RM Logo
Technical Rating: 
Support Home PageSupport
Print This PagePrint This Page
Add to 'My Library' Add to 'My Library'

Protecting Chromebooks / Android devices from Spectre / Meltdown vulnerabilities
Published Date : 15 Jan 2018   Last Updated : 25 Jan 2018   Content Ref: TEC6046757  





Symptoms

Google's stance

The following is Google product's status on mitigations against CPU speculative execution attack methods:
https://support.google.com/faqs/answer/7622138?vid=0-289501461467-1515679584046

Product

Mitigation status

Google Chrome OS (Chromebooks, etc.)

Chrome on Chrome OS includes the Chrome browser mitigations mentioned above, including Site Isolation.

Chrome OS versions prior to 63 are not patched. To check the update status for your specific model, see this page. Chrome OS operating system started receiving version 63 on 15/12/2017.

'Chromebox for Meetings' devices run only trusted code from Google and are not at risk from this attack.

Intel Chrome OS devices on kernels 3.18 and 4.4 are patched with Kernel Page Table Isolation (KPTI) in Chrome OS 63 and above.

Older kernels will be patched with KPTI in a future release. Known attacks do not affect existing ARM Chrome OS devices, but these devices will also be patched with KPTI in a future release.

Android

On the Android platform, exploitation has been shown to be difficult and limited on the majority of Android devices.

The Android 2018-01-05 Security Patch Level (SPL) includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors. These changes were released to Android partners in December 2017.

Future Android security updates will include additional mitigations. These changes are part of upstream Linux.

Google-supported Android devices include Nexus 5X, Nexus 6P, Pixel C, Pixel/XL, and Pixel 2/XL. Users should accept the monthly updates for January 2018 on Nexus or their partner devices to receive these updates. Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation.

Timing mitigation for ARM processors included in the 2018-01-05 SPL as CVE-2017-13218.

Other Intel and ARM Processor specific fixes provided to partners.

 
Any Chromebooks on version 63 and above are safe from the vulnerabilities.



Procedure

Checking Chromebook model

To check if the model of Chromebook is protected against Spectre / Meltdown, then please refer to the following document published by Google:
https://www.chromium.org/a/chromium.org/dev/chrome-os-devices-and-kernel-versions

The Protection State should indicate whether the model is protected, needs to be patched to operating system version 63 or is not protected/end of life.

Our current standard offering for Chromebooks is an HP Chromebook 11/14, which is generally noted as safe. HP Chromeboxes, however, will need to be updated to version 63 of the operating system.


Checking operating system version from a Chromebook

The operating system version of a Chromebook will be displayed on the top right-hand corner of the lock screen, as shown in the image below.

Image showing the Chrome OS version

To view the Chromebook operating system version from an unlocked Chromebook, follow the steps below:

  1. Click Settings and then the menu bar.
  2. Click About Chrome OS. This should display the current Chrome OS version and allows you to check for any available updates.
Image showing the About Chrome OS window

Checking operating system version from a G Suite tenancy

If you wish to check the Chromebook operating system versions of all your enrolled Chromebooks, follow the steps below:

  1. From the Admin Console, click Device Management.
  2. Click Chrome Devices.
  3. Tick the 'Search all organisations' box and then click SEARCH.
Image showing the 'Search all organisations' box

  1. Click the serial number of the Chromebook you wish to check.
  2. Click the 'Hardware and OS' tab. The operating system version is displayed.
Image showing the 'Hardware and OS' window

Exporting Chrome OS version via Apps Script

Step 1: Create new document

  1. Create a blank Google Sheets document.
  2. Click Tools and then Script Editor.

Step 2: Allow API access

  1. On the blank script page, click Resources.
  2. Click Cloud Platform project.
  3. Click the default project link which appears.
  4. In the Google Cloud console, at the top left-hand side, click the menu bar.
  5. Click 'APIs & services'.
  6. Expand ENABLE APIS AND SERVICES.
Image showing ENABLE APIS AND SERVICES

  1. Search for Admin SDK.
Image showing Admin SDK

  1. Click Enable.
  2. Close this tab and return to the Apps Script.
  3. Click Close on the pop-up window.
  4. Click Resources.
  5. Click Advanced Google Services.
  6. Toggle the Admin Directory API to 'on'.
Image showing Admin Directory API

Run the script
  1. Download the chrome_os_script.js file from the Download section below and copy all contents and paste them into the blank script page.
  2. The script will run in two parts:
    • Part 1
      1. Go to Run, 'Run function'.
      2. Click getChromebooks.
    • Part 2
      1. Once Part 1 has successfully finished, go to Run, 'Run function'.
      2. Click 'tableFill'.

Now return to the Google Sheet and all information should be there.


Checking Android security version

Any Android or Google devices which have been patched from 5 January 2018 onwards should be protected. All Google branded devices will receive this update automatically and any other hardware provider or operator should follow suit soon afterwards.

To check your latest version follow this Google article: https://support.google.com/pixelphone/answer/4457705



FEEDBACK
Did the information in this article help answer your question?
 Yes
 No
Please add any comments about this article in the box below. If you answered No then it is important you tell us why so that we can change the article if required. We can only respond if you log in to the RM Support website or provide your contact details. Note: If you need help with a technical query, please log a call online or telephone our support team.
Thank you for your feedback, which is sent directly to the RM Knowledge team. We address every message received with the intention of improving our Knowledge Library articles. If you have an unresolved technical issue, please contact RM Support.


If this article has not helped provide a solution then it is also possible to log a call...



Document Keywords: meltdown, spectre, chromebook, protect chromebook, vulnerability


Please read - important disclaimer information.
http://www.rm.com/_RMVirtual/Includes/csredirect.asp?cref=&title=Standard Content Disclaimer


Top Of PageTop of page