Duo Security, a cloud-based access security provider protecting the world’s largest and fastest-growing companies, has analysed data from its installed base of over 1 million mobile devices to discover over 90% of Android devices are running out-of-date versions of the Android operating system (OS). With the growing number of personal mobile devices in the workplace, IT professionals must be aware of the risks and how to quickly remediate them.
Duo’s research reveals that 32% of Android devices in use in enterprises today are running version 4.0 or older of the operating system, leaving them highly susceptible to vulnerabilities like Stagefright. That particular vulnerability allows an attacker to compromise an Android device via an MMS message such as a video or photo, potentially allowing an attacker access from the device to corporate networks. An additional finding reveals that 1 in 20 of all Android devices used in enterprises are rooted, leaving them vulnerable to numerous attacks.
A similar analysis of iOS devices revealed that only 20% of iPhones run the latest Apple operating system version, iOS 9.2, compared to 6% of Android devices running the latest version 6.0 (known as Marshmallow). Outdated iOS devices have well-known vulnerabilities such as Ins0mnia and Quicksand that make these devices susceptible to attacks.
Duo estimates that over 20 million mobile devices connected to enterprise networks are no longer supported by the device manufacturer and therefore cannot be upgraded to the latest versions of the software, which would fix their vulnerabilities. In fact, there are many devices still on the market that cannot receive updates, meaning that even a brand-new device may be a security concern for the enterprise.
While the full findings are concerning, Duo asserts that visibility and insight into the state of these devices is a powerful first step in securing the enterprise. “IT administrators need to gain visibility into the health of all devices accessing their critical applications so that they can better protect these apps and at the same time improve the overall hygiene of all the devices,” said Ash Devata, VP of Product at Duo Security.
Duo recommends that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:
- Establish basic mobile device security policies for the company and get buy-in from business managers
- Enable all employees to use passcodes and fingerprint screen locks to prevent trivial access to sensitive data on mobile phones
- Consider excluding phones that are jailbroken or rooted from access to corporate data and systems
- Provide helpful tips and reminders to users to check for updates on personal devices accessing company data.
- Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer.
- Recommend that employees using Android devices consider Nexus handsets with more frequent and direct platform update support
- Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates
- Encourage users to update during downtimes such as at dinner or before bed
- Use free tools such as Duo’s X-Ray app for Android users to detect devices with particularly concerning vulnerabilities