1 (edited by drexful 2018-01-14 21:18:43)

Topic: Spectre Exploits - Chumby vulnerability

Is there going to be a firmware update for the Chumby, Infocast, and Sony devices to mitigate the Meltdown and Spectre exploits?

Linux has patches available now for most distros.. Will Blue Octy follow suit?

I have recently moved all of my devices to my guest network and updated my firewall signatures; but feel that isn't enough. I don't want to use the same passwords on my devices to connect to the internet now. Not a big fan of stolen PKI, passwords, and such.


Owner of three C1's, Infocast 3.5, Sony Dash C10, and Infocast 8. A tinkerer at heart and IT director by trade.

Re: Spectre Exploits - Chumby vulnerability

I wouldn't be holding my breath.

Cleaning up any loose bits and bytes.

Re: Spectre Exploits - Chumby vulnerability

I would be very surprised if the ARMv5 based chips is vulnerable (eg the Freescale ARM926EJ series as used in the CC, C1 (what I have), I3.5).  The C8 and I8 use another ARMv5 chip (Marvel ARM9 based) so won't be vulnerable either.  ARM claim only the newer Cortex chips are at risk and nothing else; https://developer.arm.com/support/security-update - so your Chumby's and Infocast machines are safe from this.

The Dash uses a MIPS chip.  I can't find any definitive information around this series of chips and impact from Spectre.  I see speculation that the 24K is likely to be immune ( https://plus.google.com/+AlanCoxLinux/posts/ck4Ueaxm9mC ) but the "MIPS Classic" ( https://www.mips.com/products/classic/ ) claims the 24K can do branch prediction.  So I'm not sure.  Given the Sony signing requirement, there's probably nothing that can be done about it, anyway, at the kernel level!  Do any of the browser components do JIT javascript compilation?  If not then the most likely attack vector won't work.

Personally I think the risk of an attack on the Dash is vanishingly small.

You can see what device uses what CPU core at http://wiki.chumby.com/index.php?title= … by_devices

Re: Spectre Exploits - Chumby vulnerability

sweh is correct - none of the chumby-branded devices are susceptible to Spectre due to the specific types of ARM processors used.

I strongly suspect the same is true for the dash.  In any case, the QT browser used by the dash does not do any JIT for Javascript.