The California tech giant picked the favored Friday US West Coast afternoon “news dump” slot to admit at least some of its billions of Arm-compatible Snapdragon system-on-chips and newly released Centriq server-grade processors are subject to the Meltdown and/or Spectre data-theft bugs.
“Qualcomm Technologies, Inc is aware of the security research on industry-wide processor vulnerabilities that have been reported,” a spokesperson for Qualcomm told The Register on Friday.
“Providing technologies that support robust security and privacy is a priority for Qualcomm, and as such, we have been working with Arm and others to assess impact and develop mitigations for our customers.”
The spokesperson continued:
We are actively incorporating and deploying mitigations against the vulnerabilities for our impacted products, and we continue to work to strengthen them as possible. We are in the process of deploying these mitigations to our customers and encourage people to update their devices when patches become available.
Qualcomm declined to comment further on precisely which of the three CVE-listed vulnerabilities its chips were subject to, or give any details on which of its CPU models may be vulnerable. The paper describing the Spectre data-snooping attacks mentions that Qualcomm’s CPUs are affected, while the Meltdown paper doesn’t conclude either way.
Qualcomm uses a mix of customized off-the-shelf Arm cores and its homegrown Arm-compatible CPUs in its products, which drive tons of Android-based smartphones, tablets, and other devices. A selection of Arm Cortex-A and Cortex-R CPU core designs are vulnerable to the CVE-2017-5753 and CVE-2017-5715 Spectre vulnerabilities, but only one – the Cortex-A75 – is also vulnerable to the easily exploitable CVE-2017-5754 Meltdown flaw. The A75 is not in any shipping product at the moment.
Qualcomm will use that A75 core for its Snapdragon 845, while other Snapdragon lines list the A53 and A72, which are only vulnerable to the two Spectre variants. As we said, Qualcomm uses a mix of custom and off-the-shelf cores; they are probably affected by Spectre, and maybe Meltdown. Qualy won’t clarify either way.
Apple, which too bases its iOS A-series processors on Arm’s instruction set, said earlier this week that its mobile CPUs were vulnerable to Spectre and Meltdown – patches are available or incoming for iOS. The iGiant’s Intel-based Macs also need the latest macOS, version 10.13.2 or greater, to kill off Meltdown attacks. Spectre also needs to be patched in macOS at some point.