An ARM security update for the Cortex A8, Cortex A9, and Cortex A15 processors issued late on Wednesday suggests that older Apple iOS-based devices may be impacted by the CPU bug — but they would have to be jailbroken, and running malware locally for the exploit to work.
ARM published developer documentation on Wednesday night discussing the trio of exploits and how they impact ARM devices. CPUs by the company listed as affected include the Cortex A8, Cortex A9, and Cortex A15 processors — the cores of which are found in Apple's A4, A5, A5X, and A6 chips.
On Thursday, 9to5Mac first collated a list of devices impacted by the flaw based on the ARM document. They include the iPhone 4, iPhone 4S, iPhone 5, and iPhone 5C. Apple's iPads possibly affected include the original iPad, iPad 2, third generation iPad, and first generation iPad mini. The second and third generation Apple TV also utilize the possibly affected processor, as do the fourth and fifth generation iPod Touch.
It is possible that Apple's implementation of the Cortex processor silicon isn't impacted by the bug, given how Apple requires kernel memory to be handled, or what Apple may have done to the processors for use in an iOS device. Apple has issued no statement on the attack as of yet, but is clearly aware of it, as it already patched most if not all of the avenues of attack in macOS for modern hardware in December.
Apple is not currently shipping any of the afflicted devices. None of the possibly afflicted devices are still supported by Apple, either for repairs at a Genius Bar, or in software.
Devices like the original iPad are stuck on iOS 5, with the more recent devices left behind on iOS 9. The curated and managed aspect of the Apple iOS App Store has probably precluded any attack on older iPhones and iPads, given the review process and the apparent lack of any attack in the wild utilizing the exploit. The Apple TV units that use the afflicted processors had no app store, so only jailbroken units would have any chance of being impacted.
Linux and Android devices using the afflicted processors may or may not get an update. ARM advises users of those devices to install mitigations, or to check with Google regarding patches.
7 Comments
My impressions re that:
1. the Spectre threat is theoretically a threat for any processor that uses out of order execution, which certainly includes Apple’s most recent chips.
2. the threat can be addressed by changing how the OS handles memory, but the fix can negatively affect performance
Hopefully Apple’s control over hardware and software will enable (or already has enabled) them to come up with a way to deal with this threat that doesn’t degrade performance.
Edit: I got #2 wrong. Meltdown can be addressed through the OS change, Spectre has no known fix.
Man, 2018 is only a few days old and it already sucks.
I'd imagine that antique desktop OS versions of Windows (XP, 8, Vista, and earlier), Windows CE, and macOS (Leopard and earlier) are not going to be updated either. Believe it or not, some of these operating systems are still in active use in semi-embedded applications like distributed process control (DCS) display terminals, human machine interfaces, industrial gateways, and even ATM machines. It's not unusual for some of these systems to be designed for 20-25 year lifetimes with very stringent control over updates. Some allow zero updates. The big caveat is that many of these systems are never directly connected to the internet.
In fact, when evaluating the security vulnerability of a system you must look at security protection as being layered and the most effective layer is often physical security. If the attacker cannot get on to the vulnerable system, physically, virtually, or through a communication link (in-band or out-of-band) then the vulnerability is mitigated to zero.
Though nobody likes to talk about it, there is also mitigation through lack of intent and numbers. Everyone in the pool of vulnerability always assumes that the attacker specifically intends to go after their personal system at near 100% probability. If there is a risk/reward profile to conduct the attack, what's the chance that an attacker would target your Facebook password versus the login account information for a bank manager? But even with an intentional attacker, the sheer number of potential targets reduces the probability of your system being targeted to a very small number. What are the chances of you being the penguin that gets chomped by the leopard seal when you are in a flock of a hundred million penguins?
iPad 1s can still be used to watch YouTube.