Trend Three
More high-severity vulnerabilities are being found in mobile operating systems
Vulnerabilities are the ‘lurking culprits’ within your mobile enterprise. These weak points are either flaws in the OSs or flaws in apps that third parties can exploit to gain access to devices and the valuable data they contain.
High-profile vulnerabilities (and exploits)
August 2019 was an unexpected wake-up call for many. In the space of a month, multiple iOS vulnerabilities were reported, including one that allowed an attacker to read files off an iOS device without any interaction from the end user. When the patch was released in iOS 12.4, it was quickly discovered that Apple had also reopened a previously patched jailbreak vulnerability. For a period of time, there wasn’t really a secure iOS version available and users just had to pick their poison until the next patch was released. All of this followed the group FaceTime bug discovered in February, which allowed bad actors to eavesdrop on conversations.
Apple, which is widely regarded as a producer of some of the most secure devices in the industry, is quickly losing this reputation. iOS exploits have become common enough that Zerodium, a zero-day exploit broker, is offering more for Android hacking techniques than for iOS. This isn’t to say that breaking into an iOS device or any other type of mobile device is easy — zero-click iOS attacks are still valued at around $2 million.
In addition to these platform vulnerabilities in 2019, there was a major vulnerability affecting one of the world’s most popular messaging apps: Whatsapp. This vulnerability let malicious actors remotely install spyware on a still-unknown number of affected phones merely by making a call to a device. Wandera data showed that even six months after WhatsApp urged its 1.5 billion users to install a patched version in May, more than one in 15 users hadn’t updated and remained susceptible to attack. These vulnerabilities are often used to target high-profile individuals. In a noteworthy example, it was revealed that the WhatsApp vulnerability was used to exfiltrate large amounts of data from Jeff Bezos’ phone.
Security patch uptake is (absurdly) slow
The string of iOS vulnerabilities that occurred in August brought to light the threat posed by outdated operating systems. Manufacturers release frequent updates for their OSs that contain not only performance improvements, but important security patches for vulnerabilities that may have active exploits. The issue is that Apple’s updates combine security patches with feature updates, and the notifications informing users of an available software update can be ignored. By way of basic human nature, some users will hold off on installing the latest software update due to the time it takes for the device to turn back on, while others will hold off for a variety of other reasons — the key takeaway here is that there is still a general lack of awareness around the importance of the security patches included in these software updates.
Google, on the other hand, rolls out security patches and feature updates separately for Android. However, these updates aren’t always reaching devices in a timely manner since they are often delayed by manufacturers and carriers.
While IT departments have struggled to get a handle on managing mobility, the percentage of out-of-date operating systems has been trending down on Android, but up on iOS. Wandera informs admins of out-of-date devices and what they are vulnerable to, and encourages them to update these devices. This decrease might also be due to both increased visibility into detailed vulnerabilities per platform and better upgrade notifications and processes instituted by device manufacturers and organizations.
User-introduced risks
Vulnerabilities don’t always just happen to users — sometimes devices are made vulnerable by users, whether intentionally or unintentionally. Jailbreaking and rooting are risky configurations that allow users to gain access to the operating system of a device and enable the installation of unauthorized software functions and applications. These tactics are also popular among users trying to free their devices from carrier locks.
Surprisingly, one of the simplest security measures available on a mobile device is still often neglected: the lock screen. Despite the lock screen setup being active by default on most devices, some users are going out of their way to disable it, leaving their devices more vulnerable if theft occurs.
Recommendations for reducing the exposed surface area caused by mobile vulnerabilities
It’s not always practical or realistic to make sure every single device in your fleet is on the latest OS. Not all outdated versions pose the same degrees of risk. However, if you have the right security and device management solutions in place, it’s possible to detect out-of-date OSs by severity rating and enforce a strict policy regarding the installation of critical updates.