Identifying Bad Apples: Getting to the Core of iOS Vulnerabilities
While the Android Stagefright vulnerabilities have garnered a lot of attention lately for being difficult to patch and update, these challenges aren’t unique to Android - they’re a problem for all mobile platforms.
At Duo Labs, we’re a bit more curious about the state of iOS updates. Since Apple manages both hardware and OS, we wanted to find out if the situation was better or worse than Android’s. Here’s our synopsis of our research, and recommendations for practical ways to keep your iOS devices secure.
Our Results: 50 Percent of iPhone Users Running Old iOS
We found that half of all iPhones in use today are running iOS 8.3 or lower, which was released 5 months ago. That means they're missing updates addressing over 100 known vulnerabilities that were fixed in iOS 8.4 and 8.4.1.
Half of all iPhones run iOS 8.3 or under, missing 100 known vulnerability fixes that were patched through iOS 8.4.1.
In this rapidly changing mobile space, lagging behind by two versions can introduce way more risk than the small change in version numbers may suggest.
For the IT professional, this is a major concern. Why? Because two significant holes were patched in 8.4.1:
- Ins0mnia allowed apps to violate background app rules in order to steal data or drain device batteries.
- Quicksand exposed enterprise credentials and sensitive configuration details, storing them in an unprotected iOS directory
Thirty Percent Running Even Older iOS
Our data also shows that 31 percent of all iPhones are running iOS 8.2 or lower, meaning they’re missing out on security patches for over 160 vulnerabilities. Another 14 percent of all iPhones are running a full version behind - iOS 7 or below.
All it takes is one vulnerable device accessing your network to put your entire organization at risk of a data breach. But with visibility into the types of risky devices accessing your network, you can create and enforce data-driven policies to secure your company.
Visibility and Controls for a Mobile-First Security Strategy
Compare it to standard desktop computers - we know better than to let a desktop computer run on a corporate network if it was several months (if not years) behind on security updates.
We need to start thinking about mobile devices in the same way. Mobile devices aren’t usually subject to the same level of scrutiny, partly due to the lack of insight into the health and security risks of these devices.
Most corporate users have very little or no visibility into the types of smartphones used to access corporate networks.
The increasing adoption of Bring Your Own Device (BYOD) requires ongoing security policy updates to reflect new classes of devices. Setting expectations for software updates on devices that access corporate data is a great start.
At Duo, we believe in shifting a larger focus on mobile device security. Our Duo Access offers IT admins visibility into all mobile endpoints accessing their corporate resources. Visibility is key to enabling our customers to create controls and policies that work for their specific environments, and to protect against risks introduced by out-of-date mobile phones.
We hope that publishing this data will encourage organizations to have conversations about mobile devices and access security earlier and more often.
Twenty Million iPhone Users Can’t Receive Security Updates
A lot of users are running old hardware - in some cases, five-year-old hardware that is no longer supported by Apple. That means these old devices aren’t capable of patching against new vulnerabilities.
As smartphones and tablets become more powerful, it gets harder for manufacturers to shoehorn new OS versions into old hardware that has limited memory or processing power.
This is true across the board for all vendors, from Apple to Android to Windows. On smartphones, the OS reaches a point where it no longer can receive new feature or security updates. Another example is when Microsoft stopped issuing patches to Windows XP in early 2014. Since a lot of corporations still used old machines and couldn’t or wouldn’t upgrade them, there was a public outcry.
But most corporate users have very little or no visibility into the types of smartphones used to access corporate networks.
Based on our estimates, around 20 million iPhones are running on hardware that can’t receive security updates. In some cases, there are iPhone 4 devices running 7.1.2, but there are even older devices running even older iOS versions. That’s a huge risk to enterprise environments.
As the graphic shows, the oldest platform Apple still supports is iPhone 4s, which the company will still support in iOS 9. But if this version was dropped from support tomorrow, the estimated number of devices that can’t receive security updates would jump to 60 million.
Unfortunately, the user can’t do anything to improve their security posture other than replace their outdated device. In addition to a BYOD policy, organizations should also create explicit rules about what kinds of devices are permitted.
For users with outdated devices, they’re likely using them innocently without any clue that they’re introducing significant risks to their company.
Far Too Slow-to-Security
To make things worse, users are typically slow to run updates on their devices. When iOS 8.4.1 was released to patch over 70 vulnerabilities, including Ins0mnia and Quicksand, only 9 percent of users updated to the latest version.
Again, user awareness here is key - the goal is to update as soon as updates are available on their device.
Protecting Against Outdated and Unpatched Devices
Here’s a few practical tips to address these issues in your organization:
- Educate your users on the importance of running updates. Keeping phones up-to-date is just as important as it is for any other endpoint. Building awareness and sharing update tips with your users can make a huge difference in their behavior.
- Offer tips on how users can streamline the update process. For users like me, their phones are full of music, funny cat photos and videos, so they may not have the free space required to run updates on their phone. Tell users to clear space on their phones to support updates or connect phones to a computer with iTunes in order to run a quick update that requires less free space.
- Help users find convenient times to update. We like updates at dinner time - a great opportunity to put the phone down and enjoy a meal with family and friends. This also addresses other concerns about running updates at night (and potentially missing a wake-up alarm) or during the work day when the phone is in use.
Stay tuned to our Duo Labs blogs as we continue our series of analytics and important security findings and share them with the broader community.