On January 3rd, Google's Project Zero published a set of vulnerabilities named Spectre and Meltdown which affect Intel, AMD and ARM CPU models. These vulnerabilities allow a process running anywhere on the CPU to cross security boundaries, enabling it to read arbitrary memory of the kernel or of any other process running on the same machine, which means one simple thing: that process can now gain access to private data. How can this happen? By exploiting the CPU cache mechanism in one of 3 different ways:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)
The first 2 variants are named Spectre, and the last variant is named Meltdown.
According to ARM, a set of 10 modern processors are affected by at least one of the vulnerabilities. These processors are found in flagship devices such as the Samsung S8, Google Pixel 2 and OnePlus 5, as well as in devices from many other well-known vendors, including Sony Xperia, Xiaomi, HTC, and many more.
The official statement from those responsible for Android says that they are unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information access on any ARM-based Android device. Furthermore, a security patch was issued on January 1st of 2018 to make these vulnerabilities even harder to exploit.
As far as iOS devices are concerned, while Apple has acknowledged that all of its devices are affected by these vulnerabilities, they too are unaware of any exploits that impact their customers. Additionally, mitigations for Meltdown were issued as part of iOS 11.2, with an update for Safari that will mitigate the impact of Spectre to be released in the very near future.
The question now becomes: when will these vulnerabilities be removed from devices? Since they lie at the core of modern processors' cache mechanism, it will first be up to the aforementioned chip manufacturers to implement the changes in their CPUs, and then up to the phone makers to use non-vulnerable chips in their devices.
While no known exploits of these vulnerabilities have been proven out, we highly recommend applying the latest security patches, which render these vulnerabilities nearly impossible to exploit. Furthermore, since exploiting them requires running code via a malicious app, it is important to download and install apps only from trusted stores such as the Google Play Store or Apple App Store.
For organizations with mobile fleets that connect to company resources, Check Point SandBlast Mobile can further help protect your organization by ensuring that only up-to-date devices are allowed to connect to company resources, scanning apps for malicious content, providing insight into system security configurations, and providing visibility into the state of security compliance of your mobile fleet.
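To make the "only up-to-date devices" rule above concrete, here is an added example (written for this page, not Check Point's or Google's code) of a fleet compliance check. It reads the Android security patch level, which is a real system property (`ro.build.version.security_patch`, present on Android 6.0 and later, obtained on-device with `getprop ro.build.version.security_patch` and formatted as YYYY-MM-DD), and compares it against the January 1st, 2018 patch named in the post. The device records and ids are constructed for the example; a missing or malformed patch level is treated as non-compliant rather than silently allowed.

```python
"""Fleet check: flag Android devices whose security patch level predates the
January 2018 patch that hardens devices against Spectre/Meltdown exploitation.

ro.build.version.security_patch is a real Android system property (Android
6.0+), read on-device with `getprop ro.build.version.security_patch` and
formatted YYYY-MM-DD. The device inventory below is constructed for this
example; the ids are not real devices."""
from datetime import date

# Minimum acceptable patch level: the January 1st, 2018 Android security patch.
MINIMUM_PATCH_LEVEL = date(2018, 1, 1)


def parse_patch_level(value):
    """Parse a raw security patch level string into a date.

    Returns None when the value is missing or malformed. Callers treat None
    as non-compliant: a device that never reported a patch level (e.g. an OS
    release older than Android 6.0) cannot be assumed to carry the fixes."""
    if not value:
        return None
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_patched(value, minimum=MINIMUM_PATCH_LEVEL):
    """True only when the patch level parses and is on or after `minimum`."""
    level = parse_patch_level(value)
    return level is not None and level >= minimum


def evaluate_fleet(devices, minimum=MINIMUM_PATCH_LEVEL):
    """Split an inventory into (allowed_ids, blocked_ids).

    devices: iterable of dicts with keys "id" and "security_patch", where
    "security_patch" holds the raw getprop output (possibly empty)."""
    allowed, blocked = [], []
    for device in devices:
        if is_patched(device.get("security_patch"), minimum):
            allowed.append(device["id"])
        else:
            blocked.append(device["id"])
    return allowed, blocked


# Constructed sample inventory; values chosen to exercise each branch.
SAMPLE_FLEET = [
    {"id": "pixel2-a", "security_patch": "2018-01-05"},   # patched
    {"id": "s8-b", "security_patch": "2017-12-01"},       # behind
    {"id": "legacy-c", "security_patch": ""},             # property absent
    {"id": "weird-d", "security_patch": "unknown"},       # malformed value
    {"id": "op5-e", "security_patch": "2018-01-01"},      # exactly at minimum
]

if __name__ == "__main__":
    allowed_ids, blocked_ids = evaluate_fleet(SAMPLE_FLEET)
    print("allowed:", allowed_ids)
    print("blocked:", blocked_ids)
```

In a real deployment the `security_patch` field would be filled from each enrolled device's property (via MDM inventory or `adb shell getprop`), and the blocked list would drive the access-control decision; raising `MINIMUM_PATCH_LEVEL` as newer bulletins ship keeps the same check useful after this particular patch.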
If you would like to further protect your personal device, please download ZoneAlarm Mobile Security from either the Google Play Store or Apple App Store. It will provide you with alerts regarding your system security configurations and apps with malicious content, and on iOS it will alert you if your device is running an unpatched system.