Wednesday, March 27, 2013

BYOD Security: Why Should I care if my OS is older?


Most people are happy with the OS they have and rarely install updates even when they are available; this is more common on Android than on iOS. Most people are not aware of the serious security implications of skipping OS patches, and worse, it affects the enterprise where they work even more seriously if the enterprise does not check these devices for vulnerabilities.


Generally, most people will not upgrade to the latest and greatest OS immediately, for many reasons. This might not be true of iOS devices (iPhone, iPad etc.), because there is just one vendor and one OS and many times your phone will update on its own (which can also create issues, like the ones we had with 6.1; here is the blog on that), but it is very prevalent with Android-based devices.

Even though Google pushes new Android versions, they do not reach you immediately: you have to wait for the handset maker (Samsung, HTC, etc.) to take those updates, incorporate the changes into its own customized version, test again, and only then make them generally available to its customers. All of this takes a lot of time, and there is a huge gap, running into a few weeks if not a few months, between when Google releases a new Android version and when the handset maker releases its update. Another reason is that many of us are using an older handset that does not support newer versions, and many times OS makers will not provide patches for an older OS version but instead ask us to upgrade to the newest one.

In some cases the Android OS itself is fine, but vulnerabilities have crept in through the customizations that handset manufacturers make to it, and these can be exploited easily. One example is Samsung's Galaxy Tab GT-P1000, where the vulnerabilities introduced are serious: they can be misused to silently perform almost any action on the victim's device, from placing phone calls to sending e-mails and SMS messages. Others can be misused to change settings on the victim's device, such as networking or internet settings, without the user's consent.


The question is: what if I delay the update by a few weeks, since I am pretty happy with what I have? There is an issue, and it is far more serious than we have all been led to believe, so let me explain why before you start disagreeing with me.

Most software, especially an OS, is released with security holes, also called vulnerabilities, which perpetrators and cyber fraudsters will sooner or later figure out and take advantage of. As soon as the OS and software vendors learn of them, they release updates that are supposed to plug the known vulnerabilities. The problem is that we don't keep up with these updates, many times our handset vendors don't follow up on them promptly, and worse, we don't install them even when they do. Let me explain with an example of how this can affect us.

Assume you are running Android 2.1.x. In this version of the OS, the Google services authentication tokens fly in clear text: the device sends them over plain HTTP, so anyone on the same network (an open Wi-Fi hotspot, for instance) can snoop, capture those tokens and replay them to get into your Google services, including Picasa, Calendar and Contacts, and pull out a whole bunch of information that can be misused greatly. The token stays valid for days, so it can be replayed long after it was captured. With it they can get into a lot more of your accounts and information, including any enterprise contacts or calendar entries you have synced, your personal photos, or even financial information you might have kept there.


Of course this is fixed in 2.3.x (Calendar and Contacts sync moved to HTTPS in 2.3.4), but if you had not known about this and did not update the OS, or if the handset maker delayed the update, cyber fraudsters could have used this hole to capture your tokens, get into your accounts and much more, and could have done huge damage before you realized it.
This is just one example; there are much more serious vulnerabilities that people and the enterprise might not be aware of at all. Here is a recent survey report from Computerworld, which said that more than 50% of devices running Google's Android mobile operating system have unpatched vulnerabilities, opening them up to malicious apps and other attacks.
These vulnerabilities will be used to the hilt to get malware onto the device, which then creates havoc, either siphoning off your personal data or, when you connect to the enterprise using this device, getting into the enterprise network and creating havoc there.
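To make the mechanism above concrete, here is an added example (not code from the original post or from i7 Networks) of the network-side check a BYOD gateway could run: it scans a constructed capture of HTTP requests for Google ClientLogin tokens sent on plaintext ports, lists clients whose Android build predates the fix, and shows the replay an attacker would build from a captured token. The capture, the token values, the addresses and the 2.3.4 cut-off are assumptions made for the example; the `Authorization: GoogleLogin auth=...` header is the real ClientLogin format.

```python
"""Network-side check for the Android 2.1-era cleartext token problem.

Scans a constructed capture of HTTP requests for Google ClientLogin
authTokens sent over plaintext ports, and lists clients whose Android
build is older than the first patched release.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption (not stated in the post): Calendar/Contacts sync moved to HTTPS
# in Android 2.3.4, so anything older is treated as exposed.
PATCHED_VERSION: Tuple[int, ...] = (2, 3, 4)
PLAINTEXT_PORTS = {80, 8080}
AUTH_PREFIX = "GoogleLogin auth="
VERSION_RE = re.compile(r"Android (\d+(?:\.\d+)*)")

# Constructed sample capture: (client_ip, host, dst_port, bytes seen on the wire).
# Tokens and addresses are made up; a real authToken is a long opaque string.
SAMPLE_CAPTURE = [
    ("10.0.0.12", "www.google.com", 80,
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.1-update1; GT-P1000 Build/ECLAIR)\r\n"
     "Authorization: GoogleLogin auth=DQAAAMADUMMYTOKEN0001\r\n\r\n"),
    ("10.0.0.12", "www.google.com", 80,
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.1-update1; GT-P1000 Build/ECLAIR)\r\n"
     "Authorization: GoogleLogin auth=DQAAAMADUMMYTOKEN0002\r\n\r\n"),
    # A patched device syncs over TLS: the sniffer sees only ciphertext.
    ("10.0.0.27", "www.google.com", 443, "<encrypted TLS application data>"),
    ("10.0.0.31", "www.google.com", 80,
     "GET /humans.txt HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-I9100 Build/GINGERBREAD)\r\n\r\n"),
]


@dataclass
class Finding:
    client: str
    host: str
    path: str
    token: str
    android_version: Optional[Tuple[int, ...]]


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def android_version(user_agent: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Pull the numeric Android release out of a User-Agent, e.g. (2, 3, 6)."""
    match = VERSION_RE.search(user_agent or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def cleartext_tokens(capture) -> List[Finding]:
    """Every ClientLogin token that crossed the wire on a plaintext port."""
    findings: List[Finding] = []
    for client, host, port, raw in capture:
        if port not in PLAINTEXT_PORTS:
            continue  # inside TLS; nothing readable to inspect
        request_line, headers = parse_request(raw)
        auth = headers.get("authorization", "")
        if not auth.startswith(AUTH_PREFIX):
            continue
        parts = request_line.split()
        path = parts[1] if len(parts) > 1 else "/"
        findings.append(Finding(client, host, path, auth[len(AUTH_PREFIX):],
                                android_version(headers.get("user-agent"))))
    return findings


def outdated_clients(capture, minimum=PATCHED_VERSION) -> Dict[str, Tuple[int, ...]]:
    """Clients whose advertised Android release is older than `minimum`."""
    seen: Dict[str, Tuple[int, ...]] = {}
    for client, _host, _port, raw in capture:
        _, headers = parse_request(raw)
        version = android_version(headers.get("user-agent"))
        if version is not None and version < minimum:  # tuple compare: (2, 1) < (2, 3, 4)
            seen[client] = version
    return seen


def replay_request(finding: Finding) -> str:
    """The attacker's side: the captured token alone reproduces the victim's
    request. No password is needed for as long as the token stays valid."""
    return (f"GET {finding.path} HTTP/1.1\r\n"
            f"Host: {finding.host}\r\n"
            f"Authorization: {AUTH_PREFIX}{finding.token}\r\n\r\n")


if __name__ == "__main__":
    for f in cleartext_tokens(SAMPLE_CAPTURE):
        print(f"{f.client} (Android {f.android_version}) leaked a token for {f.path}")
    print("clients below patched release:", outdated_clients(SAMPLE_CAPTURE))
```

The two checks are deliberately independent: the token scan catches the exposure as it happens, while the version check flags a device before it ever syncs on your network, which is the kind of pre-admission control a BYOD policy needs. Over TLS the User-Agent is not visible either, so in practice the version would come from an inventory or discovery source rather than from traffic.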


In August 2012, Google introduced stricter rules for applications on Android to reduce the number of malicious apps in the Google Play store and improve its reputation. The revised Google Play developer policy includes new rules on app naming and a ban on apps that disclose personal information without permission.

Prior to this tightening of Google Play regulations, 100,000 Android devices in China were affected by a Trojan called MMarketPay.A. The malware, hidden in applications that appeared legitimate, was designed to purchase apps and content without the consent of the device user, running up high mobile bills. Additionally, at the beginning of September, an Android SMS malware firm was fined £50,000 by the UK premium phone services regulator PhonepayPlus. The company, SMSBill, produced a malicious Facebook link that led to malware being downloaded onto Android smartphones.
If this is the picture for the OS and its vulnerabilities, the same goes for the apps residing on the device. Checking for malware and vulnerabilities is a must for these devices, especially if you use them to store financial data, perform financial transactions, or hold any critical information you don't want others to know or misuse. The same holds if you allow these devices (BYOD) into the enterprise. In my next blog I will write about what it takes to make sure a device is safe as far as vulnerabilities and malware are concerned, and whether there is a way to get a vulnerability ranking for each of these devices.


Manjunath M Gowda
CEO,
i7 Networks, “Agentless BYOD Discovery & Control”
LinkedIn, @i7networks

PS Reproduced from i7 networks blog (i7nw.com/blog) with permission
