Press ReleaseSeptember 8th, 2015
Duo Security Research Reveals Half of Apple iPhones on Corporate Networks Run Out-of-Date Versions of iOS
Unpatched and end-of-life iOS and Android mobile devices creating significant risk for enterprise networks
Duo Security, a cloud-based access security provider protecting the world’s largest and fastest growing companies, today announced results from a Duo Labs research study focusing on mobile devices on corporate networks. Unpatched and end-of-life devices that are no longer supported by the manufacturer are much more prevalent than expected and create significant risk for corporate networks. The Duo Labs research draws on data gathered from thousands of customer deployments in more than 150 countries worldwide.
Key findings of the survey include:
-About half of Apple iPhone users are currently running outdated software (version iOS 8.3, released in April 2015, or earlier), leaving them exposed to several hundred documented vulnerabilities, including the Ins0mnia vulnerability which attackers can use to surreptitiously steal data from phones using hidden applications.
-Five days after the release of iOS 8.4.1, which addressed over 70 documented critical vulnerabilities (including Quicksand and Ins0mnia), only nine percent of the phones had been updated to the latest release of iOS software.
-31 percent of iPhones are still using iOS 8.2 (released in March 2015) or an even older version of iOS, meaning they lack updates that address over 160 known critical vulnerabilities, including a Masque Attack, where a malicious app can masquerade as a legitimate app.
-Of the 700 million-plus iPhones that Apple has shipped since 2008, Duo Labs research suggests that at as many as 20 million of these end-of-life iPhones may still be in service, but cannot be updated to current versions of iOS. This leaves organizations exposed to literally thousands of vulnerabilities -- many of the highest severity.
-On the Android platform, there are still significant security risks from the recently reported Stagefright vulnerability. We estimate that about 10 percent of Android devices remain exposed to this vulnerability because they are on older versions that are no longer being updated.
“Most companies today would never allow unpatched personal computers on their networks. Yet there is a double standard when it comes to mobile devices,” said Dug Song, CEO and co-founder of Duo Security. “Personal mobile devices are now de facto corporate devices. So companies need to review their policies on software patching and updates to reflect this new world of bring your own device (BYOD) to work. Companies can secure their networks with two-factor authentication and a wide variety of other security solutions, but unpatched devices still create significant risk for enterprise IT departments and network security.”
Duo Labs is a major contributor to info-security research. The team revealed the disclosure of a bypass in PayPal’s two-factor authentication and a similar bypass of Google’s two-factor authentication. In addition, Duo Labs has been on the cutting edge of authentication security, launching tools such as VPN Hunter and Did I Get Gawkered?
About Duo Security Duo Security is a cloud-based access security provider protecting the world’s fastest-growing and largest companies and thousands of organizations worldwide, including Box, Etsy, Facebook, K-Swiss, Palantir, Paramount Pictures, Random House, Toyota, TripAdvisor Twitter, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft and account takeover. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures and True Ventures. Try it for free at www.duosecurity.com.
Sally Feller Lanier