-chipped phones.
      Though I really doubt it. Never sold well.

      Also, ANY older-than-Marshmallow phone has probably a dozen ways to gain root on it, so it doesn't even matter.

      --
      world was created 5 seconds before this post as it is.
    4. Re: Meltdown by Anonymous Coward · · Score: 0

      False.

      AMD and ARM have vulnerabilities going back years. iOS has a patch for current phones and tablets. Android has one as well.

      Try reading next time.

    5. Re: Meltdown by Anonymous Coward · · Score: 0

      Try reading next time.

      Someone really needs to take their own advice.
      The subject was MELTDOWN, which is the INTEL bug.
      You're welcome.

    6. Re:Meltdown by Anonymous Coward · · Score: 0

      They could be using Intel-chipped phones.
      Though I really doubt it. Never sold well.

      Also, ANY older-than-Marshmallow phone has probably a dozen ways to gain root on it, so it doesn't even matter.

      But that won't stop news articles about all the phones and tablets that aren't patched against a bug that doesn't affect them.

      Intel has done an incredible job trying to play off Meltdown as if it wasn't an issue that only affects them, which it absolutely is. Hell, even on this very site we have people that are obviously confused about it, and we should be the ones that know what the deal is.

  3. Knock yourselves out, hax0rz by Seven+Spirals · · Score: 3, Insightful

    Uhm, my cell phone doesn't have Wifi or a TCP/IP stack of any kind and has some rinky dink Sharp processor running Symbian. You'll need to go stand at the cell tower if you want to try hacking it. Good luck. Oh, for computing? I use a fucking computer with a real keyboard that I can type 118 WPM on. Face it, phones are for chumps. You ain't writing code on that little turd, you're consuming media.

    1. Re:Knock yourselves out, hax0rz by Seven+Spirals · · Score: 1

      Also, the processor simply doesn't have branch prediction at all. So, I'm pretty damn sure it's immune. However, there aren't countermeasures for Stingray. So, if you are into crime take a page from the mob: don't be a dumbass that does bidness over the phone (or texting). If you don't avoid phones, it's just a matter of time before you are caught.

    2. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Anyway who cares - most people will get a new phone. This is just noise to sue large corporations so lawyers can get cash.

      Best game in America now is using the court system to grab cash. Shoulda been a lawyer instead of an engineer.

    3. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Cool man, can you order us an Uber to go over to the big code monkey conference across town? Oh, you have a dadphone, my bad.

    4. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Yeah, has lots of Dad money too. Just orders a Limo; leaves you and your nipple faced girl friend to ride in them losers cars.

    5. Re:Knock yourselves out, hax0rz by arglebargle_xiv · · Score: 2

      Even if the CPU is one of the vulnerable ones, a lot of embedded devices/mobile/whatever are fixed-function and so will never be vulnerable to an actual attack because the attacker can't get their software running on the device. I've got a pile of vulnerable hardware here that isn't going to get patched both because the vendors probably won't bother but also because there's no need to patch, they only do one thing and running third-party software isn't it.

    6. Re: Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Money I saved from not owning a smartphone went to buying a Rolls and hiring a chauffeur. Donâ(TM)t need Uber

    7. Re:Knock yourselves out, hax0rz by geekmux · · Score: 2

      Anyway who cares - most people will get a new phone. This is just noise to sue large corporations so lawyers can get cash.

      Most people don't have a damn clue what "meltdown" or "spectre" is, nor do they care. People will get a new phone only if they need a new phone for reasons other than having a vulnerable device. Security is about the last priority when it comes to phone hardware replacement.

      Best game in America now is using the court system to grab cash. Shoulda been a lawyer instead of an engineer.

      Not gonna argue with you there. The real problem with litigation running rampant through our legal system is the end result; a good chunk of our paycheck ends up going towards various flavors of this shit we call "insurance", and none of it is getting any cheaper.

    8. Re: Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      You are a liar. The bug in the formatting of your comments indicates that your post was done from an iPhone or iPad. Discuss....

    9. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      If you had money you wouldn't be crying that an iPhone costs 1k, you'd just whip out some cash and cop one. You're probably some unemployed babyboomer who blames "age discrimination" for why no one wants to hire your ass, but really no one is interested in hiring a tech who can't even handle an iPhone.

    10. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Don't need it. The Limo has a phone and computer and etc. You keep your leash, spy device and I'll keep being happy and disconnected after work. Now get back to those after hours backups, son.

    11. Re:Knock yourselves out, hax0rz by AmiMoJo · · Score: 1

      I thought most ARM CPUs were not vulnerable, or at least not to any significant extent.

      Also, it's not true that these devices will never get patches. They might not get them from the manufacturer, but if they are running Android they will get them from the Play store. Previously Google has mitigated similar issues that way.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Knock yourselves out, hax0rz by Anonymous Coward · · Score: 0

      Old school here...been coding since late 1970's. Just finished a website done entirely on my rooted 2015 $199 stock android 5.5" phone. Get with the fucking times, 'tard. Desktops are so 1995. Laptops even. Lol.

    13. Re: Knock yourselves out, hax0rz by cyber-vandal · · Score: 1

      Can Google patch kernels via the Play Store?

    14. Re: Knock yourselves out, hax0rz by AmiMoJo · · Score: 1

      No, that's why they moved everything they could move out of the kernel.

      Remember that Android runs SELinux and apps are heavily sandboxed, so there is a lot more they can do to control them without needing to patch the kernel.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re: Knock yourselves out, hax0rz by cyber-vandal · · Score: 1

      So they can patch the vulnerability we're talking about here then?

    16. Re: Knock yourselves out, hax0rz by AmiMoJo · · Score: 1

      Yes, it looks like they can effectively mitigate it. If it was Meltdown they would be screwed, but that doesn't affect these CPUs.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re: Knock yourselves out, hax0rz by cyber-vandal · · Score: 1

      I can't see any mention of a mitigation via the Play Store https://9to5google.com/2018/01... and manufacturers seem to be rolling out patches for some but not all devices.

    18. Re: Knock yourselves out, hax0rz by AmiMoJo · · Score: 1

      Those are OS updates for Google phones, not Play updates.

      If you look at what is required to mitigate Spectre, you can see that a kernel update isn't required. At the moment there is no known practical attack using Spectre anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re: Knock yourselves out, hax0rz by cyber-vandal · · Score: 1

      Link?

    20. Re: Knock yourselves out, hax0rz by AmiMoJo · · Score: 1

      https://meltdownattack.com/#fa...

      Check the stuff relevant to Spectre.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re: Knock yourselves out, hax0rz by cyber-vandal · · Score: 1

      There's nothing in there about Google Play and the security advisory only talks about updating to the latest version of Android. It's appalling that there are phones being sold today that will always be vulnerable to this attack.

    22. Re:Knock yourselves out, hax0rz by morkk · · Score: 1

      so it's taken since the late 1970's to complete your website? mebbe you should have used a PC instead of your phone! ;->

  4. that's what you get for using Android! by Anonymous Coward · · Score: 0, Funny

    Hey, It's open source so you can always patch it yourself, except YOU CAN'T! lollll

    1. Re:that's what you get for using Android! by slashdot_commentator · · Score: 1

      Actually you can. But you're going to lose all those proprietary blobs of binary used to run the camera or manage your phone call packets to audio.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    2. Re:that's what you get for using Android! by Anonymous Coward · · Score: 0

      and some stupid application will refuse to run because you are not using official rom (like f*** cogeco tivo)

  5. Mobile devices with meltdown? by Anonymous Coward · · Score: 0

    I thought Intel gave up on mobile processors.

    1. Re:Mobile devices with meltdown? by AC-x · · Score: 2

      Meltdown? On my smartphone? It's more likely than you think.

  6. Fix our devices? by Anonymous Coward · · Score: 0

    But that costs MONEY!!!!!!!!! The stockholders won't like it!

  7. Patching = degrading by RhettLivingston · · Score: 4, Insightful

    Since installing patched software, I'm suddenly having to charge my phone (pixel) twice a day instead of just at night and the fan on my laptop (quad-core Intel processor / ubuntu 17.10) has been steadily running whereas before I could rarely hear it. It's very annoying.

    These "bugs" are going to end up being the biggest windfall processor manufacturers have seen in years. Unless these patches are radically improved, all of these devices are going to need to be replaced much sooner than planned.

    1. Re:Patching = degrading by RhettLivingston · · Score: 2

      Note that I've done no comprehensive analysis to make sure the patches are the problem and I'm pretty sure that my laptop has only received the Meltdown patch with Spectre yet to hit.

      I'm much more sure of the laptop issue being related to a kernel update (because I noticed it as soon as I rebooted) than the phone. But all of that is somewhat irrelevant.

      Fair or not, the minds of users are going to be focused on performance for a while and any performance issues over the next few months will likely be blamed on Meltdown/Spectre patches first.

    2. Re:Patching = degrading by Anonymous Coward · · Score: 0

      I have none of these problems on my MacBook Pro and iPhone running with the latest patches.

    3. Re:Patching = degrading by Anonymous Coward · · Score: 0

      Good for you. I can replace my laptop (which outperforms a MacBook Pro) and still have spent less on the two laptops combined than what a MacBook Pro costs. And how can you stand using a tiny 15" screen?

    4. Re:Patching = degrading by Anonymous Coward · · Score: 0

      My PC running an Intel I7 cpu was determined to not have the vulnerability, according to Microsoft's update checker.
      Just what is the percentage of modern Intel CPUs that don't have the problem?

    5. Re:Patching = degrading by Anonymous Coward · · Score: 0

      So few that I don't believe that your i7 was determined to not have the vulnerability, at least without it being patched.

    6. Re:Patching = degrading by PingSpike · · Score: 1

      0%. Intel products all have meltdown, with the possible exception of some old Atom products and stuff from 1995 and earlier.

      The most likely explanation is that you already have the patch to mitigate meltdown.

  8. Well like most Android devices by Anonymous Coward · · Score: 1

    The OEM won't even acknowledge that they made the phone after two months so why do you expect they would get things like updates!

  9. Poll method by manu0601 · · Score: 3, Informative

    Given the mess of patch availability, I wonder how they can sort the cases where patch is not installed, patch is not yet available, and patch will never be available

  10. Keep your best secrets off your networks by AHuxley · · Score: 2

    until the new CPU's are ready.
    Use existing junk devices to not talk about your projects, secrets.

    --
    Domestic spying is now "Benign Information Gathering"
  11. Kernel devs are too busy promoting... by Anonymous Coward · · Score: 0

    ...more kernel modules for crap we don't need in hopes we forget about this to fix these issues in a timely manner. "Let Windows and Mac fix it while we add VirtualBox module by default in 4.16 release."

  12. safe by Anonymous Coward · · Score: 0

    Since they refuse to tell us, I assume that the vulnerable processors can only be hacked by someone physically accessing the device and planting malware with a USB stick or cd/dvd.

  13. For enterprise devices does it matter? by SuperKendall · · Score: 4, Interesting

    These vulnerabilities only are problems if other software comes to be run on the system that is compromised, and able to target other apps running on the same device...

    For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

    On top of that, very probably for most mobile devices and especially older ones with little memory, most applications will be pushed out of memory quickly anyway so there's nothing to scan (and again it would have to be running as well because the vulnerabilities only let you see the contents of processor memory to begin).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:For enterprise devices does it matter? by cccc828 · · Score: 2

      For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

      The problem is that running JavaScript is enough, see for example: https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/. And most devices that do have a browser will at some point in time use it to access untrusted hosts...

    2. Re:For enterprise devices does it matter? by Anonymous Coward · · Score: 0

      The problem is that this is bullshit.

      The proof of concept was only able to access memory within a very limited scope. Also, to perform this attack, you need very specific information on the target system's memory, bus speed, CPU and browser (version).

      It is very difficult to implement and will probably not be suitable for mass attacks, but even if you do, the result will be mostly useless garbage.

      Stop parroting this utter nonsense on how JavaScript is completely an attack vector.

    3. Re:For enterprise devices does it matter? by ageoffri · · Score: 1

      I don't know where you work, but my current company and the one before, nearly everyone with a corporate phone installed multiple apps, especially games. They also browsed to what they wanted to.

      --
      -- Slashdot, making the Left look conservative since 1997.
    4. Re:For enterprise devices does it matter? by SuperKendall · · Score: 2

      Even were that true (see other response for reasons why it's probably not a viable attack vector) it STILL means whatever else you are targeting has to be running simultaneously... have you RUN Chrome lately? Now imagine what else could possibly be running on an older mobile device with limited memory and CPU at the same time...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    5. Re: For enterprise devices does it matter? by Anonymous Coward · · Score: 0

      Just running Chrome is enough by itself. Most people running Chrome have it remember all their web site passwords and cookies for them. From there, the crackers can run amok quite easily.

  14. Device manufacturers are celebrating... by Anonymous Coward · · Score: 0

    I'm not sure a CPU engineer could formulate a better way to guarantee several billion devices will become obsolete, thereby ensuring huge volumes of future sales.

    Meltdown and Spectre are a huge win for numerous manufacturers.... =(

  15. Marketing 101... by Anonymous Coward · · Score: 0

    Make a product with a vulnerability that will require buying a new model in 5-10 years or earlier.

    1. Re:Marketing 101... by infolation · · Score: 1

      Unplanned obsolescence!

  16. Re: Android what a JOKE!! by Anonymous Coward · · Score: 2, Informative

    Not true. The oldest iOS device that's affected by this is the iPhone 5 (iPhones prior to that didn't do speculative execution), Apple released a patch for the 5 (and all later devices).

    As much as the parent poster tried to make this seem like a reason not to buy Apple, it really is a good reason to buy Apple. Every iOS device affected by these bugs has been patched, including 5 year old ones. There's likely Android devices STILL BEING SOLD that will never be patched.

  17. Older than Marshmallow??? by slashdot_commentator · · Score: 2

    Try older than Oreo. My Moto X is at Nougat, and I'm not holding my breath for Lenovo ever putting out a support patch for a phone that is over 2 years old. I'll just have to bork my phone to the latest LineageOS, or get a new one.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    1. Re:Older than Marshmallow??? by Anonymous Coward · · Score: 0

      Actually, aren't some Qualcomm ARM chips vulnerable?

    2. Re:Older than Marshmallow??? by Anonymous Coward · · Score: 0

      Re, the Moto: has Lenovo pushed out ANY security patches? If not, why should the Meltdown/Spectre patch be any different?

    3. Re:Older than Marshmallow??? by Anonymous Coward · · Score: 0

      I have a Moto G5 plus. The phone was released last March, and it has had exactly one update (to Aug 1 patch level). They claim that it's going to be upgraded to Oreo, but I've already given up hope that that will happen, and I'm planning to root it and install Oreo myself if they don't patch it on Feb 1st.

      tl;dr: Motorola / Lenovo didn't bother to patch KRACK, so they're not going to patch Spectre. Fuck Motorola / Lenovo. I'll buy Apple, Google, or Samsung next time.

    4. Re:Older than Marshmallow??? by slashdot_commentator · · Score: 1

      I don't see the point in splitting hairs. All current ARM chips are probably vulnerable to SPECTRE, and possibly MELTDOWN.

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    5. Re:Older than Marshmallow??? by slashdot_commentator · · Score: 1

      The last Moto security patch that Lenovo pushed out was the 12/2016 patch for Marshmallow. Lenovo has put out the Nougat upgrade (7.0, not 7.1), which is supposedly patched out to 9/2017, so it's safe from KRACK(?), Heartbleed, etc., but obviously not SPECTRE. (Meltdown?)

      --
      There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    6. Re:Older than Marshmallow??? by Anonymous Coward · · Score: 0

      Not the zillions with Cortex A53 and similar.

  18. Re: Enterprise means android? by Anonymous Coward · · Score: 1

    Incorrect - the iPhone 5 is the oldest iOS device with a CPU that does speculative execution, and it has been patched.

  19. Where are the attacks then? by Anonymous Coward · · Score: 0

    If this is all so dire, where are the attacks?

    if every single everything is vulnerable, you're telling me that not one person has a working malware with this yet?

    Trust me, if sophos or someone else discovered one, it would be front page news. So i question how big of a deal this really is.

  20. Good phone design by Anonymous Coward · · Score: 0

    Check out this phone by Cog and HTC: https://cog.systems/htc-secured-by-d4/ which uses virtualization and minimizes a lot of these issues by design because the vpn and its keys (etc) are totally isolated from Android. Plus I think the current one is Cortex-A53 so not impacted by side channel attacks for now. Really cool - I've just ordered one.

  21. CONSUME! by Sir+Holo · · Score: 1

    C O N S U M E !

    1. Re:CONSUME! by Anonymous Coward · · Score: 0

      https://www.techarp.com/guides/complete-meltdown-spectre-cpu-list/

    2. Re:CONSUME! by hcs_$reboot · · Score: 1
      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:CONSUME! by Anonymous Coward · · Score: 1

      C O N S U M E !

      O B E Y !

  22. So Android is fucked by Anonymous Coward · · Score: 0

    Without patching fast, app makers on the play store can take advantage of these holes and install any number of malware. Google doesn't review manually. This will eventually get past their automated checks, and likely hundreds of millions of people will be impacted.

  23. Original article here by Anonymous Coward · · Score: 0

    The original press release in full can be found here:
    https://www.bridgeway.co.uk/news/articles/only-4-percent-of-enterprise-mobile-devices-are-patched-against-meltdown-spectre-vulnerabilities-shows-latest-research

    Looks like it covered both Spectre and Meltdown patches, hence the confusion caused by this article.

    HTH

  24. What about new devices? by houghi · · Score: 1

    So is production halted, or are the new devices and processors already adapted? They know there is an issue, so are they still selling and producing these faulty items?
    Talking about the chip manufacturers, not hardware ones.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:What about new devices? by Anonymous Coward · · Score: 0

      It takes about 6 weeks for WIP to proceed from raw wafers to finished die in a fab. So even if new designs are available, which I doubt, they won't be around for a while. And no the manufacturer is not going to junk 6 weeks of WIP either. It gets sold, warts and all.

    2. Re:What about new devices? by fintux · · Score: 1

      The chip manufacturers have known about the issues already for more than six months (and also many hardware manufacturers have been aware for quite some time), but they've just kept selling hardware they knew was 1) vulnerable and 2) soon about to become somewhat slower, or much slower (in case of Intel).

      Perhaps they've been designing some new hardware based on this, but I don't think they're going to change the current ones, except for shipping with newer microcode (in case of CPUs) or patched software (in case of HW manufacturers). What I believe they will do instead is to launch new products that they then advertise being much faster than the previous one (as the old ones suddenly got slower in comparison), and with extra security (as the previous ones were vulnerable).

  25. hostage by Anonymous Coward · · Score: 0

    This must be the largest ever hostage taking and extortionist plan any industry has ever dared on its clients.

  26. Android phone makers dropping the ball by OneAhead · · Score: 1

    Never mind that, my 1-year-old moto^H^H^H^HLenovo handset still hasn't been patched for the 3-months-old Krack vulnerability, which is way more readily exploitable. And the irony is that I bought that particular brand specifically because it used to have a good track record with patching (before it was taken over...)

    Is it even possible to buy a mobile phone with a close-to-vanilla android install that has a realistic prospect of lasting more than a couple of years and get timely patches? I guess this whole industry is waiting for its "early 2000s" moment before changing its attitude...

    1. Re:Android phone makers dropping the ball by Anonymous Coward · · Score: 0

      This needs regulation. This fragmentation shit is getting to ridiculous levels. Maybe make the device manufacturer pay penalties of daily average world-wide group revenue per device that they refuse to keep up-to-date on security patches.

  27. Re:Android what a JOKE!! by Anonymous Coward · · Score: 0

    I prefer using an OS that gives me a sense of ownership. Just strip out GAPPS and sideload the shit you need. When iOS actually allows the phones to operate like the pocket computers they are, I refuse to look at iPhones as nothing more than overpriced toys. Why brag about the fastest processor when there's shit-all you can do with it?

  28. This is overblown by infernalC · · Score: 1

    To compromise something like, for example, account credentials, you still have to execute *code* on the computer that takes advantage of the vulnerabilities.

    Many (most?) older "enterprise" non-phone devices (think WinCE, Windows Embedded Handheld 8, and yes, Android whatever version) are locked down to a single application anyway, with the users not allowed to install other applications (thus preventing the devices from running the malicious code).

    Serious enterprises do MDM and lock down phones. Even without MDM, if you use something like Google for your IdP, you can disallow devices from accessing company accounts if they've been rooted or bootloader-unlocked from the Google Admin console.

    I hate BYOD, by the way.

    1. Re:This is overblown by Anonymous Coward · · Score: 0

      The attack demo was made with running JavaScript code...
      Since it uses interrupt timing, the fix was to disable high precision timer in the web browser.

  29. 2015? by Anonymous Coward · · Score: 0

    > Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.

    A Google search reveals it was shown in May, 2015 and stable 6.01 was released in October. So, they're saying anything older than that is compromised.

    Nice.

    For desktops, it will be AMD from now on -- if Intel did this on purpose, it will cost them dearly; for mobile, I'll have to check, but Asus seem to use Intel, so... no Asus, for starters.

    2015 my arse.

  30. It's not just the enterprise by Anonymous Coward · · Score: 0

    I have 4 tablets here at home, running Android 2.1, 4.3, 4.4 and 6.0.

    None of these have ever seen a single OS update throughout their entire lifetimes. "Too old"? When I buy a brand new tablet, I'd expect to leave the store, get home, look for updates, and find *something*. But no, these have all been abandonware the moment I've left the store.

    I'm done with Android. And I refuse to give Apple a penny. What does that leave me with?

    Consider that yet, my Windows Phone, a "dead" platform that has never seen any market share, was already patched a few weeks ago. WTF?