The Dirty Dozen of security-vulnerable smartphones

Which smartphones pose the biggest security and privacy risks to consumers and corporations?

Security firm Bit9 has pulled together what it calls its "Dirty Dozen" list, putting the Google Android operating system in the spotlight, with claims that an estimated 56% of Android phones in the marketplace today are running out-of-date and insecure versions of Android.


According to the Bit9 study published today, smartphone manufacturers Samsung, HTC, Motorola and LG often launch new phones with outdated software right out of the box, and they are slow to upgrade these phones to the latest and most secure versions of Android. This heightens the risk of malware or other attacks that exploit unpatched vulnerabilities, says Harry Svedlove, Bit9's chief technology officer, who notes that details about the "Dirty Dozen" research and its methodology are posted on the company's website for review.

"The value in this is raising awareness about something no one is talking about," Svedlove says, referring to the way wireless service carriers and smartphone manufacturers fail to handle the software update process efficiently. "The challenge we had in the Android ecosystem is it's unbelievably fragmented," Svedlove says, adding, "From a security perspective, this ecosystem is broken."

"All operating systems have vulnerabilities," Svedlove points out, but it's how quickly and effectively software gets fixed that matters. Bit9's analysis of the most vulnerable smartphones is based on criteria that include the highest market share, out-of-date and insecure software at the time of the study, and the slowest update cycles.

The study pertains to smartphones released by manufacturers this year and last. Bit9 excluded RIM BlackBerry from its study mainly because iOS and Android now appear to account for almost 80% of new smartphone purchases, and because Bit9 says BlackBerry is the only operating system to offer an Enterprise Server that lets companies centrally manage and control the updates and applications running on users' BlackBerry devices. Windows Mobile was also excluded because its market share is still small, about 5%.

The Bit9 "Dirty Dozen" not-so-smart smartphone list includes:

1. Samsung Galaxy Mini

2. HTC Desire

3. Sony Ericsson Xperia X10

4. Sanyo Zio

5. HTC Wildfire

6. Samsung Epic 4G

7. LG Optimus S

8. Samsung Galaxy S

9. Motorola Droid X

10. LG Optimus One

11. Motorola Droid 2

12. HTC Evo 4G

The Samsung Galaxy Mini, for example, was released in April of this year based on a version of Android that was about 11 months out of date the day it shipped, according to Bit9. "It was Android Version 2.2 and it could have been 2.3.3 or 2.3.4," says Svedlove. Every smartphone in the Bit9 "Dirty Dozen" list is an Android.

"Honorary mention" on this list is given to the Apple iPhone 4 and older iPhone models because until the iPhone 4S, Apple -- both the software designer and hardware manufacturer -- also had a woefully inefficient software update model, Svedlove says.

Bit9's fervor on this topic arises from its belief that smartphones are basically the next generation of portable computers, but according to the security firm, "the distribution model adopted by phone manufacturers and their carriers has created a chaotic and insecure environment where it can take several months for important updates to be distributed, if at all. At the heart of the issue, providing software updates for Android phones is currently the responsibility of the individual hardware vendors along with their different carriers."

Bit9 does praise the Android operating system for being an open platform that has enabled innovation and creativity in mobile computing. Svedlove also acknowledges that, increasingly, Android manufacturers such as Samsung, HTC and Motorola have made software updates available on their websites to end users who want to go looking for them over the Internet. But he says this remains an extremely clunky procedure, with instructions for docking, utilities and downloading that give it a complexity only the geekiest of geeks could figure out. "It's horrendous," he says.

Over-the-air updates pushed by the wireless carriers, in conjunction with the phone manufacturers, are by and large the mainstay of Android updates. Bit9 thinks security professionals and consumers need to put pressure on smartphone manufacturers to be "more responsible in prioritizing security updates." The security firm also says it would be better overall "if manufacturers could relinquish control of the operating system updates."

Bit9 points out that having to rely on the phone manufacturer and wireless service provider for software updates is "akin to buying a PC from Dell and relying on Dell to coordinate with your home Internet provider, instead of Microsoft, to update your Windows software." This would result in "complete fragmentation of the market," and according to Bit9, that's "exactly what has occurred within the Android smartphone market. In many cases, the only recourse a consumer has, if they want the latest and most secure software, is to purchase a new phone."

Svedlove adds that, in his impression, consumers buying smartphones are not as conscious of the OS version they are acquiring as they are when purchasing a traditional PC or Mac.

In comparison to the chaotic universe of Android smartphones, in which manufacturing cycles are flying in every direction at 12- to 18-month intervals, Svedlove notes, the old Microsoft Windows PC environment seems like an orderly, predictable world, with software updates controlled over the Internet. To the issues raised by the "Dirty Dozen," says Svedlove, "There's no easy answer," adding that he hopes it will be a "call to change the industry." He says the smartphone world has to strive for predictability, ease and transparency in security. Bit9 also advocates that corporations adopting smartphones for business use establish a "secure app store model" that would only allow specific devices and trustworthy applications into their environment.


Stories by Ellen Messmer
