US Govt Employees Exposed To Mobile Attacks From Outdated Android, iOS (bleepingcomputer.com)
According to a new report, almost half of Android-based mobile phones used by U.S. state and local government employees are running outdated versions of the operating system, exposing them to hundreds of vulnerabilities that can be leveraged for attacks. From a report: These statistics come from a report by cybersecurity firm Lookout, based on an analysis of 200 million devices and 175 million applications from 2021 to H2 2022. The report additionally warns of a rise in all threat metrics, including attempted phishing attacks against government employees, reliance on unmanaged mobile devices, and liability points in mission-critical networks. Outdated versions of mobile operating systems allow attackers to exploit vulnerabilities that can be used to breach targets, run code on the device, plant spyware, steal credentials, and more. For example, last week, Apple released iOS 16.1, fixing an actively exploited zero-day memory corruption flaw used by hackers against iPhone users to achieve arbitrary code execution with kernel privileges.
Lookout reports that ten months after iOS 15 had been made available to users, 5% of federal government employees and 30% of state and local government devices were running older versions of the operating system. The situation is much worse for Android, as ten months after the release of version 12, approximately 30% of federal devices and almost 50% of state and local government devices still needed to upgrade to the latest versions, thus remaining vulnerable to bugs that can be exploited in attacks. It should be noted that Android 13 is the latest version of the operating system, but it was released after the first half of 2022, from which this data was collected.
If you want regular Android updates... (Score:5, Interesting)
Either buy a Google device or buy a device that's well supported by the folks at LineageOS.
https://lineageos.org/ [lineageos.org]
If you're going to rely on your wireless carrier to keep your device up to date, think again. They're all glacially slow about rolling out updates, even when there's well known critical vulnerabilities in their latest "fully patched" release.
If you've got an Apple device, just enable automatic updates. That'll keep you patched until Apple EOL's the device.
Best,
Re: (Score:2)
What does the wireless carrier have to do with it? Don't updates come from the manufacturer?
I wouldn't know; I'm on LineageOS 19.1. I get updates every couple of weeks.
Re:If you want regular Android updates... (Score:4, Insightful)
Pretty much everything, since they're the middle man for Android phones, between the customer and the manufacturer. Even if the manufacturer releases an update, each carrier has to vet it before they release it to "their" variant of the phone. And since 98% of Android users use the phone they got from their carrier, they're at the carrier's mercy.
Congrats on breaking out of that cycle, though.
Re: (Score:2)
I've never had a "carrier variant" of a phone. I didn't know that was a thing.
I've bought phones from eBay, Amazon, and Motorola.
Re: (Score:3)
Platitudes galore? But you hit a "valid" note with "glacially slow".
We evolved into our biological form over geologic time.
Our mental state and our societies develop and operate in historic time.
But our computers are running on quantum time.
We can't fix or even keep up with the mess we've gotten ourselves into. Thus resolveth the Fermi Paradox?
Back to the story, eh? Given the current dysfunctional state of the federal government in formerly United States, I'm unable to imagine why these government employees
Re: (Score:2)
Given the current dysfunctional state of the federal government in formerly United States, I'm unable to imagine why these government employees would be a special target of interest.
You did notice in the summary it said that only 5% of government phones were out of date. Without knowing their sampling methods, it doesn't say if that number was reached by estimating the number of phones reporting an older version of the software, or if they can only confirm 95% of the phones have reported the upgrade took place. The latter would leave some errors due to lost phones, replacement phones that weren't accounted for, and phones waiting in the disposal queue.
In most other industries, a 95% co
Re: (Score:2)
Doesn't seem related to my comment, but my comment was only weakly related to the story, but perhaps that was your point? Question of significance regarded as insignificant and thus called for a reply of the same ilk?
Re: (Score:1)
I have a Samsung device, and the updates come with an end user agreement that I have to agree to first.
Unfortunately, because I was living in a country with Arabic as the primary language for several months, Samsung has decided that it should show the end user agreement in Arabic, with no option for English, despite the fact that all my phone apps are in English, my language preference is only English and I have no ability to read Arabic. For all I knew, some of the several checkboxes that needed to be chec
Need more numbers (Score:4, Interesting)
The 10-month numbers are somewhat interesting, but only if the numbers at that time point indicate some sort of steady state. Ten months seems like a weird number. Why not 6 or 12 months? Better yet, it would be nice to see the curve over time beyond 10 months, or at least a summary of what that curve looks like, i.e., when and at what levels do the numbers achieve steady state?
More importantly, the iOS and Android numbers need some additional numbers. While there's only a single iOS release, there are multiple Android releases, as each manufacturer takes a different amount of time to release its version after the Google release. That lag is often many months. At least for Android (not sure about iOS, since I don't have an iPhone), there is a second lag for the carrier to push out the actual update. If the report only references the Google release, then it needs to highlight that point. The 10-month numbers for Android after carrier releases would obviously be much better.
For example, the following manufacturers released Android 12 the following number of months after the official Google release:
Samsung: 1.5 months
LG: 5.5 months
The carriers' release will be after the manufacturer releases. So, if the 10-month Android numbers are relative to the Google release, then the numbers are almost meaningless (or rather, they reflect the lag in updates going from Google to manufacturers to carriers).
iOS numbers may be misleading (Score:3)
With the releases of both iOS 15 and 16, Apple has also given people the ability to stay on a patched version of the previous major release - at least for a while. So just because a user was still on iOS 14 after iOS 15 was released, it didn't necessarily mean they weren't up-to-date security-wise.
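The point above is exactly where a fleet-compliance report can go wrong: counting every device that is not on the newest major release overstates exposure when the vendor still patches the previous branch. The following is an added example, not code from the article, from Lookout, or from any commenter. It implements an MDM-style check that scores each device against a per-branch patch baseline instead of against "latest major only" and reports both counts side by side. Every version number, baseline and device record in it is a constructed placeholder, not Apple's or Google's actual release data.

```python
"""Added example: per-branch patch compliance vs. naive 'latest major' check.
All baselines and device records below are constructed placeholders."""

from collections import Counter

# Constructed policy (hypothetical numbers): for each OS, the lowest build on
# each still-supported major branch that counts as security-patched. A major
# version missing from this table is a branch the vendor no longer patches.
PATCH_BASELINE = {
    "ios": {15: (15, 7, 1), 16: (16, 1, 0)},
    "android": {12: (12, 0, 0), 13: (13, 0, 0)},
}


def parse_version(s):
    """'16.1' -> (16, 1, 0). Pads to three components; rejects junk input."""
    parts = s.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return tuple(nums)


def classify(os_name, version):
    """Return 'patched', 'unpatched' or 'unsupported_branch' for one device."""
    baseline = PATCH_BASELINE[os_name.lower()]
    v = parse_version(version)
    major = v[0]
    if major not in baseline:
        return "unsupported_branch"      # vendor no longer ships fixes here
    return "patched" if v >= baseline[major] else "unpatched"


def summarize(devices):
    """Count devices by patch status, and alongside it the naive
    'not on the latest major release' count, so the two can be compared."""
    status = Counter()
    naive_outdated = 0
    patched_on_older_branch = 0
    for d in devices:
        os_name = d["os"].lower()
        st = classify(os_name, d["version"])
        status[st] += 1
        latest_major = max(PATCH_BASELINE[os_name])
        if parse_version(d["version"])[0] != latest_major:
            naive_outdated += 1           # what a major-version-only report counts
            if st == "patched":
                patched_on_older_branch += 1  # over-counted by the naive view
    return {
        "status": dict(status),
        "naive_outdated": naive_outdated,
        "needs_action": status["unpatched"] + status["unsupported_branch"],
        "patched_on_older_branch": patched_on_older_branch,
    }


# Constructed sample inventory (not real fleet data).
SAMPLE_DEVICES = [
    {"os": "ios", "version": "16.1"},
    {"os": "ios", "version": "15.7.1"},   # older major, but patched branch
    {"os": "ios", "version": "15.6"},     # below the branch baseline
    {"os": "ios", "version": "14.8"},     # branch no longer in the policy
    {"os": "android", "version": "13"},
    {"os": "android", "version": "12"},   # older major, still at baseline
    {"os": "android", "version": "11"},
]

if __name__ == "__main__":
    report = summarize(SAMPLE_DEVICES)
    print(f"naive 'not on latest major': {report['naive_outdated']}")
    print(f"actually needs action:       {report['needs_action']}")
    print(f"over-counted by naive view:  {report['patched_on_older_branch']}")
```

On the constructed inventory the naive count flags five of seven devices, while only three are actually below a patched baseline or on a branch the policy no longer covers. The remaining two are the cases the comment describes. A real deployment would replace the hard-coded table with the vendor's current security-release list and refresh it on every release.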
Re: (Score:2)
I wonder how long Apple will be releasing fixes for its iOS v15 after v16 was released. So far, they have released two patches. iOS v14 got only one after v15 was released.
How to Avoid (Score:2)
1) Pay them enough so they can afford new phones
2) No BYOD, ever. Provide devices.
We all want to save money, but being a cheap-ass doesn't work, period.
Re: (Score:2)
this [archives.gov] implies that they only planned to pay for service. I suspect this document [atarc.org] could lead you to the answers (there are links)
Slashvertisement (Score:2)
This ain't Funny, but I guess it's par? (Score:2)
For the Slashdot course, at least. Yeah, a meta-comment, but it sure appears that someone is messing with the Slashdot code. The Funny tab is gone, and it was one of the features I used most often.
Now how can I check the old discussions to see if any jokes slipped in?
I think the big joke would be hoping for Slashdot to get better? Apples to oranges, but I think Slashdot is in worse shape than the federal government.
The Internet is a big place, but I still haven't found a better social media website... Most