Qualcomm has confirmed that some of its products are affected by the recently disclosed Spectre and Meltdown vulnerabilities, but the company says mitigations are being deployed.
The chipmaker has provided few details, but claims it has been working with ARM and others to assess the impact of the flaws. Mitigations have been developed and Qualcomm is in the process of incorporating them into impacted products.
“We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available,” the company stated.
Qualcomm’s processors, used in devices from several major vendors, include CPU, GPU, modem, audio, and camera components. Some of the systems rely on ARM CPU cores that have been confirmed to be affected by the Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.
For example, the Snapdragon 653, 652 and 650 platforms use ARM Cortex-A72 processors, which ARM says are vulnerable to both Spectre exploits and a variant of the Meltdown attack. Moreover, the Snapdragon 845 mobile platform, which Qualcomm unveiled just a few weeks ago, uses a customized version of the Cortex-A75, which is also vulnerable to both Spectre and Meltdown attacks.
Qualcomm is not the only vendor using ARM technology in its products. Apple, whose A-series system-on-a-chip (SoC) also uses ARM processing cores, confirmed that some of its devices are affected.
Raspberry Pis also use ARM cores, but the Raspberry Pi Foundation announced that the models found in its devices – specifically ARM1176, Cortex-A7, and Cortex-A53 – are not impacted by Spectre or Meltdown.
The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data, including passwords, photos, documents, emails, and data from instant messaging apps.
Billions of devices using Intel, AMD and ARM processors are affected and researchers believe attacks are not easy to detect. Experts are concerned that we may soon witness remote attacks.
Attacks can be prevented using kernel page table isolation (KPTI) and a mitigation named Retpoline developed by researchers at Google. Intel, Apple, Microsoft, Google, Amazon and others have already started rolling out patches and workarounds.
However, the mitigations can introduce performance penalties of up to 30 percent for affected processors. While Intel said regular users should not notice any difference and several tech giants claimed they had not seen any meaningful performance impact, some AWS customers have reported problems, and tests conducted by Red Hat showed penalties of up to 19% in the case of operations involving highly cached random memory.