Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.
This post has been updated with information from Google about protection against possible Spectre attacks that shouldn’t impact performance.
Wait, now my phone is at risk too?
Kind of. Google’s Project Zero team uncovered the Spectre bug as part of its larger investigation into CPU security and has already taken steps to mitigate the risk. However, even if you have a phone that’s vulnerable, Google notes that “exploitation has been shown to be difficult and limited on the majority of Android devices.”
Apple has been mum on Spectre and how it affects iOS devices, but presumably the risk will be equally small.
Are any phones at more risk?
The newest Android phones are in much better shape than older ones. Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.” That means all Pixel phones have been patched (assuming automatic updates are turned on), as well as Nexus 5X and 6P, as well as the Pixel C tablet.
How can it be fixed in non-Google phones?
Just like Meltdown, Spectre can only be patched via software. Some newer Android phones (such as the Samsung Galaxy S8 and Note 8) have already been updated, and other manufacturers should start pushing out their own updates within the next few weeks, as well as Apple’s iOS devices. However, many Android phones will likely remain vulnerable.
What if my phone doesn’t get updates anymore?
A hacker could potentially trick an otherwise safe app on your phone into handing over your personal info such as passwords and encryption keys. However, an attacker would need access to your unlocked phone as Spectre is unlikely to be implemented or triggered remotely.
Is my iPhone affected by the Spectre CPU flaw?
Apple has been mum on this whole issue, but even though it makes its own processors for iOS devices, some are still likely affected. Apple bases its A-series chips on ARM architecture, including some susceptible processors. According to ARM, the following chips and phones may be affected:
- Cortex-A8: iPhone 4
- Cortex-A9: iPhone 4s
- Cortex-A15: iPhone 5, 5C
Again, Apple hasn’t issued any kind of statement about the vulnerability or its impact on iPhones, so it’s possible that Apple either patched the bug in a prior version of iOS or avoided it entirely when designing the chip.
Will my phone slow down when the updates are issued?
The patch doesn’t appear to have a noticeable effect on performance, but it’s a much harder to measure than on a phone than it is on a PC. Google says it has developed a new mitigation called Retpoline that protects against possible attacks with “negligible impact on performance.” It has deployed the patch on its own systems and shared it with industry partners.
Are the iPad and AppleTV affected?
The full extent of affected devices won’t be clear until Apple releases some sort of press release, but some of the ARM chips above are used in other Apple devices as well:
- Cortex-A8: 1st-gen iPad, 2nd-gen Apple TV
- Cortex-A9: iPad 2, 3rd-gen iPad, 1st-gen iPad mini, 3rd-gen Apple TV
What about my Google Home and WiFi?
Google says these devices are unaffected by the Spectre bug.