There's no question we're still on high alert from Meltdown and Spectre. The fear and uncertainty have been unsettling for everyone, and it will take a while for things to calm down as patches are released — and recalled — for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.
Mobile OS Differences
There's less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.
For starters, mobile operating systems don't have the ability to make the "push-pull" types of patching moves we've seen for Meltdown and Spectre on traditional endpoints. Advice like "Push the patch out. No, roll it back because we found there might be some issues with performance" on the traditional endpoint side — that doesn't translate to mobile.
Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Sending out updates to Safari seems to be Apple's solution for how to handle Spectre. Google has followed suit with the same course of action to address both flaws.
There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company's global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.
Now that patches are out for Meltdown and Spectre, it's a matter of whether companies update their employees' devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.
For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no such thing as a patch management system when it comes to mobile. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you've got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.
Mobile flips the model on its head. With mobile devices, you take the same users who make serious enough mistakes even with all of the above-mentioned network security precautions in place — and you give them full control over a small supercomputer (that is, their mobile device). You say, "You're the admin for it; you're responsible for deciding what networks you're going to go in and out of, what apps you're going to download, and, as your employer, I'm totally beholden to you to update your devices."
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:
- For any device entering corporate networks, implement the ability to determine the OS version.
- Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
- Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
- Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.
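The first three tips amount to a posture check at the network edge: read the OS version a device reports, compare it against the minimum you consider patched, and either allow it, fence off key resources, or hold it until you can tell what it is running. The following is an added example, not code from the article or from any vendor product, of such a check in Python. Everything in it is assumed: the `Device` records are constructed sample posture data of the kind an MDM or NAC agent would report, the `MIN_VERSIONS` numbers are illustrative placeholders rather than the actual Meltdown/Spectre fix levels, and `RESTRICTED_RESOURCES` is a hypothetical list of systems out-of-date devices may not reach.

```python
"""Added example (not from the article): a network-access posture check that
determines a mobile device's OS version (tip 1), restricts out-of-date devices
from key resources (tip 3), and produces the in-line notice for the user (tip 2).
All version numbers and resource names below are constructed placeholders."""
from dataclasses import dataclass, field
import re

# Hypothetical policy: minimum acceptable OS version per platform.
# These tuples are placeholders for illustration only; substitute the builds
# you have verified carry the fixes you care about.
MIN_VERSIONS = {
    "ios": (11, 2, 2),      # placeholder, not a claim about Apple's fix level
    "android": (8, 1, 0),   # placeholder, not a claim about Google's fix level
}

# Hypothetical resources fenced off from out-of-date devices (tip 3).
RESTRICTED_RESOURCES = frozenset({"finance-erp", "source-control", "hr-portal"})


def parse_version(text):
    """Turn '11.2.2', '8.1' or 'iOS 11.2.2' into a comparable tuple of ints.
    Missing minor/patch components count as 0; no digits at all is an error."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


@dataclass
class Device:
    device_id: str
    platform: str      # 'ios' or 'android', as reported by the posture agent
    os_version: str    # free-text version string as reported by the agent


@dataclass
class Decision:
    device_id: str
    action: str                       # 'allow', 'restrict' or 'quarantine'
    blocked: frozenset = field(default_factory=frozenset)
    notice: str = ""                  # in-line message shown to the user (tip 2)


def evaluate(device, policy=MIN_VERSIONS, restricted=RESTRICTED_RESOURCES):
    """Decide what a joining device may reach, based only on its reported posture."""
    platform = device.platform.lower()
    if platform not in policy:
        # Cannot determine patch level for an unknown platform: hold it (tip 1).
        return Decision(device.device_id, "quarantine", restricted,
                        "Unrecognised platform; access held until posture can be verified.")
    try:
        current = parse_version(device.os_version)
    except ValueError:
        return Decision(device.device_id, "quarantine", restricted,
                        "OS version could not be determined; access held until posture can be verified.")
    minimum = policy[platform]
    if current >= minimum:
        return Decision(device.device_id, "allow")
    required = ".".join(map(str, minimum))
    # Out of date: keep basic connectivity, fence off key resources, and tell the user why.
    return Decision(device.device_id, "restrict", restricted,
                    f"Your {platform} device runs {device.os_version}; update to {required} "
                    f"or later to regain access to restricted resources.")


# Constructed sample posture records, as an MDM/NAC agent might report them.
SAMPLE_DEVICES = [
    Device("d1", "ios", "11.2.2"),
    Device("d2", "iOS", "11.1"),
    Device("d3", "android", "8.1.0"),
    Device("d4", "android", "7.0"),
    Device("d5", "android", "unknown"),
]


def evaluate_fleet(devices=SAMPLE_DEVICES):
    """Map device id -> Decision for every device seen at the network edge."""
    return {d.device_id: evaluate(d) for d in devices}


def out_of_date_share(devices=SAMPLE_DEVICES):
    """Fraction of devices per platform that were not allowed through unrestricted,
    the kind of out-of-date figure the article quotes for iOS and Android."""
    totals, stale = {}, {}
    for d in devices:
        p = d.platform.lower()
        totals[p] = totals.get(p, 0) + 1
        if evaluate(d).action != "allow":
            stale[p] = stale.get(p, 0) + 1
    return {p: stale.get(p, 0) / n for p, n in totals.items()}


if __name__ == "__main__":
    for dec in evaluate_fleet().values():
        print(dec.device_id, dec.action, sorted(dec.blocked), dec.notice)
    print(out_of_date_share())
```

Devices whose version cannot be parsed are treated the same as unknown platforms: held, not trusted. That matters because an agent that fails to report a version is exactly the case in which you cannot tell whether the device is patched, and defaulting to "allow" there would quietly defeat tip 1.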