Spectre and Meltdown are arguably two of the biggest vulnerabilities in computing history, and certainly in mobile history. They have reportedly existed in nearly every computer chip shipped since the late 90s, on every operating system that runs on them, and will likely enable a significant number of attacks in the coming months.
Spectre and Meltdown are part of a series of chip-level vulnerabilities that allow attackers to exploit fundamental hardware features of modern CPUs (specifically Intel, ARM, and AMD chips). Both are attacks against speculative execution in processors. Speculative execution was designed to speed up performance by predicting, or speculating on, what is going to happen in a program before it actually does.
These vulnerabilities can be exploited by any attacker who can execute code on a system (either through an installed app or, in some cases, through web-browsers). If successful, attackers are able to read memory that should normally be inaccessible to the app - whether that memory belongs to other programs, virtual machines, browser tabs, or the kernel itself. In accessing this memory, any sensitive information stored there (including passwords, authentication tokens, and confidential documents) is exposed to attackers.
Attackers can exploit these vulnerabilities on mobile devices through malicious apps and attacks through the mobile browser. Spectre and Meltdown impact components that are central to the way any computer operates, highlighting the fact that mobile devices are as vulnerable as any PC endpoint and in need of the same protection.
When exploited, Spectre and Meltdown will have characteristics similar to Heartbleed in the way they expose sensitive information. Unlike Heartbleed, however, these vulnerabilities are potentially present on every device and cannot be completely patched, only mitigated via a software update.
Android has not patched against the Meltdown or Spectre CVEs themselves (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754). Rather, Android has initially opted to patch against CVE-2017-13218. The reason, according to Google, is that this patch "reduces access to high-precision timers, which helps limit side channel attacks." In theory this should mitigate Meltdown and Spectre on affected devices. The patches for Android are in the 2018-01-05 Android Security Patch Level release.
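A practical check that follows from the paragraph above is whether a fleet's Android devices report a security patch level at or after 2018-01-05. The following is an added example, not Lookout's code or tooling; it assumes a constructed inventory of device ids paired with the value of `ro.build.version.security_patch` (the `YYYY-MM-DD` string Android exposes), and treats empty or malformed values as unknown rather than as patched.

```python
"""Flag Android devices whose security patch level predates the
2018-01-05 release that carries the CVE-2017-13218 timer mitigation.

Added example. The inventory below is a constructed snapshot, not a
Lookout data format.
"""
from datetime import date

# Patch level named on the page as shipping the Android mitigation.
MITIGATION_PATCH_LEVEL = date(2018, 1, 5)

# Constructed sample: device id, reported ro.build.version.security_patch.
SAMPLE_INVENTORY = """\
device-001,2018-01-05
device-002,2017-12-01
device-003,2018-02-05
device-004,
device-005,not-a-date
"""


def parse_patch_level(value: str):
    """Return a date for a well-formed 'YYYY-MM-DD' patch level, else None."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(inventory: str, baseline: date = MITIGATION_PATCH_LEVEL):
    """Bucket devices into 'patched', 'unpatched' and 'unknown'.

    A device counts as patched only if its patch level is on or after
    the baseline; an empty or unparseable value lands in 'unknown' so
    it is never silently treated as safe.
    """
    buckets = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device_id, _, raw = line.partition(",")
        level = parse_patch_level(raw)
        if level is None:
            buckets["unknown"].append(device_id)
        elif level >= baseline:
            buckets["patched"].append(device_id)
        else:
            buckets["unpatched"].append(device_id)
    return buckets


if __name__ == "__main__":
    for bucket, ids in classify(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {ids}")
```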
Attacks against these vulnerabilities affect both mobile and desktop platforms alike. Since the discoveries have been made public, operating system makers are rapidly working to mitigate the vulnerabilities via software patches, changing the system behavior to make it more difficult to trigger Spectre and Meltdown. However, there is no true fix for these vulnerabilities except to replace the chipset. At this point, non-vulnerable chipsets likely do not exist.
Patches are being made available for most operating systems to work around the hardware flaws. These patches are creating massive changes in the way memory has traditionally been handled by a PC or mobile operating system. These changes will require testing and could create significant performance impacts in many environments (with early estimates claiming a 5%-30% performance hit on some platforms).
Note that the industry is not confident that all variants of attacks against speculative execution have been identified. Other, similar attacks may emerge in the coming months that build upon this initial research.
The vulnerabilities were independently discovered by several academic institutions as well as Google's Project Zero. If an attacker uses Spectre or Meltdown as part of their attack chain, Lookout will detect the compromise of the device via associated malicious apps or websites. Customers can see which mobile devices in their employee base remain unpatched using Lookout Mobile Endpoint Security.
Interested in learning more about how Spectre and Meltdown impact the mobile devices in your corporate environment? Contact us today.