Wannacry? Cry Over The Complexity Of Mobile OS Updates
A Patchwork of Complexity
Last week the globe was still reeling following the WannaCry ransomware attack. The malware wreaked havoc on computer systems around the world, locked data from users and crippled services. Reports citing its impact on patient care at NHS hospitals humanized the story in a way that cyber security attacks seldom do. Since then, worldwide incident response teams have worked diligently to prevent further damage.
One consequence of the incident is a heightened awareness at board room and executive level on the dangers of relying on old systems and of the risks of delaying software upgrades.
So it’s likely that in the future we’re going to see more scrutiny of how organizations ensure that their systems get the most up to date protection available. And evitability attention will extend beyond Windows PC’s to today’s most widely used computing devices – smartphones and tablets.
At any point in time circa one-third of Apple devices operate using an older version of IOS. In the case of Android, the picture is far worse – it is estimated that only 2% of devices at any point in time have the latest security updates in place. Looking at the US specifically a recent report found that 71% of devices were running on security patches at least two months old.
The process required to keep enterprise mobile device software up to date is fundamentally different from that used for Windows machines. In the latter case, Microsoft provides a release, which the enterprise then applies. In contrast, the distribution of software to mobile devices is controlled by a combination of carriers, manufacturers and end users.
Because Apple creates both the hardware and the software for their devices the upgrade process is relatively simple. Apple releases a major iOS upgrade in September each year and distributes it directly to end users. There will be a number (3-5) point releases throughout the year and for each point release, there will be a small number of revision releases. The releases are designed to add new features, correct bugs, and remedy security vulnerabilities. A couple of clicks by the users and the new version of the software is installed.
Why then are one-third of iOS devices running out of date software? There are a range of reasons. Software updates simply aren’t available for iPhone and iPad models more than 4 years old. Inertia causes many users to delay installing upgrades; other users are reluctant to upgrade until the new release has been thoroughly road tested by early adopters. In the enterprise context, an organization may delay upgrading until critical apps have been adapted to support the new version of the operating system.
We recommend that organizations do two things to address this situation. Firstly, if you are using a Mobile Device Management system (MDM), be it an iOS MDM or an Android MDM, it should be possible to force upgrades i.e. have an installation happen without user action. Second, you should have a device life cycle approach in place that ensures that the fleet only contains supported devices.
There are of course practical reasons why such actions may not be feasible and that is why organizations who care about the integrity of their mobile device fleet should consider the additional protection that mobile threat defense software such as Corrata offers.
Android – it’s complicated
Android is a whole lot more complicated due to the fact that the there are several players along with Google involved: the semiconductor companies (e.g. Qualcomm) who make the chips that run the phone, the device manufacturers (e.g. Samsung) who design, build and market the phones and the carriers (e.g. Verizon, Vodafone) who sell the phones.
The process runs something like this. When Google releases a new version of the Android operating system the semiconductor makers modify the new software so that it works correctly on with their chips. The device manufacturer will then take the software and modify it further to incorporate features that are exclusive to its phones. Finally, the manufacturer and the operator will work to certify that this new version of Android will perform correctly on their network. Once completed, the update is pushed to devices. At this point, the user will have the option to upgrade or not. Effectively there are four steps required to get to the situation that Apple manages in one single step. It’s unsurprising then, to discover that according to Google, only half of Android devices installed a security update in 2016.
On the face of it, you would think that the market leader Samsung would be in a position to outperform this average. In fact, the opposite may be the case. Take Android 7.0 (Nougat), for example. Samsung only began making this software available on its flagship phones in January 2017 – five months after its original release. Popular older models such as the Samsung A3 have not yet received a Nougat update.
Mobile threat defense
We are living in a world where the lack of control over patching has left the security systems of many mobile devices vulnerable. If you have Android devices at your organization you need to understand that they could well be running operating system versions that are six to twelve months out of date. Even with iOS you’re likely to have at least some of your devices months behind the latest releases. If mobile security is a concern for your organization you should consider the added protection which mobile threat defense software like Corrata offers. By blocking suspicious traffic to and from the device mobile threat defense offers a safety net against unpatched vulnerabilities in the operating systems as well as against risks originating from network, malware and social threat vectors.