Qualcomm joins Intel, Apple, Arm, AMD in confirming its CPUs suffer hack bugs, too

Qualcomm has confirmed its processors have the same security vulnerabilities disclosed this week in Intel, Arm, AMD and IBM CPU cores. The California tech giant picked the favored Friday US West Coast afternoon "news dump" slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly …

  1. andyp-random-number

    The same bug.

    "Qualcomm has confirmed its processors have the same security vulnerabilities disclosed"

    Surely all the manufacturers have either stolen, shared their designs, or all of them sell to each other? You think they are unique products between each of them but they are all the same, just with extra bits added or some bits removed.

    It's just like when a top supermarket has a contaminated product such as their "special premium yogurt" and it turns out all other supermarkets including Aldi and Lidl budget yogurts are also affected.

    1. DougS Silver badge

      Re: The same bug.

      No, that's a stupid assumption that is 100% wrong. It is because they all do out of order speculative execution. It requires extra effort to avoid the bug, and since no one had ever really thought about this hard enough before there was no reason to put in the extra effort to add bounds checks, consider kernel/user mode in tagging, etc.

    2. Doctor Syntax Silver badge

      Re: The same bug.

      You might find this helpful: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/

      1. Anonymous Coward

        Re: The same bug.

        ...which explains why the A53 is not vulnerable!

        1. Anonymous Coward

          Re: The same bug.

          "which explains why the A53 is not vulnerable"

          I guess Buxton and Shrewsbury would be a bit upset if it was!

          1. Anonymous Coward

            Re: The same bug.

            Just vulnerable to bikers or more likely the other way round.

      2. andyp-random-number

        Re: The same bug.

        cheers, I did :)

      3. Hans 1 Silver badge

        Re: The same bug.

        "You might find this helpful: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/"

        Thanks, Doc!

        "Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm's CPUs are affected, while the Meltdown paper doesn't conclude either way."

        El'Reg, I think you have to understand, we have three CVEs, two l33t names for these vulns, Spectre and Meltdown.

        The only CPUs affected by Meltdown are all recent Intel CPUs, from 2010 on (at the very least), and an AMD Pro CPU with jit (just in time compiler) enabled (which is disabled by default).

        Spectre is a more generic vuln that affects a bunch of CPU designers/vendors including Intel, AMD, ARM, IBM, and Qualcomm.

        What is the difference between Spectre and Meltdown?

        Meltdown exploits are globally easier to implement than Spectre.

        Meltdown takes advantage of memory reads in out-of-order instructions, Spectre acts on the branch prediction mechanism.

        Spectre allows for cross/intra process memory disclosure, Meltdown allows disclosure of kernel memory to the user-space processes (normally not accessible).

        Meltdown has a known software mitigation.

        Both rely on a cache side-channel attack, which is a measure of timing differences when accessing certain blocks of memory to deduce the information otherwise unknown.

        More gory details available here, idiot-proof read:

        https://security.stackexchange.com/questions/176803/meltdown-and-spectre-vulnerabilities

        1. Hans 1 Silver badge

          Re: The same bug.

          Crap, ERRATUM :-(

          The only CPUs affected by Meltdown are all recent Intel CPUs, from 2010 on (at the very least), and an AMD Pro CPU with jit (just in time compiler) enabled (which is disabled by default).

          s/b

          The only CPUs affected by Meltdown are all recent Intel CPUs, from 2010 on (at the very least).

          The AMD Pro CPU is vulnerable to Spectre, sorry!

    3. Warm Braw Silver badge

      Re: The same bug.

      What might partly be at play here, though, is that chip design is a very specialist skill - there aren't that many people doing it and they have the choice of a small number of employers. And everyone is constrained by physics in the same way. And for the most part, it's an evolutionary process (tick-tock) not a revolutionary one.

      Looked at in that light, it would actually be surprising if processor designs were radically different.

      1. stephanh Silver badge

        Re: The same bug.

        ...and they are mostly the same people, who have been to the same universities, have been taught by the same profs, and from the same textbooks. They job-hop among the same set of companies.

        And they mostly don't interact with security experts who are more software people.

      2. steelpillow Silver badge

        Re: The same bug.

        "Looked at in that light, it would actually be surprising if processor designs were radically different."

        Not really. Convergent evolution happens. Insects, pterosaurs, birds, two kinds of bat and even the odd fish all learned to fly separately. Human and octopus eyes evolved wholly separately (though the octopus did a better job). We have RNA and DNA and mixed-genome viruses. Then, there is the marketing desire for product differentiation. It would be astonishing if all CPUs were the same at heart. Yet they can all fly with predictive pre-processing, because that became a necessary survival characteristic.

        1. andyp-random-number

          Re: The same bug.

          "Not really. Convergent evolution happens. Insects, pterosaurs, birds, two kinds of bat and even the odd fish all learned to fly separately. "

          ...You're right, but convergence normally ends up with a good working design. All these chip makers converged on a bug!

          Billions of $ by each company in research and then all come up with the same bug. I don't buy it. I don't have enough knowledge of the subject, and my processor knowledge is rather out of date, but with what the NSA and GCHQ have been up to in recent years I'd like to wait a few years and see what Wikileaks says :) I'm not saying anything is sinister but it seems rather convenient that a decades old bug seems to have been found in most processors.

          1. Brewster's Angle Grinder Silver badge

            Re: The same bug.

            "All these chip makers converged on a bug!"

            The original Project Zero blog provided details of three separate issues---two labelled spectre and one called meltdown---each of which affected manufacturers in different ways.

            Intel is vulnerable to meltdown; AMD isn't. The (unreleased) ARM Cortex-A75 is vulnerable to meltdown in the same ways as Intel, but none of its other chips are. However the Cortex-A15, Cortex-A57 and Cortex-A72 are vulnerable to meltdown but in a way that is different to Intel and the A75.

            The Spectre bugs are even more varied. There is just no convergence on a single bug. This is a class of bugs that security researchers haven't examined prior to now.

            1. Pompous Git Silver badge

              Re: The same bug.

              "There is just no convergence on a single bug. This is a class of bugs that security researchers haven't examined prior to now."

              Convergence happened, just not on bugs. Those of us of a certain age will remember the CISC vs RISC war. Today's processors use aspects of both design philosophies. It's hard to envisage any selection pressure to converge on an error.

              1. Anonymous Coward

                Re: The same bug.

                "It's hard to envisage any selection pressure to converge on an error."

                The selection pressure was to achieve best performance - and speculative pre-fetch goes back to at least the late 1960 mainframe designs.

                It was only when the environment selection pressure changed to favour security that this particular advantage became a disadvantage.

                No different than Darwinian evolution over the millennia.

              2. Loud Speaker

                Re: The same bug.

                The CISC vs RISC was about what is the performance bottleneck: if instruction decode is costly, then RISC is faster, if memory access is the bottleneck, CISC is faster. With pipeline to mitigate instruction decode cost, and cache to mitigate memory access, the decision is less clear.

                Throw in out of order and speculative execution, and it all becomes an even bigger muddle.

                When Seymour Cray did speculative execution it was limited to 7 instructions, and a context switch would lose the lot anyway. Now, Intel are doing more than 200 instructions, the gravy thickens. What was secure for 7 instructions and no cache is not necessarily secure for 200 and two levels of caching. Someone SHOULD have realised the scale of what can happen in 200 instructions - while checking out that the speculation was logically sound. They had from about 1980 to the present to investigate.

                However, all the older CPU designers privy to discussions about this in the 1980s have now retired - probably in part because "computers are new, and old people won't understand" based age discrimination. (For those who don't know - computers date from 1949 - and some of us still remember the first one - EDSAC 1 and talked to the people who built it).

                Allowing bypass of access validity checks in the name of speed was about as sensible as saying "we won't have a store detective in the checkout area because it would increase checkout queues and cost money". Even Poundland knows that is not the way to a successful business.

                1. Voyna i Mor Silver badge

                  Re: The same bug.

                  "(For those who don't know - computers date from 1949 - and some of us still remember the first one - EDSAC 1 and talked to the people who built it)."

                  For those who do know, the Manchester SSE ran its first program on June 21st 1948, and made Tom Kilburn the world's first programmer.

                  I went to Cambridge, but I'm still happy to give Manchester priority in this case. Attempted caveats such as "But the Manchester machine was experimental!" are, to my mind, the tiniest bit pathetic.

                  1. EnviableOne Bronze badge

                    Re: The same bug.

                    Colossus Mark 1 was shown to be working in December 1943 and was operational at Bletchley Park by January 1944.

              3. CrazyOldCatMan Silver badge

                Re: The same bug.

                "It's hard to envisage any selection pressure to converge on an error."

                Except that all[1] the designers are using the same assumptions and design philosophy so that, even though the design details differ that overall design is functionally equivalent.

                [1] Where 'all' == those working for the big processor manufacturers. The fact that AMD is less vulnerable than Intel seems to come down to the number of speedup shortcuts taken by Intel.

          2. Voyna i Mor Silver badge

            Re: The same bug.

            "You're right, but convergence normally ends up with a good working design. All these chip makers converged on a bug!"

            Environment changes, and environment determines how surviving species end up.

            We don't get 40cm dragonflies any more because oxygen levels and temperature are way down.

          3. Anonymous Coward

            NSA and GCHQ

            @andyp-random-number

            Once you read up on how it works (see the excellent link from Doctor Syntax) it looks very unlikely anyone was involved. The advancement of processors is what brought about this problem which is why multiple processors are in trouble. They didn't really have any other way to progress and the problem is in the implementation.

            You couldn't get the designers from multiple companies to all secretly put a back door in all the processors. They won't all have been Americans/English and they won't all have worked in the America/England.

            Personally when I look at a potential conspiracy I determine how many people would have to keep quiet for it to stay secret, whether they were all the same group (which can be Nationality/government/race/religion/political affiliation/secret group with a funny handshake or ring) and if it's plausible. I don't think there are many that pass this test and even then I'm still extremely sceptical. In fact the only one that is still sat as a conspiracy is JFK because there is too much conflicting information, not a clue which theory is right though I'm leaning towards professor plum in the kitchen with the hammer.

    4. Dan 55 Silver badge

      Re: The same bug.

      Well of course they have the same bugs, they use the affected ARM CPU designs on their SoCs.

  2. mark l 2 Silver badge

    Look out for updates to Android. Haha. Unless your phone is only a few months old I doubt you will ever see a patch unless you download and flash it with a custom ROM. I bought my Android phone back at the beginning of 2017 and it came with Android 6, there were a couple of OTA updates but nothing since July 2017 and there are now 2 newer versions of Android available. The manufacturer support page doesn't want to be bothered with it any more and just tries to sell you a new phone.

    I am quite happy to flash a ROM myself but so far I haven't found one that is stable and everything working with the custom ROMs, so I am stuck on an old version which will probably never get an official update.

    1. Anonymous Coward

      Manufacturer Support and obsolescence

      "The manufacturer support page doesn't want to be bothered with it any more and just tries to sell you a new phone."

      In other words, the device is now obsolete.

      And this is on a device that is less than a year old....

      Yet all we hear about is Apple being the champion of this. Sorry Apple, you are mere amateurs.

    2. Anonymous Coward

      Firstly you have fallen into the trap that the mainstream media use to fool idiots. You don't need to be running the newest version of android to get the latest security updates.

      Secondly Android isn't really affected by Meltdown (which is pretty much intel only, along with a yet to be released arm design). Android doesn't really have spectre problems either, as it's hard to exploit at the best of times, but without high precision timers, it's pretty much impossible. Android has never provided an API with enough accuracy to exploit Spectre.

      The iOS bug is essentially patching it to do the same as android, restrict the accuracy of timers to apps. Mozilla are doing the same to JavaScript engine on Windows.

      Lastly, if you cared so much about security, why didn't you consider it at time of purchase? Only a true cretin would buy a product and then look at how well it's supported after handing over the money.

      1. Dan 55 Silver badge

        "Android doesn't really have spectre problems either, as it's hard to exploit at the best of times, but without high precision timers, it's pretty much impossible. Android has never provided an API with enough accuracy to exploit Spectre."

        That's why Android's January security patch addresses Spectre. I wonder when most users will get that? I'm placing my bet on the 12th of never.

        "The iOS bug is essentially patching it to do the same as android, restrict the accuracy of timers to apps."

        Hang on, didn't you just say Android wasn't affected?

        "Mozilla are doing the same to JavaScript engine on Windows."

        And other desktop platforms and Android.

        "Lastly, if you cared so much about security, why didn't you consider it at time of purchase? Only a true cretin would buy a product and then look at how well it's supported after handing over the money."

        Only a cretinous company would design an OS which is so difficult to get updates for except for a few chosen models (mostly its own).

        1. Anonymous Coward

          "That's why Android's January security patch addresses Spectre. "

          Yes it does, and it patches it without performance penalty, so why wouldn't Google include Linux kernel patches? However that doesn't mean if you don't have that patch that you are wide open, it means it's been closed down belt and braces, other Android devices just have the braces automatically. How hard is this to comprehend? It's even mentioned in the security blog.

      2. Justthefacts

        You haven’t read Spectre paper hard enough

        The cache invalidation is just *one bleedin’ obvious* exfiltration technique for speculative execution.

        If you read the paper properly, it says roughly this: “umm, holy crap, now we’ve thought about this, here’s one simple way to exploit it. We can think of at least a couple more techniques, but it is more important to get this paper out now fast, to fix the underlying problem, rather than waste time showing how clever we are”.

        I can think of at least one more way, off the cuff, that doesn’t use cache timing. But not stupid enough to say it out loud.

        Maybe you know that Android has some reason that too doesn’t work in practice, but I wouldn’t bet it.

  3. Paul

    So where is IBM statement about and Power8 and Power9 in this?

    1. Doctor Syntax Silver badge

      "So where is IBM statement about and Power8 and Power9 in this?"

      Writing it's been outsourced as there's nobody left in-house to deal with it. Then it goes to the lawyers to be reviewed.

  4. Mike 16 Silver badge

    Last word from Apple?

    IIRC, there was an announcement (or _reported_ announcement), that Apple would also patch previous versions of MacOS/OSX, back to the non-EOLed 10.11. Then that was removed/redacted/"never happened. Get with the program, Winston".

    Are they (still) planning on doing that, someday, or does the Mac user who would rather not face the dumpster fire that has been the 10.13 rollout now face the choice of that or Meltdown/Spectre.

    "Do you feel _lucky_?"

  5. Anonymous Coward

    Always makes me laugh when the BBC state android devices will get an update. Good luck on that one - I bet less than 1% ever see a fix.

    1. Anonymous Coward

      Unless you have a rare/non existent ARM device that is affected by Meltdown, then every android device is protected from spectre because android doesn't have high Res timers in userland. (Unlike iOS, which is properly affected by Spectre AND meltdown), and the iOS fix for spectre? Yep, restrict high Res timers from the userland (copy the existing android way of doing things), get what Mozilla fix for Firefox on windows is? Yep, reduce the accuracy of high Res timers in JavaScript

      Sorry to spoil your party..

  6. Robert Heffernan

    3-Letter Organisations

    I bet there are 3-Letter organisations around the world currently spitting chips that their backdoor has been found and is being patched.

  7. Ken Moorhouse Silver badge

    Fly by wire

    All this talk about imperfection in CPU design glosses over the fact that there are other issues which will occasionally rear their head e.g., row hammer.

  8. Hans 1 Silver badge

    For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.

    Qualcomm have understood this lesson, why has Intel frayed away?

  9. Anonymous South African Coward Silver badge

    Lovely news. Getting better all the time.

    Bets on who'll be next, and what the next security nightmare will be?

  10. Haku

    Online fraud.

    Banks must be secretly rubbing their hands with glee, another reason to reject fraud claims - they can basically say your credit card details got ripped off because you've been buying things online with it using a computing device with an 'insecure CPU'...
