Credit: Project Zero
The Spectre of broken silicon will haunt smartphone security for years to come. The Meltdown and Spectre security flaws affect both iOS devices, including iPhones and iPads, as well as Android smartphones, tablets, and other devices.
While exploits have yet to be seen in the wild, researchers have confirmed that the attacks can be deployed using Javascript—meaning simply visiting the wrong web page could infect a device. “Analysis of these techniques revealed that…they can be potentially exploited in Javascript running in a web browser,” Apple concluded.
The news isn't all bad, however. Apple issued iOS security patches in December, and plans to issue further security patches in the next few days. Unless you're carrying an ancient iPhone, installing the security patches will protect your device. Users of older devices are out of luck, however, and are vulnerable to these and other security flaws, and should consider upgrading their device ASAP.
Likewise, Google has issued security patches for stock Android devices. Google Pixel/Nexus device owners should already be protected. However, Google only guarantees security patches for Pixel/Nexus devices for three years. If you've got an older device, you're out of luck.
The rest of Android users should probably just cringe in horror in a dark corner, as third-party OEM handset makers--like Samsung, OnePlus, and Motorola--are notoriously sluggish in pushing security patches to devices. "I know my iPhone and Nexus 5X will get this patch," says Beau Woods, a security researcher at I Am the Cavalry, and a cyber safety innovation fellow with the Atlantic Council, "but if I've got something else, I don't know if it's going to be updated."
"If it is [updated]," he adds, "it's going to take a long time, from Google pushing an update, to Samsung [or other third-party OEM vendor] putting it in an update, and the carrier pushing it to users' phones." Around a billion Android smartphones around the world see infrequent to no security patches, and those users are now vulnerable to these attacks. That number is not likely to dip significantly for some time to come.
Apart from Google Pixel/Nexus devices, Android security patching is so bad that Meltdown and Spectre are the least of Android users’ worries.
One billion Android devices served (poorly)
The raging Android security dumpster fire is not news, of course. Market incentives drive third-party Android vendors to "ship it and forget it." There's no profit in providing end users with timely security patches, and, absent government regulation, that is not likely to change any time soon.
Worse, Google has little leverage to compel OEM Android vendors to ship upstream security patches, because Android is open source. The biggest stick Google wields over third-party handset makers is access to the Google Play Store, which most consumers want. As Amazon has demonstrated with its Android-based Kindle platform, though, there’s nothing stopping OEMs from using stock Android and building their own app store.
Google’s move in recent years to push core Android components into the Play Store looks a lot like an attempt to gain stronger leverage over Android licensees, but no sign yet of the company pressuring OEMs to push security patches in a more timely fashion. That means those billion Android users are going to be sitting ducks for the inevitable Meltdown and Spectre exploits.
But I thought Meltdown and Spectre were hard to exploit
The last two days have seen Google and Apple repeat the mantra that smartphone users shouldn't be worried. No exploits have been spotted in the wild yet, and these vulnerabilities are "extremely difficult to exploit" (Apple), and "On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices" (Google).
The problem with exploits, they're "solve once, run anywhere." Won't be long before an exploit circulates and garden-variety criminals with poisoned Javascript rampage across the internet. "The attention surrounding these bugs will lead to many public exploits for them," says Dan Guido, CEO, Trail of Bits. "Even if an exploit for Android is 'hard,' it will be done to prove that it can. I think we're going to see Spectre pop up in many unexpected places over the next few weeks and months.”
Woods agrees. "The time between proof-of-concept to use in the wild is usually pretty short," he says. "It's a general trend that capabilities available to nation-state adversaries today are available to common criminals in quick succession, shorter than the useful lifespan of a lot of the devices we use."
Guess that's why they called the vulnerability "Spectre."
Apple Watch users, rejoice
If you're One of The Chosen, you are safe. Apple's watchOS seems invulnerable to both Meltdown and Spectre. No hauntings for you.