Many Enterprise Mobile Devices Will Never Be Patched Against Meltdown, Spectre (betanews.com)
Mark Wilson shares a report from BetaNews: The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected. Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age. Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.
Re: (Score:2)
I believe that AMD devices are vulnerable too.
Re:What about game systems? (Score:4, Informative)
I believe that AMD devices are vulnerable too.
AMD chips are only vulnerable to Spectre which isn't nearly as valuable. Meltdown is the crown jewel of hardware flaws.
Re: What about game systems? (Score:1)
Yeah, but the BetaNews article does nothing to lead me to believe that there's any check of vulnerability for the 100,000 devices analyzed.
I'm curious what percentage of the too old ones are actually vulnerable?
What percentage of the rest?
They didn't link to a source, and they never said the analysis was of vulnerable devices.
Re: (Score:3)
Percentage? It's 100% of x86 with speculative execution which is everything after 586. If it's x86 and made in the last two decades then it's vulnerable to Spectre. If it's x86 by Intel and made after 1995 then it's vulnerable to Meltdown. There are no percentages here.
Re: (Score:1)
Yeah, I misread, or posted on the wrong comment.
The article still makes me wonder how many enterprise mobile devices are actually vulnerable, almost certainly very few of the too old to be patched set.
Re: (Score:1)
It looks like they released the patch to phones that weren't affected.
http://allaboutwindowsphone.co... [allaboutwindowsphone.com]
Re: (Score:2)
The early Intel Atoms aren't vulnerable as they didn't do speculative execution and are closer to 10 years old.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Use your head. The only password truly vulnerable is the one to the Xbox account. You don't need to bork the console to just make it harder for a login sequence to be vulnerable to a cache read.
Re: (Score:2)
Some ARM CPUs are also vulnerable [techarp.com].
Re: (Score:2)
They could be using Intel chipped phones.
Though I really doubt it. Never sold well.
Also, ANY older than Marshmallow phone has probably a dozen ways to gain root on it, so it doesn't even matter.
Knock yourselves out, hax0rz (Score:3, Insightful)
Re: (Score:3)
Anyway who cares - most people will get a new phone. This is just noise to sue large corporations so lawyers can get cash.
Most people don't have a damn clue what "meltdown" or "spectre" is, nor do they care. People will get a new phone only if they need a new phone for reasons other than having a vulnerable device. Security is about the last priority when it comes to phone hardware replacement.
Best game in America now is using the court system to grab cash. Shoulda been a lawyer instead of an engineer.
Not gonna argue with you there. The real problem with litigation running rampant through our legal system is the end result; a good chunk of our paycheck ends up going towards various flavors of this shit we call "insurance", and none
Re: (Score:2)
I thought most ARM CPUs were not vulnerable, or at least not to any significant extent.
Also, it's not true that these devices will never get patches. They might not get them from the manufacturer, but if they are running Android they will get them from the Play store. Previously Google has mitigated similar issues that way.
Re: Knock yourselves out, hax0rz (Score:2)
Can Google patch kernels via the Play Store?
Re: (Score:2)
No, that's why they moved everything they could move out of the kernel.
Remember that Android runs SELinux and apps are heavily sandboxed, so there is a lot more they can do to control them without needing to patch the kernel.
Re: Knock yourselves out, hax0rz (Score:2)
So they can patch the vulnerability we're talking about here then?
Re: (Score:2)
Yes, it looks like they can effectively mitigate it. If it was Meltdown they would be screwed, but that doesn't affect these CPUs.
Re: Knock yourselves out, hax0rz (Score:2)
I can't see any mention of a mitigation via the Play Store https://9to5google.com/2018/01... [9to5google.com] and manufacturers seem to be rolling out patches for some but not all devices.
Re: (Score:2)
Those are OS updates for Google phones, not Play updates.
If you look at what is required to mitigate Spectre, you can see that a kernel update isn't required. At the moment there is no known practical attack using Spectre anyway.
Re: Knock yourselves out, hax0rz (Score:2)
Link?
Re: (Score:2)
https://meltdownattack.com/#fa... [meltdownattack.com]
Check the stuff relevant to Spectre.
Re: Knock yourselves out, hax0rz (Score:2)
There's nothing in there about Google Play and the security advisory only talks about updating to the latest version of Android. It's appalling that there are phones being sold today that will always be vulnerable to this attack.
Re: (Score:1)
so it's taken since the late 1970's to complete your website? mebbe you should have used a PC instead of your phone! ;->
Re: (Score:2)
Actually you can. But you're going to lose all those proprietary blobs of binary used to run the camera or manage your phone call packets to audio.
Re: (Score:3)
Meltdown? On my smartphone? It's more likely than you think [techarp.com].
Patching = degrading (Score:5, Insightful)
Since installing patched software, I'm suddenly having to charge my phone (Pixel) twice a day instead of just at night and the fan on my laptop (quad-core Intel processor / Ubuntu 17.10) has been steadily running whereas before I could rarely hear it. It's very annoying.
These "bugs" are going to end up being the biggest windfall processor manufacturers have seen in years. Unless these patches are radically improved, all of these devices are going to need to be replaced much sooner than planned.
Re: (Score:3)
Note that I've done no comprehensive analysis to make sure the patches are the problem and I'm pretty sure that my laptop has only received the Meltdown patch with Spectre yet to hit.
I'm much more sure of the laptop issue being related to a kernel update (because I noticed it as soon as I rebooted) than the phone. But all of that is somewhat irrelevant.
Fair or not, the minds of users are going to be focused on performance for a while and any performance issues over the next few months will likely be blamed
Re: (Score:2)
0%. Intel products all have Meltdown, with the possible exception of some old Atom products and stuff from 1995 and earlier.
The most likely explanation is that you already have the patch to mitigate Meltdown.
Well like most Android devices (Score:1)
The OEM won't even acknowledge that they made the phone after two months so why do you expect they would get things like updates!
Poll method (Score:4, Informative)
Keep your best secrets off your networks (Score:3)
Use existing junk devices to not talk about your projects, secrets.
For enterprise devices does it matter? (Score:5, Interesting)
These vulnerabilities only are problems if other software comes to be run on the system that is compromised, and able to target other apps running on the same device...
For most enterprise devices, they aren't going to be having other apps installed. They probably aren't going to be running anything but company apps, the web browser if at all using company web pages. So it hardly matters if this security issue is present.
On top of that, very probably for most mobile devices and especially older ones with little memory, most applications will be pushed out of memory quickly anyway so there's nothing to scan (and again it would have to be running as well because the vulnerabilities only let you see the contents of processor memory to begin).
Re: (Score:2)
The problem is that running JavaScript is enough, see for example: https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/ [webkit.org]. And most devices that do have a browser will at some point in time use it to access untrusted hosts...
Re: (Score:3)
Even were that true (see other response for reasons why it's probably not a viable attack vector) it STILL means whatever else you are targeting has to be running simultaneously... have you RUN Chrome lately? Now imagine what else could possibly be running on an older mobile device with limited memory and CPU at the same time...
Older than Marshmallow??? (Score:3)
Try older than Oreo. My Moto X is at Nougat, and I'm not holding my breath for Lenovo ever putting out a support patch for a phone that is over 2 years old. I'll just have to bork my phone to the latest LineageOS, or get a new one.
Re: (Score:2)
I don't see the point in splitting hairs. All current ARM chips are probably vulnerable to SPECTRE, and possibly MELTDOWN.
Re: (Score:2)
The last Moto security patch that Lenovo pushed out was the 12/2016 patch for Marshmallow. Lenovo has put out the Nougat upgrade (7.0, not 7.1), which is supposedly patched out to 9/2017, so it's safe from KRACK(?), Heartbleed, etc., but obviously not SPECTRE. (Meltdown?)
CONSUME! (Score:2)
C O N S U M E !
Re: (Score:1)
C O N S U M E !
O B E Y !
Re: (Score:1)
The chip manufacturers have known about the issues already for more than six months (and also many hardware manufacturers have been aware for quite some time), but they've just kept selling hardware they knew was 1) vulnerable and 2) soon about to become somewhat slower, or much slower (in case of Intel).
Perhaps they've been designing some new hardware based on this, but I don't think they're going to change the current ones, except for shipping with newer microcode (in case of CPUs) or patched software (in
This is overblown (Score:2)
To compromise something like, for example, account credentials, you still have to execute *code* on the computer that takes advantage of the vulnerabilities.
Many (most?) older "enterprise" non-phone devices (think WinCE, Windows Embedded Handheld 8, and yes, Android whatever version) are locked down to a single application anyway, with the users not allowed to install other applications (thus preventing the devices from running the malicious code).
Serious enterprises do MDM and lock down phones. Even withou
Re: (Score:2, Informative)
Not true. The oldest iOS device that's affected by this is the iPhone 5 (iPhones prior to that didn't do speculative execution), Apple released a patch for the 5 (and all later devices).
As much as the parent poster tried to make this seem like a reason not to buy Apple, it really is a good reason to buy Apple. Every iOS device affected by these bugs has been patched, including 5 year old ones. There's likely Android devices STILL BEING SOLD that will never be patched.
Re: (Score:1)
Incorrect - the iPhone 5 is the oldest iOS device with a CPU that does speculative execution, and it has been patched.