How do Meltdown and Specter vulnerabilities affect your smartphone?

The 2018 Chipocalypse has affected not only Windows and Linux, as mentioned at the beginning. Devices with iOS and Android are also under threat. And if sysadmins and competent PC users are at least somehow preparing for an attack, even if morally, the owners of smartphones do not seem to think that their passwords and other information can be accessed. How do Apple and Google react to the most serious vulnerability of processors in all the decades of their existence, and what can we do?

What are we talking about

If someone just got out of hibernation and missed the main IT-news of 2018, excellent reviews for Meltdown and for Specter on GT did Oleg Artamonov. In short, these are vulnerabilities affecting almost all processors released in the last twenty years (all chips with Intel, AMD, ARM cores). During the speculative execution of the operations necessary to improve performance, the chip potentially opens up access to data for those processes that should not have received them.

The Verge draws the analogy of Meltdown with the bank:

In the center of the bank is a safe with a password. Next to him sits a guard with a gun. If you enter and open the safe, they kill you. In the parallel dimension, you enter the bank and they kill you, but you have time to look in the safe and shout out the password. And in this dimension, you hear a scream with this password, and access the data. Even in spite of the fact that you never entered the bank.

The vulnerability of Meltdown and Specter relate to the processor cores, that is, this is an iron problem. But when (or if) a malicious program is made for them, it will receive access to this vulnerability — as well as your passwords and encrypted information — through software. You cannot buy a new "invulnerable" iron, it does not exist (except for quite old phones released at the turn of the century), so the only way to protect yourself is to follow the developers of operating systems and their recommendations.

On iOS

Apple released its response on Thursday, the very next day after reporters released information about the presence of hardware vulnerabilities in microprocessors. She confirmed that all Macs and iOS devices are affected by this problem. So far there are no working exploits, but users are once again recommended to download applications only from trusted sources (App Store) and not to visit potentially dangerous sites - attacks are possible through JavaScript.

A team of researchers who discovered Meltdown and Specter informed all major manufacturers of software and hardware as early as July, and for Windows 10 in November, they even released a patch trying to reduce the threat. Apple has also released such a patch - iOS 11.2.1, in December. The patch is designed to fight with Meltdown, and if you have already updated the device to this version (it is available from December), attacks from this side can not yet be afraid. Judging by the tests GeekBench 4, JetStream and Speedometer, the system performance when installing the patch is not reduced.

Against Specter protection yet. But the good news is that it will be an order of magnitude more difficult for attackers to develop scripts for it, even for applications that run locally on the iPhone or iPad. A potential exploit can only sit down in a browser with JavaScript (and only theoretically). To counteract this, Apple is working on an update for Safari for iOS and macOS. The company promises that the slowdown will be less than 2.5%.

Apple Watch uses a different type of processor, and the Meltdown and Specter vulnerabilities are not initially susceptible.

On Android

Android users are at greater risk. Google was one of those who found a vulnerability in the chips, and was the first to work on fixing it. She managed to develop several patches , in particular - for Android-devices with ARM processors. And released them for their partners back in December. But each individual smartphone developer will not be able to quickly develop and release an update for his firmware. In addition, the patches are far from all chips, and for most devices there is no solution yet.

Intel processors are all susceptible, almost all ARM cores (from Cortex-A53 and up) are exposed. Corruption-A15, Cortex A-17, Cortex A-72, Cortex-A75 vulnerabilities were confirmed, and these are Exynos 5, Exynos 7, Qualcomm Snapdragon 650, 652, 653, 808 and 810 processors, Mediatek Helio X20. Samsung, LG, HTC, Xiaomi, Meizu and others - for attacks through Meltdown and Specter, their devices are still open.

The most annoying - according to ARM, in the category of "vulnerable" were processors with the architecture of Cortex-A73. And this Snapdragon 835, inserted into most of the flagship smartphones of 2017: Galaxy S8, S8 +, Note 8, Google Pixel 2, OnePlus 5 and so on. The same applies to the flagships of 2015 with a Snapdragon 810 processor, which is the core Cortex-A57. That is, the more expensive your smartphone is, the higher the chance that it is subject to attack.

The good news is that if you have a smartphone or tablet with ARM cores, which are not mentioned above, and the developer of your device on a short foot with Google, and you put the latest updates, you should be safe. You can go to Internet banking without fear and enter passwords from payment systems. Plus, Google says it has developed a Specter Retpoline patch that doesn’t slow down the system. She is already working in the company's products, and should help other manufacturers.

What can be done

So far, even large IT corporations are confused. Nobody has an elegant solution - perhaps, for a full guarantee, you will have to wait for the release of processors with a new architecture. And this is more than a year: the current processors are already in development, and ARM and Intel are not going to remove them from the pipeline. So far, our security is in our own hands. There are a few (fairly obvious) rules to follow:

1. Deliver all updates from your manufacturer.

We may not say what exactly is contained in the update. So, for example, made Microsoft for Windows 10, so as not to cause panic, and also "quietly" tried to update Linux. For smartphones and tablets, this is even more important. The developer of your device should release the patch literally this week (if he hasn’t already done so). And, most likely, more than one protective patch will be released after this - as new solutions will be found. System performance may be reduced by 5-30%, but in fact you will not notice. The most powerful applications and games use little system calls, and the speed drop in them should not exceed 3%.

For Apple smartphones, security updates were released in December, for Samsung they haven’t been yet (the updates dealt with other aspects), but they are expected in January. Google devices, including Nexus 5X, Nexus 6P, Pixel C, Pixel, Pixel 2, received updates.

Be sure to upgrade your browser.

2. Be careful with installing new applications.

The presence of a patch [yet] does not guarantee anything. The patch, even if it is suitable for your processor, only complicates the use of Specter and Meltdown for hacking the device. And here we must understand that if an exploit that breaks down a smartphone is still created, it will almost certainly come out as an application. Any running application has access to the processor during operation, and that’s all it takes to take advantage of the vulnerability. JavaScript in the browser is also locally executed code, but the new Chrome, Firefox and Safari have already made it extremely difficult to use when attacking. If you do not download unverified applications, especially the APK from third-party sites, the chances of “catching up” the exploit are seriously reduced.

Put the antivirus, especially if you have Android. Always check who uploaded the app on the App Store or on Google Play. Do not download extra tools. Practical implementation of the malware is extremely difficult, and, most likely, banks and corporations will attack, but not our passwords from GT and Telegram in smartphones. But the probability remains, and on our head there are already enough malware in smartphones and tablets. In 2017, 90 million viruses were found in the world, and, judging from the news of this week, this year threatens to become even worse. Especially in connection with the latest predictions that hacker attacks in 2018 will lead the AI. So says 62% of the top information security experts polled by Cylance.

For Intel, by the way, the current situation may well turn into a profit: chips that do not contain these vulnerabilities, which will be released in a couple of years, will be in demand more than ever. The hardest of all. Companies have to Microsoft and Amazon - their giant cloud services (AWS, Azure) and virtual machines are under great threat, and if some hackers try to “straddle” Specter and Meltdown, one of the first attacks will be logical to send to them.

PS

New gadgets from the United States can take through us. Including a completely secure Apple Watch with a proprietary processor. 30-40% cheaper than in the Russian Federation, because without the "Mikhalkov Tax" and other duties. Readers who, after registering, enter the code GEEKTIMES, get $ 7 to the account.