Information about vulnerability of Toradex System on Modules to Speculative Side Channel Attacks aka Meltdown and Spectre
Google researchers found an issue in many modern processors that can allow programs to access protected data. This could enable attacker software to defeat memory access controls and get access to confidential and sensitive information such as passwords.
There are three variants of the vulnerability: CVE-2017-5753 and CVE-2017-5715, called “Spectre”, and CVE-2017-5754, known as “Meltdown”.
For more details about the vulnerability, please visit: https://spectreattack.com/
Is my Toradex System on Module affected?
|Toradex Products|Arm Core|Variant 1|Variant 2|Variant 3|
| |Cortex®-A5|Not Affected|Not Affected|Not Affected|
| |Cortex®-A7|Not Affected|Not Affected|Not Affected|
|Apalis TK1|Cortex®-A15|Affected|Affected|Not Affected|
| |XScale®|Not Affected|Not Affected|Not Affected|
The Cortex®-M4 Cores on the Colibri VF61, Colibri iMX7, and Apalis TK1 are not affected.
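A check for the table above on a running Linux BSP, as an added example that is not Toradex's own code: it reads the Arm implementer and part IDs from /proc/cpuinfo, maps them to the cores in the table, and prints the kernel's mitigation status from /sys/devices/system/cpu/vulnerabilities where the kernel provides it. The part IDs (0xc05, 0xc07, 0xc0f under Arm implementer 0x41) are not on the page, and reading the three status columns in order as variants 1 to 3 is an assumption.

```shell
#!/bin/sh
# Added example, not Toradex code. Part IDs are Arm MIDR values (assumption:
# not given on the page); XScale is left unmapped because its IDs are not
# assumed here.

# Print unique "implementer:part" pairs from a cpuinfo-format file.
cpu_ids() {
    [ -r "$1" ] || return 0
    awk -F': *' '/^CPU implementer/ { imp = tolower($2) }
                 /^CPU part/        { print imp ":" tolower($2) }' "$1" | sort -u
}

# Advisory table row for one ID: "core variant1 variant2 variant3".
advisory_row() {
    case "$1" in
        0x41:0xc05) echo "Cortex-A5 not-affected not-affected not-affected" ;;
        0x41:0xc07) echo "Cortex-A7 not-affected not-affected not-affected" ;;
        0x41:0xc0f) echo "Cortex-A15 affected affected not-affected" ;;
        *)          echo "unmapped unknown unknown unknown" ;;
    esac
}

# Kernel's own status for spectre_v1, spectre_v2 or meltdown, read from a
# sysfs-style directory. Kernels that predate this interface have no files.
kernel_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "not reported by this kernel"
    fi
}

# $1 = cpuinfo file, $2 = vulnerabilities directory
report() {
    cpu_ids "$1" | while read -r id; do
        echo "$id $(advisory_row "$id")"
    done
    for issue in spectre_v1 spectre_v2 meltdown; do
        echo "kernel $issue: $(kernel_status "$2" "$issue")"
    done
}

report /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities
```

A core reported as "unmapped" is one this script does not recognise, not one that is unaffected; check it against the Arm security update page linked below.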
What is Toradex doing to patch the vulnerabilities?
These vulnerabilities can be fixed via software patches. As this issue affects the Arm Cores, Arm® is leading the efforts. For the most up-to-date information about the current status, please check: https://developer.arm.com/support/security-update
Toradex is working with NXP® and NVIDIA® to integrate the software patches in the Linux Board Support Packages (BSPs) provided by Toradex.
NVIDIA also provides public information about the status of the TK1 SoC; please see: http://nvidia.custhelp.com/app/answers/detail/a_id/4616
Toradex is in contact with Microsoft regarding patches for Windows Embedded Compact. We will provide updates as soon as we have a roadmap.
Is my product at risk?
To exploit these security vulnerabilities, carefully crafted malware must be loaded onto the system. On many embedded systems, the OEM controls the software that can run on the system, which reduces the risk. The high degree of customization and relatively low volumes of embedded systems make a large general attack unlikely. We are not able to give a general recommendation, and you will need to assess the risk for your particular device depending on the use case. In general, it is recommended to allow only authenticated software to be executed.
We will provide future updates via our Developer Center.