What are Spectre and Meltdown vulnerabilities and how to stay safe from them

Spectre and Meltdown

Over the past few days, you might have heard something about the Spectre and Meltdown vulnerabilities affecting device chipsets, including the Qualcomm Snapdragons that dominate the Android space.

What are Spectre and Meltdown?

These two are modern-day bugs that affect all processors by allowing installed applications to breach the secure wall between them and the core of Android OS, giving perpetrators access to the system files, where they can steal personal data and slip out unnoticed. In the worst case, they could easily take over your phone, but the good side of the story is that there are ways to fix, or rather mitigate, these vulnerabilities.

Spectre and Meltdown have been discovered to affect chipsets from Intel, AMD and ARM. While the former is reportedly a universal attack, the latter targets all chipsets made after 1995 (apart from the pre-2013 Atom line and the entire Itanium line). Notably, Qualcomm is nowhere on the list, but if you know your phone well, you should also know that smartphone chipsets have ARM cores. Apparently, the ARM Cortex-A75 core, which is found in some flagship Snapdragon chipsets used on Android handsets, is the most high-profile victim.

A brief explanation:

In case you didn’t know, there’s a “barrier” between the core of Android OS and the installed apps. User apps are not meant to access the system core, but with the Meltdown vulnerability, this barrier is broken, allowing apps to access information that is meant to be protected. This information is found in the kernel, a region in your phone’s core that no user-initiated operation is allowed to access. If malicious programs get into this no-go zone, they can steal sensitive information like passwords, usernames and any other saved data. As you can see, the Meltdown attack effectively melts the barrier that is usually enforced by the processor, hence the name.

Spectre is a little more subtle. It’s described as a universal attack that “breaks down the isolation between apps”, giving attackers a way to trick genuine apps into leaking secrets. Since all modern processors tend to hold on to volumes of instructions in anticipation of commands, they are potentially vulnerable. The instructions they keep come from different apps and have protective walls around them that prevent any form of unwanted inter-app interaction. However, the Spectre attack burns these walls, allowing apps to exchange information. In this way, malicious programs can find their way into the system core and extract sensitive information from genuine apps.

How to stay safe from Spectre and Meltdown attacks


Before you even think about the safety of your Android phone, note that neither of these vulnerabilities has been actively exploited yet. Still, one way of staying safe from the two attacks is to install antivirus software. Since the attacks work locally, a malicious program must first be installed on your phone before it can go live, and antivirus software is the most basic way of ensuring that it never gets there. As a security measure, also make sure you disable installation of apps from “Unknown sources” in the Security settings.

Other than these two measures, security patches are the only other route to safety. As of the time of this writing, Google has already patched the Spectre and Meltdown vulnerabilities via the January 2018 Android security update. This is because it’s the search giant that discovered the vulnerabilities and alerted the affected parties, hence the swift action.

While owners of flagship non-Google phones have little to worry about (apart from time), it gets significantly scarier for the many users of midrange and budget phones that rarely or never receive any software updates. It’s unlikely that the potential threats posed by Spectre and Meltdown will force Android OEMs into action. The patches will also be rolled out with Google Chrome 64 on January 23rd, while Firefox 57 is already implementing fixes from the server side. What this means is that you should also ensure all other installed apps are updated to their most recent versions.
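To check a device against the versions named above (the January 2018 Android security update, Chrome 64 and Firefox 57), the following Python is an added example and not part of the original article. It reads the patch level from `getprop` output via the Android property `ro.build.version.security_patch`; the device output and browser version strings are constructed samples, and the function names are hypothetical.

```python
import re

# Thresholds taken from the article: January 2018 Android security update,
# Chrome 64, Firefox 57.
MIN_PATCH = (2018, 1)
MIN_BROWSER_MAJOR = {"chrome": 64, "firefox": 57}
PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-11-05]
[ro.product.model]: [ExamplePhone]
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def patch_status(props):
    """Return 'ok', 'outdated' or 'unknown' for the security patch level."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-\d{2}",
                     props.get("ro.build.version.security_patch", ""))
    if not m:
        return "unknown"  # property absent or malformed: do not assume patched
    return "ok" if (int(m.group(1)), int(m.group(2))) >= MIN_PATCH else "outdated"

def browser_status(name, version):
    """Compare a browser's major version with the article's threshold."""
    m = re.match(r"(\d+)(?:\.|$)", version)
    if name not in MIN_BROWSER_MAJOR or not m:
        return "unknown"
    return "ok" if int(m.group(1)) >= MIN_BROWSER_MAJOR[name] else "outdated"

def audit(getprop_text, browsers):
    """Return a dict of component -> status for one device."""
    report = {"android_patch": patch_status(parse_getprop(getprop_text))}
    for name, version in browsers.items():
        report[name] = browser_status(name, version)
    return report

if __name__ == "__main__":
    # Browser versions below are constructed sample values.
    print(audit(SAMPLE_GETPROP, {"chrome": "63.0.3239.111", "firefox": "57.0.4"}))
```

A status of `unknown` should be handled like `outdated` when triaging a fleet, since a device that does not report a patch level cannot be shown to carry the fix.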

Posted by Hillary
