Older, jailbroken iPhones or Apple TVs possibly susceptible to CPU kernel vulnerability

Posted:
in iPhone
An ARM security update for the Cortex A8, Cortex A9, and Cortex A15 processors issued late on Wednesday suggests that older Apple iOS-based devices may be impacted by the CPU bug -- but they would have to be jailbroken, and running malware locally for the exploit to work.




ARM published developer documentation on Wednesday night talking about the trio of exploits, and they impacts ARM devices. CPUs by the company listed as affected include the Cortex A8, Cortex A9, and Cortex A15 processors -- the cores of which are found in Apple's A4, A5, A5X, and A6 chips.

On Thursday, 9to5Mac first collated a list of devices impacted by the flaw based on the ARM document, they include the iPhone 4, iPhone 4S, iPhone 5, and iPhone 5C. Apple's iPads possible affected include the original iPad, iPad 2, third generation iPad, and first generation iPad mini. The second and third generation Apple TV also utilize the possibly affected processor, as do the fourth and fifth generation iPod Touch.

It is possible that Apple's implementation of the Cortex processor silicon isn't impacted by the bug, given how Apple requires kernel memory to be handled, or what Apple may have done to the processors for use in an iOS device. Apple has issued no statement on the attack as of yet, but is clearly aware of it, as it already patched most if not all of the avenues of attack in macOS for modern hardware in December.

Apple is not currently shipping any of the afflicted devices. None of the possibly afflicted devices are still supported by Apple, either for repairs at a Genius Bar, or in software.

Devices like the original iPad are stuck on iOS 5, with the more recent devices left behind on iOS 9. The curated and managed aspect of the Apple iOS App Store has probably precluded any attack on older iPhones and iPads, given the review process and the apparent lack of any attack in the wild utilizing the exploit. The Apple TV units that use the afflicted processors had no app store, so only jailbroken units would have any chance of being impacted.

Linux and Android devices using the afflicted processors may or may not get an update. ARM refers users of those devices to install mitigations, or to check with Google regarding patches.

Comments

  • Reply 1 of 7
    blastdoorblastdoor Posts: 1,954member
    My impressions re that:

    1. the Spectre threat is theoretically a threat for any processor that uses out of order execution, which certainly includes Apple’s most recent chips. 
    2. the threat can be addressed by changing how the OS handles memory, but the fix can negatively affect performance

    Hopefully Apple’s control over hardware and software will enable (or already has enabled) them to come up with a way to deal with this threat that doesn’t degrade performance. 

    Edit: I got #2 wrong. Meltdown can be addressed through the OS change, Spectre has no known fix. 
    Man, 2018 is only a few days old and it already sucks. 

    edited January 2018 Soli
  • Reply 2 of 7
    dewmedewme Posts: 2,162member
    I'd imagine that antique desktop OS versions of Windows (XP, 8, Vista, and earlier.), Windows CE, and macOS (Leopard and earlier) are not going to be updated either. Believe it or not some of these operating systems are still in active use in semi-embedded applications like distributed process control (DCS) display terminals, human machine interfaces, industrial gateways, and even ATM machines. It's not unusual for some of these systems to be designed for 20-25 year lifetimes with very stringent control over updates. Some allow zero updates. The big caveat is that many of these systems are never directly connected to the internet.

    In fact, when evaluating the security vulnerability of a system you must look at security protection as being layered and the most effective layer is often physical security. If the attacker cannot get on to the vulnerable system, physically, virtually, or through a communication link (in-band or out-of-band) then the vulnerability is mitigated to zero.

    Though nobody likes to talk about it, there is also mitigation through lack of intent and numbers. Everyone in the pool of vulnerability always assumes that the attacker specifically intends to go after their personal system at near 100% probability. If there is a risk/reward profile to conduct the attack what's the chance that an attacker would target your Facebook password versus the login account information for a bank manager? But even with an intentional attacker the sheer number of potential targets reduces the probability of your system being targeted to a very small number. What's the chances of you being the penguin that gets chomped by the leopard seal when you are in a flock of a hundred million penguins? 
  • Reply 3 of 7
    racerhomie3racerhomie3 Posts: 1,160member
    iPad 1s can still be used to watch youtube.
    philboogie
  • Reply 4 of 7
    williamhwilliamh Posts: 671member
    dewme said:
    ] But even with an intentional attacker the sheer number of potential targets reduces the probability of your system being targeted to a very small number. What's the chances of you being the penguin that gets chomped by the leopard seal when you are in a flock of a hundred million penguins? 
    I'm guessing there's more than one leopard seal per hundred million penguins.  Add to that millions of leopard seal bots and leopard seal botnets with hundreds of thousands of members, and the pure numbers look less favorable.  It's not worthwhile to freak out though, as the exploit requires malware to be running on your system in the first place, so using an unjailbroken iPhone or being prudently paranoid while using your other devices will put the odds more in your favor.
    randominternetpersonwatto_cobra
  • Reply 5 of 7
    LatkoLatko Posts: 398member
    If there is a risk/reward profile to conduct the attack what's the chance that an attacker would target your Facebook password versus the login account information for a bank manager? But even with an intentional attacker the sheer number of potential targets reduces the probability of your system being targeted to a very small number. What's the chances of you being the penguin that gets chomped by the leopard seal when you are in a flock of a hundred million penguins? 
    Go and live in a big city (NY, Mexico, Tokyo) where the risk of getting robbed or struck by an airplane is far smaller...
    edited January 2018
  • Reply 6 of 7
    iPad 1s can still be used to watch youtube.
    Not really.  A $50 tablet would do a better job.  It has a bad screen but still better than an iPad 1.


  • Reply 7 of 7
    asdasdasdasd Posts: 5,324member
    I worry that class action suits will initially be driven against Apple and other computer manufacturers.
Sign In or Register to comment.