What lessons has Spectre taught us?

Meltdown and Spectre

There was a brief period when it seemed that mobile phone users were exempt from the problems that computer users were experiencing. After all, it had been a long time since any phone vendor had used Intel chips in any product, so there was nothing for the Apple fanboys or the Android customers to worry about.

That all changed when it was revealed that there were two processor flaws and the second one, Spectre, most decidedly did affect ARM chips – which meant pretty much every phone and tablet out there.

What followed then was almost a masterclass in how rumor was disseminated and how misinformation can spread. First of all, it should be remembered that this vulnerability was identified and reported seven months ago and was not supposed to have been revealed until next week (coincidentally in a week when the tech world had decamped to Las Vegas for CES and those pesky tech journalists would be otherwise occupied).

But then there was also the uncertainty of what Spectre meant to users and the contrasting messages, on one hand being told it was that it was worse than Meltdown as it wouldn’t have been so easy to apply fixes to it; and, on the other, how it wasn’t quite so bad as it wasn’t something that could be exploited by a script kiddie working on his own, but would need state-sponsored teams on the case.

And according to Zimperium security advisor, Adam Donenfeld, the dangers to individual users are limited.  “Spectre is essentially an information disclosure vulnerability. While it is possible to steal information using that vulnerability, stealing a specific targeted piece of information is not as easy as it might appear,” he said.  

He pointed out that there was already protection available. “As of now, the average user can either wait or install a 3rd party security solution. Obviously, it’s a new class of vulnerabilities we’ve yet to see, so there might be more to it. But, an upcoming patch will fix the known issues related to that class of bugs.”

That’s not to say that the vulnerabilities aren’t worrying for users. Many Apple users, whether of phones or computers have long been of the belief that their devices are secure against any form of attack, so the news that their phones were vulnerable to attack too – even though Apple put out a statement saying that the company would be reacting to the Spectre vulnerability.  According to the company statement, “Apple will release an update for Safari on macOS and iOS in the coming days to mitigate these exploit techniques. We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, and tvOS. watchOS is unaffected by Spectre.”

It wasn’t just Apple, of course, one of the issues that users had concerns about is what was happening to chips that ARM was making for other vendors, such as Qualcomm. The company also put out a statement to assuage customer anxieties. “Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with ARM and others to assess impact and develop mitigations for our customers. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available.”

Hype

With statements like this, it’s clear that the vendors have been trying to meet users’ worries. According to Donenfeld, the manufacturers have worries beyond the technical issues. “I think mobile vendors are not as concerned about the impact, but rather about the hype behind it: information disclosure vulnerabilities are not new. At the end of the day it’s just a simple patch that fixes those bugs, just like other vulnerabilities. One of the issues here however, is that the vulnerability (and some PoCs) were released before a patch was installed. But those vulnerabilities required more vulnerabilities to chain with, to achieve a full compromise of the device.”

The episode has done one thing, however, it has concentrated mobile users’ minds on how vulnerabilities their devices are. While users (on the whole) are diligent about updating PCs and installing antivirus software, there haven’t been the same efforts expended on mobiles: could the Spectre flaw change this. Donenfield is non-committal: “I hope so. But Spectre is no different and doesn’t shed light on how users view their phones: a security solution for mobile devices was needed before, and is needed after this patch as well.”

That’s not to say that, a week after Spectre was first reported, that the industry couldn’t improve matters. The fact that news of vulnerability was leaked and disclosure wasn’t handled properly is still contentious. Donenfeld believes it could have been handled better “I think there wasn’t a responsible disclosure. The fact that the vulnerability details, as well as PoCs, were released before some flagship devices were patched, implies miscommunication between the disclosing party and the vendors.”

And it’s probable that these points will have been noted and lessons are certain have been learned –  the proof will be when it happens next – we’ll be better prepared: won’t we?