Mobile Devices Are Getting Overlooked In Spectre And Meltdown Response, Solution Providers Say
While a massive patching effort is underway to protect servers and PCs against the Spectre and Meltdown processor vulnerabilities, mobile devices containing business data pose a significant risk that few enterprises are focusing on, according to enterprise mobility specialists.
"Most organisations simply have not considered the mobile aspect," said Jason Holloway, managing director at Bridgeway Security Solutions, a solution provider based in Cambridge, U.K., that has analysed smartphone and tablet patch data. "A few are waking up to that and starting to conduct internal audits to appreciate the scale of the risk. Very few have begun the process of mandating the updates and pushing those through."
Based on Bridgeway's research, which includes multinational companies along with many organizations in Europe, only about 14 percent of enterprise mobile devices have been patched against Spectre and Meltdown – up from 4 percent a month ago.
"I would postulate that a similar issue is probably occurring across the world," Holloway told CRN. "The mindset of the IT department perhaps hasn't quite caught on readily to the risk when it comes to these devices. Traditional laptops, desktops and servers have so far been prioritized in terms of applying the patches, and being able to measure the exact impact and risk that these attacks provide."
At mobile device management vendor MobileIron, Chief Marketing and Strategy Officer Ojas Rege said he agreed with the assessment.
"These kinds of processor vulnerabilities, they don't care about form factors," Rege told CRN. "Most phones should be patched, but I bet they're not."
In a CRN poll, meanwhile, just 42 percent of respondents said that customers have completed all Spectre and Meltdown updates available to date. CRN conducted the online poll of 190 members of the CRN Channel Intelligence Council, a panel of solution providers representing the broad channel ecosystem in North America.
In terms of mobile devices, part of the issue is that many IT departments don't have a handle on which devices contain corporate data and which operating systems are running on them, Rege said.
"Where enterprises are at a big risk is if they don't have visibility into what devices their employees are using," Rege said. "There are more than half a billion smartphones with business data on them, and less than 20 percent of those today have a solution like MobileIron.
"Over 80 or 90 percent of the devices out there with business data are just kind of floating around, and IT has no visibility into the operating system and the patches," Rege said. "There's no ability to secure against these kind of vulnerabilities. That's a big risk."
Holloway said another issue is that many mobile devices used for mission-critical functions have mostly outlived their life expectancy and can't even be updated with security patches against Spectre and Meltdown. He estimated that 25 percent of enterprise mobile devices might be "unpatchable" against the processor vulnerabilities.
"We're seeing a growing realization that many of the devices that are currently being used for mission-critical apps and service delivery are fundamentally unable to be patched, and have to be physically replaced in order to mitigate this risk," Holloway said.
In the case of one Bridgeway customer, a hospital that uses iOS devices to collect crucial patient data, upgrading to the latest operating system is not supported because of the age of the devices, he said. "The only options are either to accept that risk, or to invest in new devices," Holloway said.
Patching Android devices poses a particular complication because "patches might come from different sources," and because devices running operating system versions prior to Android 6.0 are not eligible for monthly security updates, Rege said.
"If you have older Android devices you're going to have more risk attached to those devices," he said.
Solutions such as MobileIron enable IT professionals to see what operating system versions and patches exist on mobile devices in the enterprise, Rege said.
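The visibility problem described above (which devices hold business data, what OS and patch level each runs, and which cannot be updated at all) is what a fleet audit has to answer before anyone can mandate updates. The script below is an added example, not Bridgeway's or MobileIron's code: it classifies each device in an MDM inventory export as patched, pending or unpatchable and reports the percentages. The version and patch-level thresholds are assumed placeholders (a real audit would take them from the vendors' security bulletins), and the inventory is constructed sample data; the only rule taken from the article is that Android releases before 6.0 are not eligible for monthly security updates.

```python
"""Audit an MDM device inventory for Spectre/Meltdown patch status.

Added example (not Bridgeway's or MobileIron's code): the thresholds below
are assumed placeholders, and the inventory is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed thresholds (placeholders): a real audit takes them from the vendor
# security bulletins for the OS releases that shipped the mitigations.
REQUIRED_IOS: Tuple[int, ...] = (11, 2, 2)
REQUIRED_ANDROID_PATCH_LEVEL = date(2018, 1, 5)
# From the article: pre-6.0 Android is not eligible for monthly security updates.
MIN_ANDROID_FOR_MONTHLY_UPDATES: Tuple[int, ...] = (6, 0)


@dataclass
class Device:
    device_id: str
    platform: str                    # "ios" or "android"
    os_version: str                  # e.g. "11.2.5" or "5.1.1"
    patch_level: Optional[str]       # Android security patch level (ISO date); None on iOS/unknown
    max_supported_os: Optional[str]  # highest OS the hardware can run; None if unknown
    has_business_data: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.2.5' into (11, 2, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(dev: Device) -> str:
    """Return 'patched', 'pending' (an update path exists), 'unpatchable' or 'unknown'."""
    max_os = parse_version(dev.max_supported_os) if dev.max_supported_os else None
    if dev.platform == "ios":
        if parse_version(dev.os_version) >= REQUIRED_IOS:
            return "patched"
        if max_os is not None and max_os < REQUIRED_IOS:
            return "unpatchable"   # hardware cannot run a mitigated release
        return "pending"
    if dev.platform == "android":
        if dev.patch_level and date.fromisoformat(dev.patch_level) >= REQUIRED_ANDROID_PATCH_LEVEL:
            return "patched"
        if max_os is not None and max_os < MIN_ANDROID_FOR_MONTHLY_UPDATES:
            return "unpatchable"   # never eligible for monthly security updates
        return "pending"           # pre-6.0 devices need an OS upgrade first
    return "unknown"


def audit(inventory: List[Device]) -> Dict[str, float]:
    """Summarise only the devices holding business data, as the article's figures do."""
    scoped = [d for d in inventory if d.has_business_data]
    counts = Counter(classify(d) for d in scoped)
    total = len(scoped)
    return {
        "total": total,
        "patched": counts["patched"],
        "pending": counts["pending"],
        "unpatchable": counts["unpatchable"],
        "patched_pct": round(100.0 * counts["patched"] / total, 1) if total else 0.0,
    }


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("ipad-01", "ios", "11.2.5", None, "11.2.5", True),
    Device("ipad-02", "ios", "10.3.3", None, "10.3.3", True),      # aged hardware, stuck on 10.x
    Device("iphone-03", "ios", "11.1", None, None, True),
    Device("pixel-04", "android", "8.1.0", "2018-02-05", "8.1.0", True),
    Device("galaxy-05", "android", "7.0", "2017-12-01", "7.0", True),
    Device("scanner-06", "android", "5.1.1", "2016-03-01", "5.1.1", True),  # mission-critical, unpatchable
    Device("tablet-07", "android", "5.1.1", None, "7.0", True),    # can be upgraded, then patched
    Device("loaner-08", "android", "4.4.4", None, "4.4.4", False), # no business data: out of scope
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(f"{dev.device_id:12} {dev.platform:8} {dev.os_version:8} {classify(dev)}")
    print(audit(SAMPLE_INVENTORY))
```

The "unpatchable" bucket is the one that drives budget decisions (the hospital example above is exactly that case), so the classifier separates "no update has been applied yet" from "no update will ever be available"; an MDM export that lacks the maximum supported OS for a model leaves the device in "pending", which is the conservative choice for a device that might still be upgradable.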
The situation also creates opportunities for solution providers to provide value to customers.
"These kinds of vulnerabilities provide guys like us the ability to assist our clients in becoming the trusted advisor to their mobile enterprise," said Paul Troisi, chief customer officer at Peabody, Mass.-based Troy Mobility. "I think the challenge that many enterprises face is the balance between usability of applications that may not be ready for the newest OS version, in lieu of assuring their devices are running the recent patch or version to assure any vulnerabilities are negated."
The Spectre and Meltdown processor exploits were revealed at the beginning of January. The vulnerabilities affect chips from multiple vendors, including Intel, AMD and ARM.
The flaws comprise three variants of a side-channel security issue in server and PC processors, and could potentially enable attackers to read protected data.
While Intel continues to work on software mitigations for the vulnerabilities, the company has acknowledged that it will take a hardware fix to fully solve the issue for its processors, which is expected to be available toward the end of 2018.
In the CRN poll, solution providers ranked the vendor responses to the Spectre and Meltdown vulnerability issue on a scale of one to five, with five being the top mark, or "excellent." Sixty-two percent of respondents that use Google gave the vendor a rating of four or five, while 54 percent of Apple-using respondents gave the same ratings to Apple.