Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.
This post has been updated with links to the Safari updates on iOS 11.2 and macOS.
Wait, now my phone is at risk too?
Kind of. Google’s Project Zero team uncovered the Spectre bug as part of its larger investigation into CPU security and has already taken steps to mitigate the risk. However, even if you have a phone that’s vulnerable, Google notes that “exploitation has been shown to be difficult and limited on the majority of Android devices.”
Additionally, Apple says all iPhones and iPads are affected by Spectre as well, though "they are extremely difficult to exploit." The company also says the Meltdown bug also affects iOS devices, though mitigations were released last month as part of iOS 11.2.
Are some phones at higher risk than others?
The overall risk is the same, but newer Android phones are in much better shape than older ones. Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.” That means all Pixel phones have been patched (assuming automatic updates are turned on), as well as Nexus 5X and 6P, as well as the Pixel C tablet.
Apple says Meltdown mitigations have been released for all iPhones running iOS 11.2, and Spectre mitigations are on the way.
How can it be fixed in non-Google phones?
Just like Meltdown, Spectre can only be mitigated via software. Some newer Android phones (such as certain versions of the Samsung Galaxy S8 and Note 8) have already received Google's December security update, and other manufacturers should start pushing out their own updates within the next few weeks, as well as Apple’s iOS devices. However, many Android phones will likely remain vulnerable.
What if my phone doesn’t get updates anymore?
A hacker could potentially trick an otherwise safe app on your phone into handing over your personal info such as passwords and encryption keys. However, an attacker would need access to your unlocked phone as Spectre is unlikely to be implemented or triggered remotely.
Is my iPhone affected by the Spectre CPU flaw?
Short answer, yes. Apple says that all iOS devices are affected by the Spectre bug, but it has yet to push out any OS-level protections against Spectre. They're on the way, though. On January 8, Apple pushed out updates to iOS 11 and macOS with "security improvements to Safari and WebKit to mitigate the effects of Spectre."
Is my iPhone affected by the Meltdown CPU flaw?
Apple says the Meltdown bug also affects iOS devices. iPhones running iOS 11.2 have received mitigations to protect against possible attacks, so make sure to update your device.
Will my phone slow down when the updates are issued?
The patch doesn’t appear to have a noticeable effect on performance, but it’s a much harder to measure than on a phone than it is on a PC. Google says it has developed a new mitigation called Retpoline that protects against possible attacks with “negligible impact on performance.” It has deployed the patch on its own systems and shared it with industry partners. Additionally, Apple says the updates it has issued to iOS and Safari "resulted in no measurable reduction in performance."
Are the iPad and Apple TV affected?
Yes and yes. iOS 11.2 mitigates the risk of Meltdown on iPads and tvOS 11.2 does the same for Apple TV. Spectre mitigations are in the works.
What about Apple Watch?
Apple says Apple Watch is unaffected by Meltdown. Mitigations are on the way to protect against Spectre.
What about my Google Home and WiFi?
Google says these devices are unaffected by the Spectre bug.