The Department of Homeland Security and its obsolete Android OS problem

DHS warns public safety departments that their out-of-date Android devices are a security risk, but updating them is not always easy

Patches and updates are a regular part of digital life. But apparently not regular enough, even among those who ought to know better -- public safety departments.


The Department of Homeland Security (DHS) and the FBI issued a warning memo a couple of months ago to police and fire departments plus emergency medical service providers and security personnel that Android devices with out-of-date operating systems pose a serious security risk to their organizations.

While the memo was not classified, a press spokesman at the DHS said it was FOUO (For Official Use Only), and he therefore would not answer any questions about it, including how many public safety departments could be affected, what the response to the warning had been and whether any breaches or other compromises have been reported to the U.S. Computer Emergency Readiness Team (US-CERT) as instructed by the memo.

But the memo cited unspecified "industry reporting" that, "44 percent of Android users are still using versions 2.3.3 through 2.3.7 -- known as Gingerbread -- which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions."

Google's own figures on its Android developer site put that share roughly a third lower, at 30.7 percent. But they also showed 21.7 percent on versions 4.0.3-4.0.4, Ice Cream Sandwich, which is also out of date. Less than half -- 45.1 percent -- were on the current release, Jelly Bean, and that figure breaks down as 36.6 percent on 4.1 and only 8.5 percent on 4.2, the newest version.

With Android dominating the mobile OS market -- Juniper Networks puts its share at 67.7 percent -- that makes Android easily the most attractive target for malicious attacks, and puts hundreds of millions of users at risk -- apparently including many in the public safety industry.

The DHS/FBI memo cited SMS Trojans, rootkits and fake Google Play domains as among the top security threats to out-of-date Android devices. It recommended regular updates, running an "Android security suite" and downloading apps only from the official Google Play Store.

But updating an Android device is not always as easy or convenient as taking a few minutes to download a patch or the latest OS. While the updates themselves are free, the hardware frequently cannot run them.


"There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version," said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.

"So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean."

That point was echoed by Apple CEO Tim Cook, head of Android's chief competitor (iOS is a distant second at 19 percent of the mobile OS market), who in a recent interview with Bloomberg BusinessWeek said that incompatibilities among Android versions make each one like an entirely different species.

"By the time (customers) exit, they're using an operating system that's three or four years old. That would be like me right now having in my pocket iOS 3. I can't imagine it," Cook said.

Troy Vennon, director of the Mobile Threat Center at Juniper Networks, said there is a "long lag time between when updates are created by Google and when the carriers make them available to users. This gap is a significant security concern."

He added that this "fragmented ecosystem," not just Android's dominance of the market, is what makes it such an attractive target for cybercriminals.


A long-term member of the security community, formerly associated with the KNOS Project, declined to be identified due to his current employment, but said part of the problem until recently has been devices with inexpensive ROM memory, in which "the code for the OS is frozen in the chipset. These cannot be updated without replacing the electronics."

But, he said "EPROM," or upgradable flash memory, has become less expensive, which has largely eliminated that problem, "although some of those older phones are still out there in use." The other problem, however, "is that updating the OS on a phone eats a crapload of bandwidth, because you've got to push a lot of data out to each individual phone whenever something changes.

"That's an enormous expense, and different data has to go to each particular model and revision of phone by each individual carrier," he said.

The danger from the failure to upgrade is severe, he and others say. "Phones are the Trojan horses inside the firewall," he said. "They belong to 'trusted users' who have access inside that firewall. If malware gets in there at all, then it can piggyback on top of all the legitimate apps they're using, just like on a PC or Mac."

And according to Vennon, it is a problem not easily solved. "Google's decentralized ecosystem has made it difficult for software updates, including security patches, to make their way to Android users," he said. "Each Android update from Google must be adapted and then tested by handset makers for each of their many hardware variants. That update is distributed to carriers who, in turn, push it to their customers."

De Boer said the only solution for now is to block the use of Android devices that are not running the latest OS. "Apply admission control," he said. "If your smartphone or tablet is running a vulnerable OS, you cannot get access to the specific service or data."

But, he admitted, "this is hard to accomplish for voice and text, and easier for email and access to files."
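De Boer's admission-control idea can be expressed as a device-posture check: each service carries a minimum Android release, a device reporting an older (or unparseable) version is refused, and services that cannot be gated at all, such as voice and SMS, are left without a floor. The following is an added example written for this article; it is not code from DHS, Gartner or any MDM product. The per-service minimum versions, the device records and the release-name mapping are assumptions constructed for illustration (the mapping covers only the releases the article names).

```python
"""Posture-based admission control for Android devices (illustrative example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum Android release accepted per service. These floors are assumptions
# for this example, not figures from the DHS/FBI memo; a real deployment would
# derive them from the releases for which vendor patches are still shipped.
# Voice and SMS are deliberately absent: an MDM agent cannot gate them, which
# is the gap de Boer points out.
MIN_VERSION: Dict[str, Version] = {
    "email": (4, 1, 0),
    "files": (4, 1, 0),
}


def parse_version(text: str) -> Version:
    """Turn '4.0.4' into (4, 0, 4), padding '4.1' to (4, 1, 0).

    Anything that is not plain dotted digits is rejected rather than guessed,
    so a device reporting a decorated or empty string fails closed.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed Android version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return (nums + (0, 0, 0))[:3]  # type: ignore[return-value]


def release_name(text: str) -> str:
    """Map a version to the release family named in the article."""
    major, minor, patch = parse_version(text)
    if (major, minor) == (2, 3) and 3 <= patch <= 7:
        return "Gingerbread"
    if (major, minor) == (4, 0) and patch in (3, 4):
        return "Ice Cream Sandwich"
    if (major, minor) in ((4, 1), (4, 2)):
        return "Jelly Bean"
    return "unknown"


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    android_version: str  # as reported by the device's management agent


def admission_decision(device: Device, service: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one device requesting one service."""
    floor = MIN_VERSION.get(service)
    if floor is None:
        return True, f"{service}: no OS floor enforced (cannot be gated)"
    try:
        running = parse_version(device.android_version)
    except ValueError as exc:
        # Unparseable posture data is treated as non-compliant, not as unknown.
        return False, f"{service}: deny, {exc}"
    if running < floor:
        wanted = ".".join(str(n) for n in floor)
        return False, (f"{service}: deny, Android {device.android_version} "
                       f"({release_name(device.android_version)}) is below {wanted}")
    return True, f"{service}: allow, Android {device.android_version} meets floor"


def evaluate_fleet(devices: List[Device], service: str) -> Dict[str, Tuple[bool, str]]:
    """Apply the policy to every device; returns device_id -> (allowed, reason)."""
    return {d.device_id: admission_decision(d, service) for d in devices}


# Constructed sample fleet mirroring the version spread the article describes.
SAMPLE_FLEET = [
    Device("pd-0101", "handset-A", "2.3.7"),     # Gingerbread
    Device("pd-0102", "handset-B", "4.0.4"),     # Ice Cream Sandwich
    Device("pd-0103", "tablet-C", "4.1.2"),      # Jelly Bean
    Device("pd-0104", "handset-D", "4.2"),       # Jelly Bean, short form
    Device("pd-0105", "handset-E", "4.2.2 JB"),  # decorated string from a bad agent
]

if __name__ == "__main__":
    for dev_id, (ok, why) in evaluate_fleet(SAMPLE_FLEET, "email").items():
        print(f"{dev_id}: {'ALLOW' if ok else 'DENY '} {why}")
```

The comparison works on integer tuples, not strings, so "4.10" would correctly sort above "4.2", and the short form "4.2" is padded to (4, 2, 0) before it is compared with a floor such as (4, 1, 0). Gating on release alone is a coarse proxy; where the management agent also reports the security patch level, that value is the better thing to set a floor on.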

The fundamental problem, said the former KNOS Project employee, is that most of the smartphones that populate the BYOD revolution are not designed with corporate or government security in mind.

"Consumer-grade products, not fully supported for security by either their manufacturers and especially not by the carriers, are dangerous objects behind that firewall," he said.

By Taylor Armerding