PEPPERL+FUCHS Security advisory for MELTDOWN and SPECTRE attacks in ecom mobile Devices (Update A)

VDE-2018-009 (2018-07-06 14:47 UTC+0100)

Affected Vendors

PEPPERL+FUCHS

Affected Products

i.roc Ci70-Ex, Cx70-Ex, CT50-Ex, Pad-Ex 01, Tab-Ex 01, Smart-Ex 01, Smart-Ex 201, Ex-Handy 09, Ex-Handy 209

Summary

Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.

Impact

Pepperl+Fuchs analyzed ecom Instruments devices in respect of Meltdown and Spectre attacks. To our current knowledge only i.roc Ci70-Ex, Cx70-Ex, CT50-Ex, Pad-Ex 01, Tab-Ex 01, Smart-Ex 01, Smart-Ex 201, Ex-Handy 09, Ex-Handy 209 are potentially affected by these vulnerabilities.

In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.

ecom mobile devices are normally used in the corporate network. This implies that outgoing connections and local software installations have to be configured by administrators. If these steps are taken, the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker, is greatly reduced.

However, if a malicious website is accessed, an attacker could gain knowledge of all data in the memory of the mobile device, including passwords.

Solution

23.10.2018, Update A: Firmware for Android-based devices is now available

Android

Pepperl+Fuchs has released firmware updates for the following products:

Product        Date                       Update source
Smart-Ex 01    Available since 09/2018    FOTA-Update
Smart-Ex 201   Available since 10/2018    FOTA-Update

Microsoft Windows

Customers using ecom mobile devices from the i.roc Ci70-Ex, Cx70-Ex, CT50-Ex and Pad-Ex 01 product families should follow these guidelines:

  • In case preconfigured server connections / websites exist, they should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.
  • End users should be restricted in a way such that they can only use the system as configured by administrators.
  • General access to web pages should be protected through the use of kiosk mode, the use of mobile device management and the use of additional security software.
    It should be ensured that whitelisted websites do not redirect to untrusted servers / websites.
  • For Pad-Ex 01 with Microsoft Windows Operating Systems, Microsoft offers security patches which can be directly downloaded from the Microsoft website.
  • For CT50-Ex:
    Fix available in 68.01.15, 69.01.15, 70.01.15, 71.01.15.
    Windows 10 IoT Mobile patch from Microsoft available.
  • For i.roc Ci70-Ex and Cx70-Ex:
    Mitigate with security controls; see additional resources:
    https://www.honeywellaidc.com/en/-/media/en/files-public/security-notices/windows-mobile-6_5-network-security-guide-en.pdf
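
The guideline above that whitelisted websites must not redirect to untrusted servers can be checked before a kiosk or MDM configuration is rolled out. The following Python check is an added example, not part of the advisory and not Pepperl+Fuchs code; the host names, the redirect table and the function names are constructed for illustration, and in use `get_location` would be a function that requests a URL without following redirects and returns its `Location` header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: host names are placeholders, not from the advisory.
ALLOWED_HOSTS = {"portal.example.internal", "sso.example.internal"}

# Constructed redirect table standing in for live HTTP responses:
# URL -> Location header value (None means a final, non-redirect response).
SAMPLE_REDIRECTS = {
    "https://portal.example.internal/": "/login",
    "https://portal.example.internal/login": "https://sso.example.internal/auth",
    "https://sso.example.internal/auth": None,
    "https://portal.example.internal/help": "http://cdn.example.net/help.html",
    "http://cdn.example.net/help.html": None,
    "https://portal.example.internal/loop": "https://portal.example.internal/loop",
}


def check_chain(start_url, get_location, allowed_hosts, max_hops=10):
    """Follow redirects from start_url; return (ok, reason, chain)."""
    chain, url = [], start_url
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        chain.append(url)
        if parts.scheme != "https":
            return False, "non-HTTPS hop", chain
        if parts.hostname not in allowed_hosts:
            return False, "host not on allowlist", chain
        location = get_location(url)
        if location is None:
            return True, "ok", chain
        url = urljoin(url, location)  # resolve relative Location values
        if url in chain:
            return False, "redirect loop", chain
    return False, "too many redirects", chain


def audit(urls, get_location=SAMPLE_REDIRECTS.get, allowed_hosts=ALLOWED_HOSTS):
    """Return {url: (ok, reason, chain)} for every configured start URL."""
    return {u: check_chain(u, get_location, allowed_hosts) for u in urls}


if __name__ == "__main__":
    starts = ["https://portal.example.internal/",
              "https://portal.example.internal/help",
              "https://portal.example.internal/loop"]
    for url, (ok, reason, chain) in audit(starts).items():
        print("PASS" if ok else "FAIL", reason, " -> ".join(chain))
```

Every hop is checked, not only the final destination, so a trusted start page that passes through an untrusted or plain-HTTP intermediate is reported as a failure.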
     

Please note that Microsoft security patches directly affect machine code execution on the CPU. Take care when installing these patches, because they might have an impact on system performance or system stability.

This advisory will be updated as further details and/or software updates become available.

Reported by

Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher (Cyberus Technology), Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology) published the attack on https://meltdownattack.com/

Jann Horn (Google Project Zero) and Paul Kocher, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) published the attack on https://meltdownattack.com/