Mobile mitigations for Meltdown and Spectre: A guide

Mobile mitigations for Meltdown and Spectre: A guide
Ojas Rege is Chief Marketing and Strategy Officer at MobileIron. He coined the term “Mobile First” on TechCrunch in 2007, one week after the launch of the first iPhone, to represent a new model of personal and business computing. He is co-inventor on eight mobility patents, including the enterprise app store and BYOD privacy. Ojas has been with MobileIron for ten years as the company has grown from an idea to a mobile security platform with over 16,000 enterprise customers. Ojas is a Fellow of the Ponemon Institute for information security policy and has written extensively on the implications of the evolving architectures of Android, iOS, and Windows on enterprise security. Prior to MobileIron, Ojas was responsible for the mobile product teams at Yahoo! and AvantGo and started his career in 1988 as product line manager at Oracle. Ojas has a BS/MS in Computer Engineering from M.I.T. and an MBA from Stanford University. He is also Board Chair for Pact, a non-profit in Oakland, California that provides adoption and education services for children of color and their families.

Meltdown and Spectre are two critical vulnerabilities recently identified in modern processors. These vulnerabilities can allow unprivileged users to access memory belonging to other processes, including the kernel.

Much of the initial coverage of these vulnerabilities centred on desktop, server, and cloud systems, but they affect mobile devices as well. Apple, Google, Linux distributions, and Microsoft are now releasing patches to mitigate these issues.

How the exploits work

Meltdown and Spectre are hardware vulnerabilities that allow a malicious process to gain unauthorized access to memory. Meltdown enables attackers to read the sensitive data of other processes or virtual machines. Spectre allows an attacker to induce a process to reveal data stored in its own memory.

Because both are hardware vulnerabilities, they can be exploited across operating systems, unless the operating system has taken specific steps to prevent them. 

Modern processors operate much faster than system memory (RAM), so they use a clever technique called ‘speculative execution’ to avoid waiting on RAM. Essentially a processor will guess the outcome of a calculation and proceed as though that is the correct answer until the actual outcome is available. When the actual calculation is finished the processor checks to see if its guess was correct. If not, it throws away the temporary work and tries again with the correct outcome.

And this is the critical bit; during speculative execution, all work is kept in a temporary space that is not supposed to be visible to programs running on the system. However, both Meltdown and Spectre can enable an attacker to identify which data the processor examined during speculative execution. Then, through a series of careful manipulations, an attacker can access the contents of memory.

Risk mitigation for mobile devices

Meltdown and Spectre, like WannaCry several months ago, reinforce the importance of keeping your software up to date. With WannaCry, proactive patching would have mitigated the risk for most companies. With Meltdown and Spectre, IT administrators should be ready to update their software asap when patches, many of which are now available, are released by the developer of the operating system.

Patch early, patch often

To avert similar widespread damage IT administrators should be ready to update their software as soon as the patches are available and not take the view that ‘it won’t happen to me’ because it does and it will.

In fact, with this in mind it important to patch early and patch often so as not to leave systems exposed. Most operating system vendors have already pushed out patches for the Meltdown flaw, while Apple’s Safari and Google’s Chrome have both been updated to mitigate many of the effects of Spectre.

Tiered device compliance

IT administrators should be leveraging their enterprise mobility management (EMM) solutions to identify vulnerable devices. An important component of EMM is tiered compliance, which helps IT administrators mitigate the risk of the Meltdown and Spectre flaws.

Using this capability, administrators can push out notifications to users to update their device to the desired operating system version. If the user doesn’t do this an administrator can either wipe company data from the device or block access to company servers. This protects data from being compromised before a device is patched.

Blocking malicious apps

Similarly, malicious apps need to be guarded against. Hackers are by definition a cunning breed and malware-loaded apps designed to exploit the Meltdown and Spectre processor flaws may already be on the drawing board. Am EMM solution can be configured to disable untrusted app stores, a path that many malicious apps take.  If you’re running an app reputation service, then you can also identify and blacklist ‘dodgy’ apps. 

Reducing password and data exposure

Finally, it’s important to note that these processor vulnerabilities can also be used to steal data, including passwords. Ensure that unmanaged or unpatched devices can’t access back-end services. This reduces exposure from compromised credentials by validating that the devices and apps accessing your infrastructure are secure, managed, and authorized.

Ongoing protection

Meltdown and Spectre are serious threats and have quite rightly generated panic across enterprises, chip vendors, and operating system providers.

Could better security-by-design principles and processes have prevented these vulnerabilities? Maybe. The only certain prediction is that there will continue to be unexpected vulnerabilities and exploits for as long as there are processors, software, and computers to attack. This is why the best defence is always a proactive approach to security – keep systems up to date and be prepared to quickly take mitigating actions when threats do appear. An enterprise mobility management (EMM) system is foundational to this defence.

Read more: Only 4% of enterprise mobile devices protected against Meltdown and Spectre vulnerabilities in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *