Monday, November 28, 2011

Bit9: The Dirty Dozen of security-vulnerable smartphones

Android has brought a variety of phones with different hardware and software features to the market. This has enabled more people to get the phone that they want. Bit9 says that unfortunately this has led to “an estimated 56% of Android phones in the marketplace today are running out-of-date and insecure versions of Android.”

It seems that when phones are released, they can be running versions of Android up to 18 months out of date, and thus lacking the latest security updates.

"All operating systems have vulnerabilities," Harry Svedlove, Bit9's chief technology officer, points out, but it's how quickly and effectively software gets fixed that matters. Bit9's analysis of the most vulnerable smartphones is based on criteria that include looking at smartphones with the highest market share that were running out-of-date and insecure software and had the slowest update cycles.

The Bit9 "Dirty Dozen" not-so-smart smartphone list includes:

1. Samsung Galaxy Mini

2. HTC Desire

3. Sony Ericsson Xperia X10

4. Sanyo Zio

5. HTC Wildfire

6. Samsung Epic 4G

7. LG Optimus S

8. Samsung Galaxy S

9. Motorola Droid X

10. LG Optimus One

11. Motorola Droid 2

12. HTC Evo 4G

"Honorary mention" on this list is given to the Apple iPhone 4 and older iPhone models.

Most of the problem seems to stem from how mobile devices are updated. Think about the process for a second: Google puts out an update, it goes to the hardware manufacturers to include in their modified version of Android, and then it is sent to the cellular carriers to release over their networks.

Bit9 points out that having to rely on the phone manufacturer and wireless service provider for software updates is "akin to buying a PC from Dell and relying on Dell to coordinate with your home Internet provider, instead of Microsoft, to update your Windows software." 

Android manufacturers such as Samsung, HTC and Motorola have made software updates available on their websites to end users who want to go looking for them over the Internet. But Svedlove says this remains an extremely clunky procedure, with its instructions for docking, utilities and downloading, giving it a complexity that only the geekiest of geeks could figure out.

What is even scarier is that, as Svedlove notes, “in comparison to the chaotic universe of Android smartphones, in which manufacturing cycles are flying in every direction at 12- to 18-month intervals, the old Microsoft Windows PC environment seems like an orderly world that's predictable, with software updates controlled over the Internet.”

Who would have ever believed that the words Windows, orderly, and predictable would be used in the same sentence?

This should not be taken to mean that Apple products are without their own concerns. Back in June 2010, Goatse Security uncovered a vulnerability within the AT&T website that enabled them to steal 114,000 email addresses of AT&T Apple iPad customers. This is in addition to the attempted attack on AT&T online accounts.