Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.

Knock yourselves out, hax0rz

[Seven+Spirals]

Uhm, my cell phone doesn't have Wifi or a TCP/IP stack of any kind and has some rinky dink Sharp processor running Symbian. You'll need to go stand at the cell tower if you want try hacking it. Good luck. Oh for computing? I use a fucking computer with a real keyboard that I can type 118 WPM on. Face it phones are for chumps. You ain't writing code on that little turd, you're consuming media.

Re:Knock yourselves out, hax0rz

[Seven+Spirals]

Also, the processor simply doesn't have branch prediction at all. So, I'm pretty damn sure it's immune. However, there aren't countermeasures for Stingray. So, if you are into crime take a page from the mob: don't be a dumbass that does bidness over the phone (or texting). If you don't avoid phones, it's just a matter of time before you are caught.

Re:Knock yourselves out, hax0rz

[arglebargle_xiv]

Even if the CPU is one of the vulnerable ones, a lot of embedded devices/mobile/whatever are fixed-function and so will never be vulnerable to an actual attack because the attacker can't get their software running on the device. I've got a pile of vulnerable hardware here that isn't going to get patched both because the vendors probably won't bother but also because there's no need to patch, they only do one thing and running third-party software isn't it.

Re:Knock yourselves out, hax0rz

[geekmux]

Anyway who cares - most people will get a new phone. This is just noise to sue large corporations so lawyers can get cash.

Most people don't have a damn clue what "meltdown" or "spectre" is, nor do they care. People will get a new phone only if they need a new phone for reasons other than having a vulnerable device. Security is about the last priority when it comes to phone hardware replacement.

Best game in America now is using the court system to grab cash. Shoulda been a lawyer instead of an engineer.

Not gonna argue with you there. The real problem with litigation running rampant through our legal system is the end result; a good chunk of our paycheck ends up going towards various flavors of this shit we call "insurance", and none of it is getting any cheaper.

Re:Knock yourselves out, hax0rz

[AmiMoJo]

I thought most ARM CPUs were not vulnerable, or at least not to any significant extent.

Also, it's not true that these devices will never get patches. They might not get them from the manufacturer, but if they are running Android they will get them from the Play store. Previously Google has mitigated similar issues that way.

Re: Knock yourselves out, hax0rz

[cyber-vandal]

Can Google patch kernels via the Play Store?

Re: Knock yourselves out, hax0rz

[AmiMoJo]

No, that's why they moved everything they could move out of the kernel.

Remember that Android runs SELinux and apps are heavily sandboxed, so there is a lot more they can do to control them without needing to patch the kernel.

Re: Knock yourselves out, hax0rz

[cyber-vandal]

So they can patch the vulnerability we're talking about here then?

Re: Knock yourselves out, hax0rz

[AmiMoJo]

Yes, it looks like they can effectively mitigate it. If it was Meltdown they would be screwed, but that doesn't affect these CPUs.

Re: Knock yourselves out, hax0rz

[cyber-vandal]

I can't see any mention of a mitigation via the Play Store https://9to5google.com/2018/01... and manufacturers seem to be rolling out patches for some but not all devices.

Re: Knock yourselves out, hax0rz

[AmiMoJo]

Those are OS updates for Google phones, not Play updates.

If you look at what is required to mitigate Spectre, you can see that a kernel update isn't required. At the moment there is no known practical attack using Spectre anyway.

Re: Knock yourselves out, hax0rz

[cyber-vandal]

Link?

Re: Knock yourselves out, hax0rz

[AmiMoJo]

https://meltdownattack.com/#fa...

Check the stuff relevant to Spectre.

Re: Knock yourselves out, hax0rz

[cyber-vandal]

There's nothing in there about Google Play and the security advisory only talks about updating to the latest version of Android. It's appalling that there are phones being sold today that will always be vulnerable to this attack.

Re:Knock yourselves out, hax0rz

[morkk]

so it's taken since the late 1970's to complete your website? mebbe you should have used a PC instead of your phone! ;->

Re:What about game systems?

[JustNiz]

I beleive that AMD devices are vulnerable too.

Patching = degrading

[RhettLivingston]

Since installing patched software, I'm suddenly having to charge my phone (pixel) twice a day instead of just at night and the fan on my laptop (quad-core Intel processor / ubuntu 17.10) has been steadily running whereas before I could rarely hear it. It's very annoying.

These "bugs" are going to end up being the biggest windfall processor manufacturers have seen in years. Unless these patches are radically improved, all of these devices are going to need to be replaced much sooner than planned.

Re:Patching = degrading

[RhettLivingston]

Note that I've done no comprehensive analysis to make sure the patches are the problem and I'm pretty sure that my laptop has only received the Meltdown patch with Spectre yet to hit.

I'm much more sure of the laptop issue being related to a kernel update (because I noticed it as soon as I rebooted) than the phone. But all of that is somewhat irrelevant.

Fair or not, the minds of users are going to be focused on performance for a while and any performance issues over the next few months will likely be blamed on Meltdown/Spectre patches first.

Re:Patching = degrading

[PingSpike]

0%. Intel products all have meltdown, with the possible exception of some old Atom products and stuff from 1995 and earlier.

The most likely explanation is that you already have the patch to mitigate meltdown.

Well like most Anroid devices

The OEM won't even acknowledge that they made the phone after two months so why do you expect they would get things like updates!

Re:What about game systems?

[Gravis+Zero]

I beleive that AMD devices are vulnerable too.

AMD chips are only vulnerable to Specter which isn't nearly as valuable. Meltdown is the crown jewel of hardware flaws.

Poll method

[manu0601]

Given the mess of patch availability, I wonder how they can sort the cases where patch is not installed, patch is not yet available, and patch will never be available

Re:Meltdown

[AC-x]

Some ARM CPUs are also vulnerable.

Keep your best secrets off your networks

[AHuxley]

until the new CPU's are ready.
Use existing junk devices to not talk about your projects, secrets.

Re:Mobile devices with meltdown?

[AC-x]

Meltdown? On my smartphone? It's more likely than you think.

Re: What about game systems?

[AvitarX]

Yeah, but the beta news article does nothing to lead me to believe that there's any check if vulnerability for the 100,000 devices analyzed.

I'm curious what percentage of the too old ones are actually vulnerable?

What percentage of the rest?

They didn't link to a source, and they never said the analysis was of vulnerable devices.

Re:Meltdown

[110010001000]

The only ARM chip that is vulnerable to Meltdown is the not yet released A75 (co-designed by intel). Meltdown is an Intel bug.

For enterprise devices does it matter?

[SuperKendall]

These vulnerabilities only are problems if other software comes to be run on the system that is compromised, and able to target other apps running on the same device...

For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

On top of that, very probably for most mobile devices and especially older ones with little memory, most applications will be pushed out of memory quickly anyway so there's nothing to scan (and again it would have to be running as well because the vulnerabilities only let you see the contents of processor memory to begin).

Re:For enterprise devices does it matter?

[cccc828]

For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

The problem is that running JavaScript is enough, see for example: https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/. And most devices that do have a browser will at some point in time use it to access untrusted hosts...

Re:For enterprise devices does it matter?

[ageoffri]

I don't know where you work, but my current company and the one before, nearly everyone with a corporate phone installed multiple apps, especially games. They also browsed to what they wanted to.

Re:For enterprise devices does it matter?

[SuperKendall]

Even were that true (see other response for reasons why it's probably not a viable attack vector) it SITLL means whatever else you are targeting has to be running simultaneously... have you RUN Chrome lately? Now imagine what else could possibly be running on a older mobile device with limited memory and CPU at the same time...

Re:What about game systems?

[slashdot_commentator]

Use your head. The only password truly vulnerable is the one to the Xbox account. You don't need to bork the console to just make it harder for a login sequence be vulnerable to a cache read.

Re: What about game systems?

[Gravis+Zero]

Percentage? it's 100% of x86 with speculative execution which is everything after 586. If it's x86 and made in the last two decades then it's vulnerable to Spectre. If it's x86 by Intel and made after 1995 then it's vulnerable to Meltdown. There are no percentages here.

Re:that's what you get for using Android!

[slashdot_commentator]

Actually you can. But you're going to lose all those proprietary blobs of binary used to run the camera or manage your phone call packets to audio.

Re: Android what a JOKE!!

Not true. The oldest iOS device that's affected by this is the iPhone 5 (iPhones prior to that didn't do speculative execution), Apple released a patch for the 5 (and all later devices).

As much as the parent poster tried to make this seem like a reason not to buy Apple, it really is a good reason to buy Apple. Every iOS device affected by these bugs has been patched, including 5 year old ones. There's likely Android devices STILL BEING SOLD that will never be patched.

Older than Marshmallow???

[slashdot_commentator]

Try older than Oreo. My Moto X is at Nougat, and I'm not holding my breath for Lenovo ever putting out a support patch for a phone that is over 2 years old. I'll just have to bork my phone to the latest LineageOS, or get a new one.

Re:Older than Marshmallow???

[slashdot_commentator]

I don't see the point in splitting hairs. All current ARM chips are probably vulnerable to SPECTRE, and possibly MELTDOWN.

Re:Older than Marshmallow???

[slashdot_commentator]

The last Moto security patch that Lenovo pushed out was the 12/2016 patch for Marshmallow. Lenovo has put out the Nougat upgrade (7.0, not 7.1), which is supposedly patched out to 9/2017, so its safe from KRACK(?), Heartbleed, etc., but obviously not SPECTRE. (Meltdown?)

Re: Enterprise means android?

Incorrect - the iPhone 5 is the oldest iOS device with a CPU that does speculative execution, and it has been patched.

Re:What about game systems?

[freeze128]

How are you going to load exploit code onto a closed system?

Re: What about game systems?

[AvitarX]

Yeah, I misread, or posted on the wrong comment.

The article still makes me wonder how many enterprise mobile devices are actually vulnerable, almost certainly very few of the too old to be patched set.

Re:Meltdown

[gl4ss]

they could be using intel chipped phones.
though I really doubt it. never sold well.

also, ANY older than marshmallow phone has probably a dozen ways to gain root on it, so it doesn't even matter.

Re:What about game systems?

[sound+vision]

Are those AMD CPUs, or just AMD graphics? Also, what data do you have on your X-Bone that someone would be interested in compromising? Is it typical to have credit card information saved to it? I haven't bought a game console since the PS2.

CONSUME!

[Sir+Holo]

C O N S U M E !

Re:CONSUME!

[hcs_$reboot]

https://www.wired.com/2017/07/...

Re:CONSUME!

C O N S U M E !

O B E Y !

Re:Marketing 101...

[infolation]

Unplanned obsolescence!

Re: What about game systems?

[dryeo]

The early Intel Atoms aren't vulnerable as they didn't do speculative execution and are closer to 10 years old.
https://en.wikipedia.org/wiki/...

What about new devices?

[houghi]

So is production halted, or are the new devices and processors already adapted? They know there us an issue, so are they still selling and producing these faulty items?
Talking about the chip manufacturers, not hardware ones.

Re:What about new devices?

[fintux]

The chip manufacturers have known about the issues already for more than six months (and also many hardware manufacturers have been aware for quite some time), but they've just kept selling hardware they knew was 1) vulnerable and 2) soon about to become somewhat slower, or much slower (in case of Intel).

Perhaps they've been designing some new hardware based on this, but I don't think they're going to change the current ones, except for shipping with newer microcode (in case of CPUs) or patched software (in case of HW manufacturers). What I believe they will do instead is to launch new products that they then advertise being much faster than the previous one (as the old ones suddenly got slower in comparison), and with extra security (as the previous ones were vulnerable).

Android phone makers dropping the ball

[OneAhead]

Never mind that, my 1-year-old moto^H^H^H^HLenovo handset still hasn't been patched for the 3-months-old Krack vulnerability, which is way more readily exploitable. And the irony is that I bought that particular brand specifically because it used to have a good track record with patching (before it was taken over...)

Is it even possible to a buy mobile phone with a close-to-vanilla android install that has a realistic prospect of lasting more than a couple of years and get timely patches? I guess this whole industry is waiting for its "early 2000s" moment before changing its attitude...

Re: What about game systems?

[AvitarX]

It looks like they released the patch to phones that weren't affected.

http://allaboutwindowsphone.co...

This is overblown

[infernalC]

To compromise something like, for example, account credentials, you still have to execute *code* on the computer that takes advantage of the vulnerabilities.

Many (most?) older "enterprise" non-phone devices (think WinCE, Windows Embedded Handheld 8, and yes, Android whatever version) are locked down to a single application anyway, with the users not allowed to install other applications (thus preventing the devices from running the malicious code).

Serious enterprises do MDM and lock down phones. Even without MDM, if you use something like Google for your IdP, you can disallow devices from accessing company accounts if they've been rooted or bootloader-unlocked from the Google Admin console.

I hate BYOD, by the way.