iPhone and iPad are susceptible to widespread CPU flaw, too [Update]

By

Apple A5 chip
Apple's A series chips could also be vulnerable to a nasty flaw.
Photo: Apple

A nasty CPU flaw that leaves computer users’ most sensitive data at risk is also present in iPhone and iPad processors, Apple confirmed Thursday.

The “Spectre” bug has been discovered in the mobile ARM processors that power iOS devices, as well as Apple TV — but there’s probably no need to panic.

It turns out that Intel isn’t the only chip manufacturer guilty of leaving its users open to attack. Google’s Project Zero team has discovered that processors designed by AMD and ARM are also susceptible to a bug that leaves parts of a system’s kernel memory exposed.

Apple confirmed the problem in a support document published Thursday that addresses the recently discovered Spectre and Meltdown security flaws:

These issues apply to all modern processors and affect nearly all computing devices and operating systems. All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time. Since exploiting many of these issues requires a malicious app to be loaded on your Mac or iOS device, we recommend downloading software only from trusted sources such as the App Store. Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.

What happened?

I’ll try to explain this briefly and in simple terms.

For many years, chip manufacturers have been using a technique called “speculative execution” to optimize system performance. This technique predicts what you might do before you actually do it in an effort to speed up common processes.

It turns out that the implementations of speculative execution used by many CPU makers contains a serious vulnerability that leaves parts of a system’s memory exposed. This memory may contain our most sensitive data, including passwords, encryption keys, and more.

The vulnerability in desktop processor has been dubbed “Meltdown.” In mobile processors designed by ARM, it is dubbed “Spectre.”

What does this mean?

It means that apps could obtain unauthorized access to sensitive information that was designed to be inaccessible. Our software shouldn’t be able to freely access things like passwords and encryption keys, but thanks to this vulnerability, that’s now possible.

iPhone and iPad aren’t immune

Even though Apple designs its own mobile chips, they are based on ARM architecture. The Cortex-A8, Cortex-A9, and Cortex-A15 chips — which are found in iPhone 4, iPhone 4s, and iPhone 5 and 5c, respectively — are affected by the flaw, according to ARM itself.

The Cortex-A8 is also found in the first-generation iPad and the second-generation Apple TV. The Cortex-A9 is also found in the second- and third-generation of iPad, the first-generation iPad mini, and the third-generation Apple TV.

Why you shouldn’t worry

If you’re still using one of these devices, you shouldn’t panic.

The risk to mobile devices is incredibly slim — especially if you don’t jailbreak your device or download apps from outside the App Store. Apple says no known exploits affecting iOS users, and the company is working on updates to patch all its platforms.

The company issued a statement on Wednesday to confirm it already fixed the problem on macOS with the 10.13.2 update that rolled out in December.

How is the vulnerability fixed?

Chip manufacturers can eliminate this flaw in future processor designs, but the only way it can be fixed in existing products is with an operating system update.

Unfortunately, it is believed that the update will lead to performance hits of up to 30 percent in desktop chips. It’s not yet clear what kind of impact it might have on mobile processors. But again, we probably don’t need to worry about it in Apple devices.

Update: This post was updated at 5:30 p.m. Pacific on Thursday, Jan. 4, 2018, to include information from Apple’s support document.