Meltdown and Spectre: very few enterprise mobile devices are patched, and many will never be

The Meltdown and Spectre bugs have been in the headlines for a couple of weeks now, but it seems the patches are not being installed on handsets. Analysis of more than 100,000 enterprise mobile devices shows that just a tiny percentage of them have been protected against the vulnerabilities -- and some simply may never be protected.

Security firm Bridgeway found that just 4 percent of corporate phones and tablets in the UK have been patched against Spectre and Meltdown. Perhaps more worryingly, however, its research also found that nearly a quarter of enterprise mobile devices will never receive a patch because of their age.

See also:

• Malwarebytes warns that fake Meltdown and Spectre patches are being used to spread Smoke Loader malware
• Spectre patch in iOS 11.2.2 is slowing down iPhones
• Intel promises transparency as Meltdown patch causes reboot problems with Broadwell and Haswell chips
• Intel releases benchmark results detailing Meltdown patch performance slowdown

Bridgeway carried out its research across private, public and third-sector organizations in the UK using its IronWorks mobile management system. It found that -- looking across iOS and Android -- 72 percent of devices are vulnerable to Meltdown and Spectre. Despite the fact that patches have been available for a week now, it was discovered that a mere 4 percent of phones and tablets have them installed.

What is perhaps worst news is the fact that 24 percent of enterprise devices will never be protected against the critical vulnerabilities. The age of these devices means that patches are not being developed. As time goes by, and further details about how to exploit Meltdown and Spectre emerge, there is a very real danger that these devices will be at risk of attack.

Jason Holloway, managing director of Bridgeway, is concerned:

In 2017, the global damage caused by ransomware attacks highlighted the importance of quickly patching vulnerabilities, to mitigate the risks of attack and data loss. Mobile devices, although equally at risk as traditional PCs and servers, may not have been top of the IT department's priority patch list, but with increasing amounts of sensitive corporate data being stored and accessed from these devices, they should be.

It's worrying that only 4 percent of organisations have applied updates to protect their devices against Meltdown and Spectre: it means the majority of companies are needlessly exposing their users, devices and more importantly, corporate data, to the risk of interception and exfiltration. Mobile devices are the new target for hackers, who will be looking to exploit these flaws as quickly as they can. Organisations need to patch their mobile devices now, before they can be targeted.

Organizations are advised to check for the availability of patches for their devices, and to install them as soon as possible. Older devices that will never be patched -- older than Marshmallow, for example -- should be replaced to ensure security, says Bridgeway.