Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/30/2018
10:30 AM
JT Keating
JT Keating
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Meltdown and Spectre Mean for Mobile Device Security

Here are four tips to keep your mobile users safe from similar attacks.

There's no question we're still on high alert from Meltdown and Spectre. The fear and uncertainty has been unsettling for everyone, and it will take a while for things to calm down as patches are released —  and recalled —  for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.

Mobile OS Differences
There's less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.  

For starters, mobile operating systems don't have the ability to make the "push-pull" types of patching moves we've seen for Meltdown and Spectre on traditional endpoints. Advice like "Push the patch out. No, roll it back because we found there might be some issues with performance" on the traditional endpoint side — that doesn't translate to mobile.

Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Sending out updates to Safari seems to be Apple's solution for how to handle Spectre. Google has followed suit with the same course of action to address both flaws.

There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company's global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.

Now that patches are out for Meltdown and Spectre, it's a matter of whether companies update their employees' devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.

For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no such thing as a patch management system when it comes to mobile. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you've got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.     

Mobile flips the model on its head. With mobile devices, you take the same users who make bad-enough mistakes as it is with all of the abovementioned network security precautions —  and you give them full control over a small supercomputer (that is, their mobile device). You say, "You're the admin for it; you're responsible for deciding what networks you're going to go in and out of, what apps you're going to download, and, as your employer, I'm totally beholden to you to update your devices."

Stay Protected
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:

  • For any device entering corporate networks, implement the ability to determine the OS version.
  • Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
  • Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
  • Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.

Related Content:

JT Keating, Vice President of Product Strategy at Zimperium, has brought software and mobile communications solutions to market for 25 years. Being passionate about security, he helped define and create multiple innovative approaches, including application whitelisting at ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BradleyRoss
50%
50%
BradleyRoss,
User Rank: Moderator
5/4/2018 | 7:16:16 PM
New techniques are required
A number of people assume that virtual machines can't extract unauthorized data from other virtual machines on the server.  In the same way, they assume that virtual memory will stop one application from accessing the memory belonging to another application.  Spectre and Meltdown, together with problems with the Atom Tables for Microsoft Windows, are indications that these assumptions are no longer safe.  We need to either isolate applictions on systems completely with one application per computer system, or provide better protection between processing in a multi-processing environment.

A number of compilers can reduce the level of optimization by changing options.  Perhaps what we need are means to turn off optimization techniques such as look ahead pre-calculation on a per process basis to increase security.  As long as the reduced optimization is limited to processes that run less that five percent of the total cycles, the impact on performance may be minimal.
JTKeating
50%
50%
JTKeating,
User Rank: Author
5/1/2018 | 11:56:44 AM
Re: "Matter of whether companies update their employees' devices"
I completely agree, Ryan.  As I mentioned in the post, the lack of a patch management system for mobile forces us to tackle the problem a different way. As you mentioned, using policies (including deciding what users can and cannot access based on the OS level / risk of their device) is one way to drive users to the desired behavior. We have seen the difference. Some of our customers that don't enforce based on OS level have some users on version that are so old it is scary. For example, I have seen users on iOS 5... iOS is currently on 11.x! Thanks for the thoughts!
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:59:53 PM
For those that offer mobile options
For those that offer mobile devices to their users, ensure that corporate policy dictates strict oversight of the device. This couple with an Enterprise Device Management system can be a saving grace in ubiquitous exposures such as this.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:57:29 PM
"Matter of whether companies update their employees' devices"
This point sticks out in my mind. The patches are available and the manufacturers can only make the suggestion but its the responsibility of the company to enforce compliance. Otherwise end users will non-functionality based updates like the plague.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...