Slashdot Mirror

← Back to Stories (view on slashdot.org)

Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com)

Posted by BeauHD on from the troubling-findings dept.

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.

16 of 104 comments (clear)

  1. Knock yourselves out, hax0rz by Seven+Spirals · · Score: 3, Insightful

    Uhm, my cell phone doesn't have Wifi or a TCP/IP stack of any kind and has some rinky dink Sharp processor running Symbian. You'll need to go stand at the cell tower if you want try hacking it. Good luck. Oh for computing? I use a fucking computer with a real keyboard that I can type 118 WPM on. Face it phones are for chumps. You ain't writing code on that little turd, you're consuming media.

    1. Re:Knock yourselves out, hax0rz by arglebargle_xiv · · Score: 2

      Even if the CPU is one of the vulnerable ones, a lot of embedded devices/mobile/whatever are fixed-function and so will never be vulnerable to an actual attack because the attacker can't get their software running on the device. I've got a pile of vulnerable hardware here that isn't going to get patched both because the vendors probably won't bother but also because there's no need to patch, they only do one thing and running third-party software isn't it.

    2. Re:Knock yourselves out, hax0rz by geekmux · · Score: 2

      Anyway who cares - most people will get a new phone. This is just noise to sue large corporations so lawyers can get cash.

      Most people don't have a damn clue what "meltdown" or "spectre" is, nor do they care. People will get a new phone only if they need a new phone for reasons other than having a vulnerable device. Security is about the last priority when it comes to phone hardware replacement.

      Best game in America now is using the court system to grab cash. Shoulda been a lawyer instead of an engineer.

      Not gonna argue with you there. The real problem with litigation running rampant through our legal system is the end result; a good chunk of our paycheck ends up going towards various flavors of this shit we call "insurance", and none of it is getting any cheaper.

  2. Patching = degrading by RhettLivingston · · Score: 4, Insightful

    Since installing patched software, I'm suddenly having to charge my phone (pixel) twice a day instead of just at night and the fan on my laptop (quad-core Intel processor / ubuntu 17.10) has been steadily running whereas before I could rarely hear it. It's very annoying.

    These "bugs" are going to end up being the biggest windfall processor manufacturers have seen in years. Unless these patches are radically improved, all of these devices are going to need to be replaced much sooner than planned.

    1. Re:Patching = degrading by RhettLivingston · · Score: 2

      Note that I've done no comprehensive analysis to make sure the patches are the problem and I'm pretty sure that my laptop has only received the Meltdown patch with Spectre yet to hit.

      I'm much more sure of the laptop issue being related to a kernel update (because I noticed it as soon as I rebooted) than the phone. But all of that is somewhat irrelevant.

      Fair or not, the minds of users are going to be focused on performance for a while and any performance issues over the next few months will likely be blamed on Meltdown/Spectre patches first.

  3. Re:What about game systems? by Gravis+Zero · · Score: 3, Informative

    I beleive that AMD devices are vulnerable too.

    AMD chips are only vulnerable to Specter which isn't nearly as valuable. Meltdown is the crown jewel of hardware flaws.

    --
    Anons need not reply. Questions end with a question mark.
  4. Poll method by manu0601 · · Score: 3, Informative

    Given the mess of patch availability, I wonder how they can sort the cases where patch is not installed, patch is not yet available, and patch will never be available

  5. Keep your best secrets off your networks by AHuxley · · Score: 2

    until the new CPU's are ready.
    Use existing junk devices to not talk about your projects, secrets.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:Mobile devices with meltdown? by AC-x · · Score: 2

    Meltdown? On my smartphone? It's more likely than you think.

  7. Re:Meltdown by 110010001000 · · Score: 2

    The only ARM chip that is vulnerable to Meltdown is the not yet released A75 (co-designed by intel). Meltdown is an Intel bug.

  8. For enterprise devices does it matter? by SuperKendall · · Score: 4, Interesting

    These vulnerabilities only are problems if other software comes to be run on the system that is compromised, and able to target other apps running on the same device...

    For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

    On top of that, very probably for most mobile devices and especially older ones with little memory, most applications will be pushed out of memory quickly anyway so there's nothing to scan (and again it would have to be running as well because the vulnerabilities only let you see the contents of processor memory to begin).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:For enterprise devices does it matter? by cccc828 · · Score: 2

      For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

      The problem is that running JavaScript is enough, see for example: https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/. And most devices that do have a browser will at some point in time use it to access untrusted hosts...

    2. Re:For enterprise devices does it matter? by SuperKendall · · Score: 2

      Even were that true (see other response for reasons why it's probably not a viable attack vector) it SITLL means whatever else you are targeting has to be running simultaneously... have you RUN Chrome lately? Now imagine what else could possibly be running on a older mobile device with limited memory and CPU at the same time...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  9. Re: What about game systems? by Gravis+Zero · · Score: 2

    Percentage? it's 100% of x86 with speculative execution which is everything after 586. If it's x86 and made in the last two decades then it's vulnerable to Spectre. If it's x86 by Intel and made after 1995 then it's vulnerable to Meltdown. There are no percentages here.

    --
    Anons need not reply. Questions end with a question mark.
  10. Re: Android what a JOKE!! by Anonymous Coward · · Score: 2, Informative

    Not true. The oldest iOS device that's affected by this is the iPhone 5 (iPhones prior to that didn't do speculative execution), Apple released a patch for the 5 (and all later devices).

    As much as the parent poster tried to make this seem like a reason not to buy Apple, it really is a good reason to buy Apple. Every iOS device affected by these bugs has been patched, including 5 year old ones. There's likely Android devices STILL BEING SOLD that will never be patched.

  11. Older than Marshmallow??? by slashdot_commentator · · Score: 2

    Try older than Oreo. My Moto X is at Nougat, and I'm not holding my breath for Lenovo ever putting out a support patch for a phone that is over 2 years old. I'll just have to bork my phone to the latest LineageOS, or get a new one.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon