4/30/2018
10:30 AM
JT Keating
Commentary

What Meltdown and Spectre Mean for Mobile Device Security

Here are four tips to keep your mobile users safe from similar attacks.

There's no question we're still on high alert from Meltdown and Spectre. The fear and uncertainty have been unsettling for everyone, and it will take a while for things to calm down as patches are released — and recalled — for desktop operating systems. The month of March brought with it expanded patching efforts by Microsoft for the two flaws.

Mobile OS Differences
There's less talk of the situation on the mobile side. From a perception standpoint, things may seem more settled. But significant underlying risks remain, and mobile as a threat vector should definitely not be overlooked. Understanding Meltdown and Spectre developments specific to mobile is an important step toward proper defense.  

For starters, mobile operating systems don't have the ability to make the "push-pull" types of patching moves we've seen for Meltdown and Spectre on traditional endpoints. Advice like "Push the patch out. No, roll it back because we found there might be some issues with performance" on the traditional endpoint side — that doesn't translate to mobile.

Meltdown/Spectre Patching Progress for Mobile
When it comes to iOS, Apple has released patches specifically for Meltdown and mitigations against Spectre. Sending out updates to Safari seems to be Apple's solution for how to handle Spectre. Google has followed suit with the same course of action to address both flaws.

There are specific challenges associated with how changes make their way through the Android ecosystem, however. Our company's global threat data consistently shows that well over two-thirds and — depending on timing — up to 80% of Android devices are running out-of-date operating systems. Meanwhile, our data shows about 25% to one-third of devices running iOS are using out-of-date versions.

Now that patches are out for Meltdown and Spectre, it's a matter of whether companies update their employees' devices and whether, on the Android side of things, the updates percolate all the way through the Android ecosystem.

For Better or Worse, Mobile Users Are in Control
One of the biggest differences between traditional and mobile endpoints is that there is no such thing as a patch management system when it comes to mobile. If you talk to enterprise IT security people, chances are they will tell you the single greatest security risk to a company is a carbon-based life form — aka, a human being. For traditional endpoints, you've got a patch management system and then centrally managed antivirus, centrally managed network firewalls, etc. All of these investments take IT control out of the hands of end users and give it to security pros, who are trained to defend against this weak (human) link in the security chain.     

Mobile flips the model on its head. With mobile devices, you take the same users who make bad-enough mistakes as it is with all of the abovementioned network security precautions —  and you give them full control over a small supercomputer (that is, their mobile device). You say, "You're the admin for it; you're responsible for deciding what networks you're going to go in and out of, what apps you're going to download, and, as your employer, I'm totally beholden to you to update your devices."

Stay Protected
When it comes to getting protected, IT pros and companies should keep the following four tips in mind:

  • For any device entering corporate networks, implement the ability to determine the OS version.
  • Create a communication plan to encourage users to upgrade whenever new patches are available. Send this information out via email and text, and also in-line to out-of-date devices as they enter your network.
  • Consider limiting or prohibiting access to certain key resources from out-of-date devices to encourage patching.
  • Implement solutions that can detect exploit attempts, rogue Wi-Fi networks, and malicious apps.
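
As an added illustration of the first and third tips (this example is not part of the original article): a minimal access decision that reads a device's reported OS version or patch level, restricts key resources for out-of-date devices, and flags the user for an update prompt. The version floors, resource names, and device records are assumptions constructed for the example.

```python
import re
from datetime import date

# Assumed policy floors (constructed for this example; set them from vendor advisories).
POLICY = {
    "ios": {"min_version": (11, 2, 2)},
    "android": {"min_patch_level": date(2018, 1, 5)},
}
SENSITIVE = {"hr-portal", "source-control"}  # hypothetical "key resources"

def parse_version(text):
    """'11.2.2' -> (11, 2, 2); missing components count as 0; None if unparseable."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def is_current(device):
    """True only when the reported OS meets the policy floor; unknown data fails closed."""
    rule = POLICY.get(device.get("platform", "").lower())
    if rule is None:
        return False
    try:
        if "min_version" in rule:
            v = parse_version(device.get("os_version", ""))
            return v is not None and v >= rule["min_version"]
        return date.fromisoformat(device.get("patch_level", "")) >= rule["min_patch_level"]
    except ValueError:
        return False

def decide(device, resource):
    """Return (action, notify_user) for one access request."""
    if is_current(device):
        return ("allow", False)
    # Out-of-date: block key resources, allow the rest, and prompt the user to update.
    return ("deny" if resource in SENSITIVE else "allow", True)

# Constructed inventory records, as an MDM or network access control feed might report them.
DEVICES = [
    {"id": "d1", "platform": "iOS", "os_version": "11.3"},
    {"id": "d2", "platform": "iOS", "os_version": "5.1.1"},
    {"id": "d3", "platform": "Android", "patch_level": "2017-11-01"},
    {"id": "d4", "platform": "Android", "patch_level": "2018-04-05"},
    {"id": "d5", "platform": "iOS", "os_version": "unknown"},
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d["id"], decide(d, "hr-portal"), decide(d, "wiki"))
```

Devices whose version cannot be parsed are treated as out of date, so a missing or spoofed-looking field does not grant access to the restricted resources.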

JT Keating, Vice President of Product Strategy at Zimperium, has brought software and mobile communications solutions to market for 25 years. Being passionate about security, he helped define and create multiple innovative approaches, including application whitelisting at ...
Comments
BradleyRoss,
User Rank: Strategist
5/4/2018 | 7:16:16 PM
New techniques are required
A number of people assume that virtual machines can't extract unauthorized data from other virtual machines on the server. In the same way, they assume that virtual memory will stop one application from accessing the memory belonging to another application. Spectre and Meltdown, together with problems with the Atom Tables for Microsoft Windows, are indications that these assumptions are no longer safe. We need to either isolate applications on systems completely with one application per computer system, or provide better protection between processing in a multi-processing environment.

A number of compilers can reduce the level of optimization by changing options. Perhaps what we need are means to turn off optimization techniques such as look ahead pre-calculation on a per process basis to increase security. As long as the reduced optimization is limited to processes that run less than five percent of the total cycles, the impact on performance may be minimal.
JTKeating,
User Rank: Author
5/1/2018 | 11:56:44 AM
Re: "Matter of whether companies update their employees' devices"
I completely agree, Ryan. As I mentioned in the post, the lack of a patch management system for mobile forces us to tackle the problem a different way. As you mentioned, using policies (including deciding what users can and cannot access based on the OS level / risk of their device) is one way to drive users to the desired behavior. We have seen the difference. Some of our customers that don't enforce based on OS level have some users on versions that are so old it is scary. For example, I have seen users on iOS 5... iOS is currently on 11.x! Thanks for the thoughts!
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:59:53 PM
For those that offer mobile options
For those that offer mobile devices to their users, ensure that corporate policy dictates strict oversight of the device. This, coupled with an Enterprise Device Management system, can be a saving grace in ubiquitous exposures such as this.
RyanSepe,
User Rank: Ninja
4/30/2018 | 10:57:29 PM
"Matter of whether companies update their employees' devices"
This point sticks out in my mind. The patches are available and the manufacturers can only make the suggestion, but it's the responsibility of the company to enforce compliance. Otherwise end users will avoid non-functionality based updates like the plague.