
Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com) 104

Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
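The summary's advice (check whether a patch is available, install it, replace devices older than Marshmallow) written out as a fleet triage. This is an added example, not code from BetaNews or Bridgeway. The inventory fields, model names, vendor lookup table and the `REQUIRED_SPL` threshold are assumptions; Marshmallow is Android API level 23.

```python
from collections import defaultdict
from datetime import date, datetime

REQUIRED_SPL = date(2018, 1, 5)  # assumed; use the level your vendor's bulletin names
MARSHMALLOW_API = 23             # Android 6.0, the age cutoff quoted in the summary


def parse_spl(value):
    """Return a security patch level string as a date, or None if missing or malformed."""
    try:
        return datetime.strptime(value or "", "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None


def classify(device, vendor_latest):
    """Place one inventory record in exactly one bucket."""
    if device["api_level"] < MARSHMALLOW_API:
        return "replace"                  # too old to expect a fix
    installed = parse_spl(device.get("spl"))
    if installed and installed >= REQUIRED_SPL:
        return "patched"
    offered = parse_spl(vendor_latest.get(device["model"]))
    if offered and offered >= REQUIRED_SPL:
        return "install_available_patch"  # fix exists, device has not taken it
    return "waiting_on_vendor"            # nothing to install yet; re-check later


def triage(inventory, vendor_latest):
    """Group device IDs by bucket so each group gets its own follow-up."""
    buckets = defaultdict(list)
    for device in inventory:
        buckets[classify(device, vendor_latest)].append(device["id"])
    return dict(buckets)


# Constructed sample data (hypothetical models and IDs).
VENDOR_LATEST = {"model-a": "2018-01-05", "model-b": "2017-11-01"}
INVENTORY = [
    {"id": "d1", "model": "model-a", "api_level": 26, "spl": "2018-01-05"},
    {"id": "d2", "model": "model-a", "api_level": 25, "spl": "2017-12-01"},
    {"id": "d3", "model": "model-b", "api_level": 24, "spl": "2017-11-01"},
    {"id": "d4", "model": "model-c", "api_level": 22, "spl": None},
    {"id": "d5", "model": "model-b", "api_level": 23, "spl": "unknown"},
]

if __name__ == "__main__":
    for bucket, ids in sorted(triage(INVENTORY, VENDOR_LATEST).items()):
        print(f"{bucket:24} {len(ids)}  {', '.join(ids)}")
```

A device that reports no parseable patch level is never counted as patched; it lands in one of the follow-up buckets.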
  • by Seven Spirals ( 4924941 ) on Tuesday January 16, 2018 @08:06PM (#55942977)
    Uhm, my cell phone doesn't have Wifi or a TCP/IP stack of any kind and has some rinky dink Sharp processor running Symbian. You'll need to go stand at the cell tower if you want to try hacking it. Good luck. Oh for computing? I use a fucking computer with a real keyboard that I can type 118 WPM on. Face it, phones are for chumps. You ain't writing code on that little turd, you're consuming media.
    • Also, the processor simply doesn't have branch prediction at all. So, I'm pretty damn sure it's immune. However, there aren't countermeasures for Stingray. So, if you are into crime take a page from the mob: don't be a dumbass that does bidness over the phone (or texting). If you don't avoid phones, it's just a matter of time before you are caught.
    • Even if the CPU is one of the vulnerable ones, a lot of embedded devices/mobile/whatever are fixed-function and so will never be vulnerable to an actual attack because the attacker can't get their software running on the device. I've got a pile of vulnerable hardware here that isn't going to get patched both because the vendors probably won't bother but also because there's no need to patch, they only do one thing and running third-party software isn't it.
  • by RhettLivingston ( 544140 ) on Tuesday January 16, 2018 @08:24PM (#55943071) Journal

    Since installing patched software, I'm suddenly having to charge my phone (Pixel) twice a day instead of just at night and the fan on my laptop (quad-core Intel processor / Ubuntu 17.10) has been steadily running whereas before I could rarely hear it. It's very annoying.

    These "bugs" are going to end up being the biggest windfall processor manufacturers have seen in years. Unless these patches are radically improved, all of these devices are going to need to be replaced much sooner than planned.

    • Note that I've done no comprehensive analysis to make sure the patches are the problem and I'm pretty sure that my laptop has only received the Meltdown patch with Spectre yet to hit.

      I'm much more sure of the laptop issue being related to a kernel update (because I noticed it as soon as I rebooted) than the phone. But all of that is somewhat irrelevant.

      Fair or not, the minds of users are going to be focused on performance for a while and any performance issues over the next few months will likely be blamed

  • by Anonymous Coward

    The OEM won't even acknowledge that they made the phone after two months so why do you expect they would get things like updates!

  • Poll method (Score:4, Informative)

    by manu0601 ( 2221348 ) on Tuesday January 16, 2018 @08:43PM (#55943157)
    Given the mess of patch availability, I wonder how they can sort the cases where patch is not installed, patch is not yet available, and patch will never be available
  • by AHuxley ( 892839 ) on Tuesday January 16, 2018 @08:56PM (#55943223) Journal
    until the new CPUs are ready.
    Use existing junk devices to not talk about your projects, secrets.
  • by SuperKendall ( 25149 ) on Tuesday January 16, 2018 @09:45PM (#55943431)

    These vulnerabilities only are problems if other software comes to be run on the system that is compromised, and able to target other apps running on the same device...

    For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

    On top of that, very probably for most mobile devices and especially older ones with little memory, most applications will be pushed out of memory quickly anyway so there's nothing to scan (and again it would have to be running as well because the vulnerabilities only let you see the contents of processor memory to begin).

    • by cccc828 ( 740705 )

      For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.

      The problem is that running JavaScript is enough, see for example: https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/ [webkit.org]. And most devices that do have a browser will at some point in time use it to access untrusted hosts...

      • Even were that true (see other response for reasons why it's probably not a viable attack vector) it STILL means whatever else you are targeting has to be running simultaneously... have you RUN Chrome lately? Now imagine what else could possibly be running on an older mobile device with limited memory and CPU at the same time...

    • I don't know where you work, but my current company and the one before, nearly everyone with a corporate phone installed multiple apps, especially games. They also browsed to what they wanted to.
  • by slashdot_commentator ( 444053 ) on Tuesday January 16, 2018 @10:40PM (#55943613) Journal

    Try older than Oreo. My Moto X is at Nougat, and I'm not holding my breath for Lenovo ever putting out a support patch for a phone that is over 2 years old. I'll just have to bork my phone to the latest LineageOS, or get a new one.

  • C O N S U M E !

  • So is production halted, or are the new devices and processors already adapted? They know there is an issue, so are they still selling and producing these faulty items?
    Talking about the chip manufacturers, not hardware ones.

    • by fintux ( 798480 )

      The chip manufacturers have known about the issues already for more than six months (and also many hardware manufacturers have been aware for quite some time), but they've just kept selling hardware they knew was 1) vulnerable and 2) soon about to become somewhat slower, or much slower (in case of Intel).

      Perhaps they've been designing some new hardware based on this, but I don't think they're going to change the current ones, except for shipping with newer microcode (in case of CPUs) or patched software (in

  • Never mind that, my 1-year-old moto^H^H^H^HLenovo handset still hasn't been patched for the 3-months-old Krack vulnerability, which is way more readily exploitable. And the irony is that I bought that particular brand specifically because it used to have a good track record with patching (before it was taken over...)

    Is it even possible to buy a mobile phone with a close-to-vanilla Android install that has a realistic prospect of lasting more than a couple of years and get timely patches? I guess this whole

  • To compromise something like, for example, account credentials, you still have to execute *code* on the computer that takes advantage of the vulnerabilities.

    Many (most?) older "enterprise" non-phone devices (think WinCE, Windows Embedded Handheld 8, and yes, Android whatever version) are locked down to a single application anyway, with the users not allowed to install other applications (thus preventing the devices from running the malicious code).

    Serious enterprises do MDM and lock down phones. Even withou
