Meltdown and Spectre affect the smartphone in your pocket. Should you be worried?

Android and iOS devices are vulnerable to the latest hardware security flaws, and not all of them are easily patched. The good news: exploits are hard (maybe), and so far none are known to be in the wild.


The Spectre of broken silicon will haunt smartphone security for years to come. The Meltdown and Spectre security flaws affect both iOS devices, including iPhones and iPads, and Android smartphones, tablets, and other devices.

While exploits have yet to be seen in the wild, researchers have confirmed that the attacks can be mounted from JavaScript, meaning simply visiting the wrong web page could be enough to leak data from a device. “Analysis of these techniques revealed that…they can be potentially exploited in JavaScript running in a web browser,” Apple concluded.

The news isn't all bad, however. Apple issued iOS security patches in December, and plans to issue further security patches in the next few days. Unless you're carrying an iPhone too old to run the current iOS release, installing the security patches will protect your device. Users of older devices are out of luck, however: they remain vulnerable to these and other security flaws, and should consider upgrading their device ASAP.

Likewise, Google has issued security patches for stock Android devices. Google Pixel/Nexus device owners should already be protected. However, Google only guarantees security patches for Pixel/Nexus devices for three years. If you've got an older device, you're out of luck.

The rest of Android users should probably just cringe in horror in a dark corner, as third-party OEM handset makers, like Samsung, OnePlus, and Motorola, are notoriously sluggish in pushing security patches to devices. "I know my iPhone and Nexus 5X will get this patch," says Beau Woods, a security researcher at I Am the Cavalry and a cyber safety innovation fellow with the Atlantic Council, "but if I've got something else, I don't know if it's going to be updated."

"If it is [updated]," he adds, "it's going to take a long time, from Google pushing an update, to Samsung [or other third-party OEM vendor] putting it in an update, and the carrier pushing it to users' phones." Around a billion Android smartphones around the world receive infrequent or no security patches, and those users are now vulnerable to these attacks. That number is not likely to dip significantly for some time to come.

Apart from Google Pixel/Nexus devices, Android security patching is so bad that Meltdown and Spectre are the least of Android users’ worries.

One billion Android devices served (poorly)

The raging Android security dumpster fire is not news, of course. Market incentives drive third-party Android vendors to "ship it and forget it." There's no profit in providing end users with timely security patches, and, absent government regulation, that is not likely to change any time soon.

Worse, Google has little leverage to compel OEM Android vendors to ship upstream security patches, because Android is open source. The biggest stick Google wields over third-party handset makers is access to the Google Play Store, which most consumers want. As Amazon has demonstrated with its Android-based Kindle Fire platform, though, there’s nothing stopping OEMs from building on the open-source Android code base and shipping their own app store.

Google’s move in recent years to push core Android components into the Play Store looks a lot like an attempt to gain stronger leverage over Android licensees, but there is no sign yet of the company pressuring OEMs to push security patches in a more timely fashion. That means those billion Android users are going to be sitting ducks for the inevitable Meltdown and Spectre exploits.

But I thought Meltdown and Spectre were hard to exploit

The last two days have seen Google and Apple repeat the mantra that smartphone users shouldn't be worried. No exploits have been spotted in the wild yet, and these vulnerabilities are "extremely difficult to exploit" (Apple), and "On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices" (Google).

The problem with exploits is that they're "solve once, run anywhere." It won't be long before an exploit circulates and garden-variety criminals with poisoned JavaScript rampage across the internet. "The attention surrounding these bugs will lead to many public exploits for them," says Dan Guido, CEO of Trail of Bits. "Even if an exploit for Android is 'hard,' it will be done to prove that it can. I think we're going to see Spectre pop up in many unexpected places over the next few weeks and months.”

Woods agrees. "The time between proof-of-concept to use in the wild is usually pretty short," he says. "It's a general trend that capabilities available to nation-state adversaries today are available to common criminals in quick succession, shorter than the useful lifespan of a lot of the devices we use."

Guess that's why they called the vulnerability "Spectre."

In-order efficiency cores in some Android phones

Many Android phones contain both in-order efficiency cores, which do not execute instructions speculatively and so are not vulnerable to speculative execution attacks like Meltdown and Spectre, and out-of-order performance cores, which do speculate and are vulnerable. One mitigation, suggests Daniel Micay, CTO of the security-focused Copperhead Android distribution, is to pin untrusted code to the in-order efficiency cores.

"For example," he says, "Snapdragon 810 in Nexus 6P has 4x Cortex-A53 (not vulnerable) and 4x Cortex-A57 (vulnerable to Spectre, not standard Meltdown, but ARM says they found another Meltdown variant that may impact more CPUs). But if you were willing to lose a lot of performance, you could disable performance cores or pin affinity of untrusted processes to efficiency cores."

No word yet from third-party OEMs on what security mitigations they plan to deploy, if any. Last week CSO Online reached out to numerous vendors, but none have responded so far.

One brightish spot: Micay points out that bargain-basement Android handsets are unlikely to contain the more expensive out-of-order CPUs that do speculative execution. Then again, lower-end handsets are probably not getting other security patches either, making hardware attacks like these the least of their owners' worries.

Apple Watch users, rejoice

If you're one of the chosen, you are safe. Apple says watchOS is not affected by either Meltdown or Spectre. No hauntings for you.
