New report shows millions of enterprise mobiles are open to attack

Security firm Duo Security estimates 20 million enterprise mobile devices are at risk of cyber-attacks.

Apple's iPhone

Duo Security has released a new report today detailing how an estimated 20 million enterprise mobile devices are at risk of cyber-attacks, owing both to devices no longer being supported by their manufacturers and to devices running old firmware that lacks the newest security patches.

Citing a Verizon report stating that 95 percent of data breaches are caused by compromised user credentials, Duo wants to raise awareness of the importance of keeping mobile devices updated, not just to get the latest features but also to protect against new malware threats.

The report, compiled from an analysis of more than one million iOS and Android mobile devices in use in enterprises, reveals the following key findings:

  • 80 percent of iPhone users are not running the latest iOS release
  • 90 percent of Android devices are not running the latest Android operating system
  • 32 percent of Android users are running version 4.0 or older, leaving them susceptible to known malware like Stagefright
  • 1 in 20 Android devices have no password on the lock screen
  • An estimated 20 million enterprise mobile devices are no longer supported by the device manufacturer and therefore cannot be updated to the latest version of software to protect them against new malware

To put these numbers into context, security company Intego wrote a blog post about the 50 security fixes shipped in iOS 9.2, and similarly, Android fan site Android Police blogged about the latest security patches in Marshmallow 6.0.1 and compiled a list of 12 security patches.

Michael Hanley, head of program management at Duo Security's Lab Team, spoke to SCMagazineUK.com about which attacks exist to match all of these security holes. “It's important to remember that not every minor release of an operating system fixes catastrophic bugs, however, this update does contain some potential information disclosure bugs where an attacker can cause Siri to provide information hidden from the lock screen in notifications such as text messages. This could cause Siri to read a private text message to an unauthorised recipient without unlocking the phone,” he said.

He went on to explain, “The more disturbing underlying trend here is actually that in all cases, users are slow to uptake on security updates, even on platforms such as iOS where the process is quite streamlined. In fact, some of our prior research suggests that users are so slow to install minor iOS updates, many of which fix major security issues, that often fewer than 10 percent actually install these updates in the first week they're available. While it's great that Apple can report greater than three-quarters of iPhones are running a version of iOS 9, this misses the details beneath the surface that many are missing tens of bug fixes contained in the minor updates such as iOS 9.1 and 9.2.”

While the full findings are concerning, Duo asserts that visibility and insight into the state of these devices are a powerful first step in securing the enterprise. “IT administrators need to gain visibility into the health of all devices accessing their critical applications so that they can better protect these apps and at the same time improve the overall hygiene of all the devices,” said Ash Devata, VP of product at Duo Security.

Duo recommends that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:

  • Establish basic mobile device security policies for the company and get buy-in from business managers
  • Enable all employees to use passcodes and fingerprint screen locks to prevent trivial access to sensitive data on mobile phones
  • Consider excluding phones that are jailbroken or rooted from access to corporate data and systems
  • Provide helpful tips and reminders to users to check for updates on personal devices accessing company data
  • Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer
  • Recommend that employees using Android devices consider Nexus handsets with more frequent and direct platform update support
  • Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates
  • Encourage users to update during downtimes such as at dinner or before bed
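The visibility that Devata describes, together with several of the recommendations above (excluding jailbroken or rooted phones, flagging devices without a lock-screen passcode, retiring hardware the manufacturer no longer supports, and spotting out-of-date OS releases), can be expressed as a device-health check run over an inventory. The following is an added example written for this article, not code from Duo Security or from the report; the inventory is constructed, the "latest release" reference points (iOS 9.2, Android 6.0.1) are taken from the article's own figures, and the `manufacturer_supported` field is an assumed attribute that a real deployment would populate from vendor end-of-life data rather than from the device itself.

```python
from dataclasses import dataclass

# Assumed reference points, taken from the releases the article names.
LATEST = {"ios": (9, 2), "android": (6, 0, 1)}
# The report's "version 4.0 or older" bucket for Android.
LEGACY_ANDROID_MAX = (4, 0)


@dataclass
class Device:
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: str               # e.g. "9.1" or "4.0.4"
    has_passcode: bool            # lock-screen PIN/passcode/fingerprint set
    jailbroken_or_rooted: bool
    manufacturer_supported: bool  # assumed field: vendor still ships security updates


def parse_version(version: str) -> tuple:
    """Turn '6.0.1' into (6, 0, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(device: Device) -> bool:
    return parse_version(device.os_version) < LATEST[device.platform]


def is_legacy_android(device: Device) -> bool:
    """Android at 4.0 or older (major.minor only), the bucket the report singles out."""
    return (device.platform == "android"
            and parse_version(device.os_version)[:2] <= LEGACY_ANDROID_MAX)


def evaluate(device: Device):
    """Return (decision, findings) for one device.

    'deny'  - jailbroken/rooted or unsupported hardware: keep it off corporate data
    'warn'  - missing passcode or out-of-date OS: nudge the user to fix it
    'allow' - nothing to report
    """
    findings = []
    if device.jailbroken_or_rooted:
        findings.append("jailbroken/rooted")
    if not device.manufacturer_supported:
        findings.append("unsupported hardware")
    if not device.has_passcode:
        findings.append("no lock-screen passcode")
    if is_legacy_android(device):
        findings.append("android <= 4.0 (legacy)")
    elif is_outdated(device):
        findings.append("os not on latest release")

    if "jailbroken/rooted" in findings or "unsupported hardware" in findings:
        return "deny", findings
    if findings:
        return "warn", findings
    return "allow", findings


def fleet_summary(devices):
    """Reproduce the report's headline metrics for an inventory."""
    def pct(numerator, denominator):
        return round(100.0 * numerator / denominator, 1) if denominator else 0.0

    summary = {}
    for platform in ("ios", "android"):
        group = [d for d in devices if d.platform == platform]
        summary[f"{platform}_outdated_pct"] = pct(sum(is_outdated(d) for d in group), len(group))
    android = [d for d in devices if d.platform == "android"]
    summary["android_legacy_pct"] = pct(sum(is_legacy_android(d) for d in android), len(android))
    summary["android_no_passcode_pct"] = pct(sum(not d.has_passcode for d in android), len(android))
    summary["unsupported_count"] = sum(not d.manufacturer_supported for d in devices)
    return summary


# Constructed inventory; device ids and states are illustrative, not real data.
INVENTORY = [
    Device("ios-001", "ios", "9.2", True, False, True),
    Device("ios-002", "ios", "9.1", True, False, True),
    Device("ios-003", "ios", "8.4", True, True, True),        # jailbroken
    Device("ios-004", "ios", "9.0", False, False, True),      # no passcode
    Device("and-001", "android", "6.0.1", True, False, True),
    Device("and-002", "android", "5.1", True, False, True),
    Device("and-003", "android", "4.0.4", True, False, False),  # legacy and unsupported
    Device("and-004", "android", "4.4", False, True, True),     # rooted, no passcode
]

if __name__ == "__main__":
    for device in INVENTORY:
        decision, findings = evaluate(device)
        print(f"{device.device_id:8} {decision:5} {', '.join(findings) or '-'}")
    for key, value in fleet_summary(INVENTORY).items():
        print(f"{key}: {value}")
```

The `deny` outcomes map onto the two recommendations that concern the device itself rather than the user (jailbroken or rooted handsets and hardware that no longer receives updates); everything else produces a `warn` so that the reminders and update tips in the list above can be targeted at the specific users who need them.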

Urging users to put a password on their lock screen, Hanley said that if they don't, “There is a 1 in 20 chance that an attacker can pick up an Android device and have unfettered access to all of the applications and stored data on the device since it lacks the basic protections that would keep an unauthorised user out of the phone.”

Hanley said: “We would recommend that users at least consider a PIN or passcode solution on devices that support it, if not taking advantage of newer and easy-to-use mechanisms such as TouchID to secure access to their devices from physical attackers.”