Researching Windows 10 Mobile phones and Spectre vulnerabilities


Microsoft's patches for all supported branches of Windows 10 Mobile a few days ago were much welcomed, more of a show of force in the industry in the face of media concern over Meltdown and Spectre chip vulnerabilities, but the reality is that there was very little to worry about. Only a handful of phone models had the vulnerable chipsets and the attack vector even before the patches was infinitesimal. Note that, in my research, I also tried (and failed) to find evidence of any OS slowdown.

The security vulnerabilities which have even made the mainstream media this week involve ways for malicious software to leverage how modern, optimised chipsets work in order to gain access to information from other programs on the same phone/computer/tablet. But 'Don't panic!' has never been more appropriate, since the chances of anyone breaching your privacy on any phone, let alone a Windows device, are vanishingly small.

Let's start with the ARM processors used in the most popular Windows-based smartphones of the last few years. ARM chips are much less vulnerable to Meltdown and Spectre, happily (most of the problems are on the desktop, with Intel chipsets) - in fact, only a handful of the top end ARM-designed processors are affected at all, as ARM itself says and as my table below demonstrates:

| Most used chipsets | Used in | Contains | Vulnerable* to Spectre speculative execution and side-channel attacks? |
|---|---|---|---|
| Snapdragon 210/212 | Lumia 650, Wileyfox Pro | 4 x Cortex A7 | No |
| Snapdragon 400 | Lumia 640, 640 XL, 735, 830 | 4 x Cortex A7 & 2 x Krait 300 | No? |
| Snapdragon 800 | Lumia 930, 1520 | 4 x Krait 400 | No? |
| Snapdragon 808 | Lumia 950 | 2 x Cortex A57 & 4 x Cortex A53 | Yes |
| Snapdragon 810 | Lumia 950 XL | 4 x Cortex A57 & 4 x Cortex A53 | Yes |
| Snapdragon 820 | Alcatel IDOL 4S/4 Pro & HP Elite x3 | 4 x Kryo | No? |

* Theoretically vulnerable, at least - the chances of happening to stumble on malware in the Microsoft Store that had somehow slipped through the net AND of the phone having not been already offered the January 2018 security patches is almost zero. [Update] I've added the '?' against some entries because, as you'll see in the comments below, there's some uncertainty as to how much Qualcomm changed the ARM reference designs when it came out with the Krait and Kryo variants. Only Qualcomm knows whether these chips are technically vulnerable and it's not saying (yet)!

So nothing to worry about on the whole then. The only Cortex chip to be affected that's used by any Windows 10 Mobile phone is the A57 and the OS itself has been patched for all to stop exploits.

The Lumia 950 XL has four 'vulnerable' processor elements, but don't worry since Microsoft has you covered in terms of OS updates and Store monitoring...

One element of concern in the press was the effects of OS patching across the board to eliminate speculative execution, i.e. our computers, tablets and phones would slow down. I did do some testing on my phones before and after the recent patches, with inconclusive results. Here's a typical set, taken from the lowly Wileyfox Pro*:

| Fastest times (seconds) | Before Jan 2018 security patch | After the patch |
|---|---|---|
| Store opening with all graphics loaded | 10.6 | 10.5 |
| News opening with all graphics loaded | 8.3 | 8.4 |
| Planning route in Maps from Reading to Aberdeen | 15.6 | 15.0 |

* I guess it would have made most sense to do this on the stated 'vulnerable' 950 XL, but in my haste to apply the patch to that I clean forgot to benchmark anything. Oh well. Anecdotally, I've hammered the 950 XL today and I can't notice any slowdown beyond its normal UI speed.

From looking around the tech world, it seems that patching for Meltdown and Spectre has a different impact on performance depending on platform and load, as you'd expect. A server which is already running at 90% load might be hit in a big way, with a 20% performance drop, for example**, but on an end user computer or phone, with the chipsets only used to a fraction of their potential most of the time and with bottlenecks on SSD speed, card access, RAM and bandwidth, any performance hit from the new 'safer' OS code is negligible.

Especially under Windows 10 Mobile.

** Some sites have been running benchmark utilities on various platforms, but these are demonstrably unrepresentative of a user's experience.

PS. If anyone reading this has an old 950 or 950 XL in a drawer that hasn't been patched with the January update yet then please do time a few operations before and afterwards and comment below. Data points welcome!