The Dirty Dozen Smartphones: Why IT Admins Should Care
Smartphones are everywhere these days, and people are increasingly using them at work, whether issued by an employer or brought from home. That makes smartphones a potential threat to the security of business information, and some phones—particularly a number of Android phones—are worse than others, according to security firm Bit9.
"A smartphone is not really a phone," said Harry Sverdlove, chief technology officer of Waltham, Mass.-based Bit9, which specializes in adaptive application whitelisting. Sverdlove explained that only about three percent of the use of smartphones is related to the phone function. "It's actually a computer with some of your most confidential information."
He added that there are more than 300 million smartphones in the world today, and 76 percent of users say they use their smartphone for both personal and business purposes.
"Smartphones are the new laptop and represent the fastest emerging threat vector," he said. "In our bring-your-own-device work culture, people are using their personal smartphones for both personal and business use, and attacks on these devices are on the rise. This dynamic is changing the way corporations think about protecting confidential data and intellectual property. This is the new security frontier."
To help businesses understand their vulnerability, Bit9 on Monday released a report on the most vulnerable popular smartphones available today. The report includes a list of the "dirty dozen" smartphones—the most vulnerable mobile devices—and Android devices own every single slot. However, it should be noted that the Android operating system runs a majority of the smartphones in the market. Sverdlove said Bit9 elected to only look at Android and Apple iOS devices because devices running Windows Mobile and other operating systems have too small a share of the market from which to draw effective conclusions. RIM Blackberry devices were eliminated from the list because its market share is diminishing and the Blackberry Enterprise Server gives companies a way to centrally update and manage applications running on users' Blackberry devices.
The report found that the Samsung Galaxy Mini is the most vulnerable. The HTC Desire took second and the Sony Ericsson Xperia X10 took third. Fourth through 12th place were given, in order, to: Sanyo Zio, HTC Wildfire, Samsung Epic 4G, LG Optimus S, Samsung Galaxy S, Motorola Droid X, LG Optimus One, Motorola Droid 2 and HTC Evo 4G.
Bit9 made its selections based on the smartphones with the highest market share that were running out-of-date and insecure software, and which had the slowest update cycles.
Sverdlove explained that 56 percent of Android phones in the marketplace are running versions of the Android operating system that are six months or more out of date, and that manufacturers such as Samsung, HTC, Motorola and LG often launch new phones with outmoded software out of the box. He also said they are slow to upgrade these phones to the latest and most secure versions of the operating system, and in some cases the manufacturers don't update the phones at all.
"It's a significant problem," he said. "The carriers are in the business of selling contracts. The manufacturers are in the business of selling phones. Neither of them is terribly incentivized to provide security on these phones."
Sverdlove compared the current state of affairs with regard to security updates for these phones as akin to buying a PC from Dell and then relying on Dell to coordinate with your home Internet provider, rather than Microsoft, to update your Windows software.
"You generally aren't going to call up your ISP and ask for an update to Windows," he said. "I certainly understand the business incentive for providers, but the truth of the matter is they really do need to step aside from the business of maintaining security on the software for these miniature computers."
He pointed to the Google Nexus S phone (manufactured by Samsung), which gets its updates directly from Google (creator of the Android operating system) rather than through Samsung or the carrier, as a case in point.
"The Nexus S gets gold stars," Sverdlove said. "Every time Google comes out with an update, the Nexus S gets the update immediately."
The various iPhone models originally got an honorary 13th-place mention in the report, but the release of iOS 5, which includes over-the-air updates to the software, has made it more secure, Sverdlove said.
"Apple clearly saw there was a gap there and provided a solution," he said.
The problem of vulnerable smartphones is not academic he said. He pointed to a recent Juniper Networks study that found a 472 percent increase in discovered Android malware between June 2011 and November 10, 2011.
He noted that most attacks targeting the Android platform in 2011 have taken the form of malicious applications designed to hijack personal information that require the victim to download them. He predicted that 2012 would see the rise of additional vectors, including Flash exploits that simply require the victim to visit a malicious Web site.
While there are few easy answers to this problem, Bit9 suggested that security professionals and consumers pressure manufacturers to be more responsible in prioritizing security updates or relinquish control as they have for the Apple iPhone and Google Nexus S phone. Bit 9 also suggested that corporations evolve to a "secure app store" model in which they only allow specific devices and trustworthy applications into their environment.
Thor Olavsrud is a contributor to <a href="http://www.internetnews.com">InternetNews.com</a>, the news service of <a href="http://www.internet.com">Internet.com</a>, the network for technology professionals.