4/30/2018
10:30 AM
JT Keating

What Meltdown and Spectre Mean for Mobile Device Security

Here are four tips to keep your mobile users safe from similar attacks.

There's no question we're still on high alert from Meltdown and Spectre. The fear and uncertainty have been unsettling for everyone, and it will take a while for things to calm down as patches are released — and recalled — for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.

Mobile OS Differences
There's less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.  

For starters, mobile operating systems don't have the ability to make the "push-pull" types of patching moves we've seen for Meltdown and Spectre on traditional endpoints. Advice on the traditional endpoint side such as "Push the patch out. No, roll it back because we found there might be some issues with performance" doesn't translate to mobile.

Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Updates to Safari appear to be Apple's way of handling Spectre. Google has followed suit with the same course of action to address both flaws.

There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company's global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.

Now that patches are out for Meltdown and Spectre, it's a matter of whether companies update their employees' devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.

For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no such thing as a patch management system when it comes to mobile. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you've got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.     

Mobile flips the model on its head. With mobile devices, you take the same users who make bad-enough mistakes as it is with all of the abovementioned network security precautions — and you give them full control over a small supercomputer (that is, their mobile device). You say, "You're the admin for it; you're responsible for deciding what networks you're going to go in and out of, what apps you're going to download, and, as your employer, I'm totally beholden to you to update your devices."

Stay Protected
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:

  • For any device entering corporate networks, implement the ability to determine the OS version.
  • Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
  • Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
  • Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.
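
One way to act on the first and third tips, as an added example that is not from the article: a Python policy check that compares each device's reported OS version against a minimum baseline, denies out-of-date devices access to key resources, flags them for an upgrade notice, and reports the out-of-date share per platform. The baseline versions, resource names, and inventory records are constructed placeholders, and the records are assumed to come from device enrollment or management inventory rather than from anything the device self-declares per request.

```python
import re
from collections import defaultdict

# Placeholder baselines (assumption): replace with the minimum patched
# versions from the vendor advisories your organization tracks.
BASELINE = {"ios": (11, 0, 0), "android": (8, 0, 0)}
KEY_RESOURCES = {"mail", "vpn", "source-code"}  # hypothetical resource names

def parse_version(text):
    """'11.2.6' -> (11, 2, 6); '8.1' -> (8, 1, 0); None if unparseable."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", (text or "").strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_current(device):
    """True/False against the baseline, None when it cannot be determined."""
    baseline = BASELINE.get((device.get("platform") or "").lower())
    version = parse_version(device.get("os_version"))
    if baseline is None or version is None:
        return None
    return version >= baseline

def decide(device, resource):
    """Return (action, notify_user) for one access request."""
    if is_current(device):
        return ("allow", False)
    # Out-of-date or undeterminable: block key resources, and flag the
    # device for the in-line upgrade notice either way.
    return ("deny" if resource in KEY_RESOURCES else "allow", True)

def fleet_report(devices):
    """Percentage of devices per platform that are not verifiably current."""
    total, stale = defaultdict(int), defaultdict(int)
    for d in devices:
        platform = (d.get("platform") or "unknown").lower()
        total[platform] += 1
        if not is_current(d):
            stale[platform] += 1
    return {p: round(100 * stale[p] / total[p]) for p in total}

# Constructed sample inventory records, not real data.
SAMPLE = [
    {"id": "d1", "platform": "iOS", "os_version": "11.3"},
    {"id": "d2", "platform": "iOS", "os_version": "5.1.1"},
    {"id": "d3", "platform": "Android", "os_version": "6.0.1"},
    {"id": "d4", "platform": "Android", "os_version": "8.1"},
    {"id": "d5", "platform": "Android", "os_version": ""},
]
```

A device whose version cannot be read is treated the same as an out-of-date one, so a missing or malformed inventory record never grants access to a key resource.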

JT Keating, Vice President of Product Strategy at Zimperium, has brought software and mobile communications solutions to market for 25 years. Being passionate about security, he helped define and create multiple innovative approaches, including application whitelisting at ...
Comments
BradleyRoss,
User Rank: Apprentice
5/4/2018 | 7:16:16 PM
New techniques are required
A number of people assume that virtual machines can't extract unauthorized data from other virtual machines on the server.  In the same way, they assume that virtual memory will stop one application from accessing the memory belonging to another application.  Spectre and Meltdown, together with problems with the Atom Tables for Microsoft Windows, are indications that these assumptions are no longer safe.  We need to either isolate applications on systems completely with one application per computer system, or provide better protection between processing in a multi-processing environment.

A number of compilers can reduce the level of optimization by changing options.  Perhaps what we need are means to turn off optimization techniques such as look ahead pre-calculation on a per process basis to increase security.  As long as the reduced optimization is limited to processes that run less than five percent of the total cycles, the impact on performance may be minimal.
JTKeating,
User Rank: Author
5/1/2018 | 11:56:44 AM
Re: "Matter of whether companies update their employees' devices"
I completely agree, Ryan.  As I mentioned in the post, the lack of a patch management system for mobile forces us to tackle the problem a different way. As you mentioned, using policies (including deciding what users can and cannot access based on the OS level / risk of their device) is one way to drive users to the desired behavior. We have seen the difference. Some of our customers that don't enforce based on OS level have some users on versions that are so old it is scary. For example, I have seen users on iOS 5... iOS is currently on 11.x! Thanks for the thoughts!
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:59:53 PM
For those that offer mobile options
For those that offer mobile devices to their users, ensure that corporate policy dictates strict oversight of the device. This, coupled with an Enterprise Device Management system, can be a saving grace in ubiquitous exposures such as this.
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:57:29 PM
"Matter of whether companies update their employees' devices"
This point sticks out in my mind. The patches are available and the manufacturers can only make the suggestion, but it's the responsibility of the company to enforce compliance. Otherwise end users will avoid non-functionality-based updates like the plague.