Summary
Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre.
While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU.
As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.
Impact
Pepperl+Fuchs analyzed ecom Instruments devices in respect of Meltdown and Spectre attacks. To our current knowledge only i.roc Ci70-Ex, Cx70-Ex, CT50-Ex, Pad-Ex 01, Tab-Ex 01, Smart-Ex 01, Smart-Ex 201, Ex-Handy 09, Ex-Handy 209 are potentially affected by these vulnerabilities.
In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.
ecom mobile devices are normally used in the corporate network. This implies that outgoing connections and local software installations have to be configured by administrators. If these steps are taken, this greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.
However, if a malicious website is accessed, an attacker could gain knowledge of all data in the memory of the mobile device, including passwords.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| CT50-Ex | Windows 10 IoT Mobile <68.01.15 | |
| Cx70-Ex | Windows Embedded Handheld | |
| Pad-Ex 01 | Windows Operating Systems | |
| Smart-Ex 01 | Android <09/2018 FOTA-Update | |
| Smart-Ex 201 | Android <10/2018 FOTA-Update | |
| i.roc Ci70-Ex | Windows Embedded Handheld |
Vulnerabilities
Expand / Collapse allRemediation
Android
Pepperl+Fuchs has released firmware updates for the following products:
| Product | Date | Update Source |
|---|---|---|
| Smart-Ex 01 | Available since 09/2018 | FOTA-Update |
| Smart-Ex 201 | Available since 10/2018 | FOTA-Update |
Microsoft Windows
Customers using ecom mobile devices from the following product families:
- i.roc Ci70-Ex
- Cx70-Ex
- CT50-Ex
- Pad-Ex 01
should follow these guidelines:
- If preconfigured server connections or websites exist, restrict them to secured and trusted servers.
- Use secure protocols such as HTTPS.
- Restrict end users so that they can only use the system as configured by administrators.
- General access to web pages should be protected through:
- Kiosk mode
- Mobile Device Management (MDM)
- Additional security software
- Ensure that whitelisted websites do not redirect to untrusted servers or websites.
Pad-Ex 01 with Microsoft Windows OS
- Microsoft offers security patches, downloadable directly from the Microsoft website.
CT50-Ex
- Fix available in versions:
68.01.15,69.01.15,70.01.15,71.01.15 - Windows 10 IoT Mobile patch from Microsoft is available.
i.roc Ci70-Ex and Cx70-Ex
- Mitigation via security controls — see additional resources:
Windows Mobile 6.5 Network Security Guide (Honeywell)
Please note: Microsoft security patches directly affect machine code execution on the CPU. Installing these patches might impact system performance or stability.
This advisory will be updated as further details and/or software updates become available.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 06.07.2018 16:47 | Initial revision. |
| 1.1.0 | 23.10.2018 12:00 | Firmware for Android based devices now available. |