Unpatched, passcode-free smartphones. Yes, they're everywhere

Users in both enterprises and at home are failing to take basic precautions against an increasing range of mobile threats, according to a new survey by security firm Skycure. The majority (52 per cent) of devices do not have any type of passcode enabled, including alphanumeric, biometric, and swipe codes. And around a third ( …

  1. Anonymous Coward

    I blame the OEMs 100% for this

    "And around a third (30 per cent) of devices were running an out-of-date OS."

    I'd love to be running a more recent OS, but HTC can't be bothered to issue any updates so I'm screwed.

    Take my advice - never buy HTC.

    1. Anonymous Coward

      Re: I blame the OEMs 100% for this

      Yes, it would be nice to know how many of these "out of date" devices have been declared EOL by their manufacturers, thus making them not "unptached" but "unpatchable" and thus the only option is a costly replacement phone which many people aren't inclined to buy.

      1. Anonymous Coward

        Re: I blame the OEMs 100% for this

        "not "unptached" but "unpatchable""[sic]

        I'm sure there'll be a recent ROM for it if the hardware is still adequate.

        1. Anonymous Coward

          Re: I blame the OEMs 100% for this

          But not an OFFICIAL one, which can be critical for enterprise applications (legal mandates) or Joe Ordinary who can't be trusted with going under the bonnet.

          1. Anonymous Coward

            Re:

            And yet MS get blamed for Windows security problems on Dells, HPs or any manufacturer's PCs. But not Google, because apparently there's no way they could have built a Windows Update style service for Android.

            Though apparently now "Google is taking the lead on revitalising the patching pipeline for the Android ecosystem". Stable door anyone?

            1. Thomas 6

              Re: Re:

              The difference here is that Microsoft sell a completed version of Windows which is installed on a device. Google create a version of Android which is then modified by the OEM before being installed. Google have no control over these modifications therefore cannot release a 'fix' that will work on all devices.

              Google have made attempts to address this and supply a lot of updates via the Google Play Services. It is, however, an issue that will continue to plague Android unless a better solution is found.

              1. DLKirkwood

                Re: Re:

                How about the iPhone solution? A Mac OS seems to be a bit more secure than PC, however these days kids are far smarter (it seems) than the developers these days. Personally I don't worry about my iPhone mainly because I don't do much business on it (or my computer for that matter) that is sensitive. I put in a partial end number of my bank accounts, but never link to my actual bank, for example. I will take the extra work to remain secure. One other thought, though....

                Personally, I have to wonder if all the "you're not secure enough" rhetoric is real, or a front to make sure we all upgrade to the latest OS with new and improved spyware from our own governments and the alleged 'six families that hold the majority of wealth in the world' to keep the rest of us in our place.

                Funny that what happens in the US seems to follow suit a mere months after to the entire rest of the Civilized (?) countries. Something to consider if you ask me ... as a writer I've learned how to research deep to see some interesting things; such as, before the stock market and housing crash, rental property stocks were taking a steady 4 1/2 year dive. Quite the coincidence, which did not really explain why it took banks 4 - 5 years to put most of those repossessed homes up for sale to the public. The numbers taken back did not come near to those on the market until apartment rent had increased by close to 40%.

                1. Anonymous Coward

                  Re: Re:

                  At the time, only Apple could pull off the iOS solution because the carriers faced actual defections from customers lured by Apple's unique siren song. Google offered carriers Android as a way to lure those customers back, and it worked, but it entailed a necessary delegation of responsibilities that is coming back to bite Google. They're trying to wrest underlying control back with the latest versions of Android. Marshmallow has a lot more integrity checking, for example (dm-verity is now enforced along with SELinux, and Android Pay only works on "virgin" devices), and there has been progress on layers (which would allow carriers to provide their unique stuff while staying off the system stuff for the most part). This push for security will likely be near the top of the priority list for Android N (whatever it'll be called).

                  PS. If you're paranoid about governments overhearing your activities on your cell phone (which they could probably do even before there was such a thing as a smartphone), then you probably shouldn't own a cell phone at all, and give up that connectivity that everyone (including bosses) is demanding these days.

              2. Anonymous Coward

                Re: The difference here is that Microsoft sell a completed version of Windows....

                Really? You're sure those clever people at Google couldn't manage to keep core infrastructure updatable whilst allowing manufacturers to mess with the UI and add services? This isn't a case of Google providing an update mechanism and the OEMs opting out of it or breaking it. They didn't bother to provide a patching mechanism. It shows a wilful lack of care for their users.

                1. Anonymous Coward

                  Re: The difference here is that Microsoft sell a completed version of Windows....

                  "You're sure those clever people at Google couldn't manage to keep core infrastructure updatable whilst allowing manufacturers to mess with the UI and add services?"

                  You should talk to the folks at the XDA boards. You'll find out that TouchWiz and Sense, among others, are a whole lot more than just window dressing. There is a whole lot of under-the-bonnet stuff that makes these things work, and a lot of things that are pushed at the insistence of the carriers under threat of dropping them for another brand. For example, take T-Mobile's WiFi Calling and the Galaxy S4. WiFi Calling happens to be one of the few things I really, really like about T-Mobile (especially when abroad since that means I can call home for free as long as I'm at a hotspot), but here's the rub. At T-Mobile's insistence, the guts of WiFi Calling are buried inside TouchWiz, to the point no Android hacker in 2 1/2 years has been able to disentangle the two (there's even a cash bounty out on this, so there's lots of motivation). So if you want WiFi Calling, you MUST use TouchWiz (which for us apparently means no Lollipop upgrade). And no, neither phones from other carriers nor Google Play Edition S4s can get WiFi Calling. Last I heard, HTC phones get the same treatment with their Sense UI.

                  So NO, manufacturer adjustments are WAY more than skin deep, and until Google lays the law down (and neither side decides to walk away in response), then that's the way it'll be. Believe me; I speak from experience.

              3. Anonymous Coward

                Re: Re:

                "Google create a version of Android which is then modified by the OEM before being installed."

                The curse of Open Source, which is why Linux has failed on the desktop (and will *ALWAYS* do so) and is now failing on the phone.

              4. Tom 38

                Re: Re:

                Google have no control over these modifications therefore cannot release a 'fix' that will work on all devices.

                If the OEM wants to call it an Android phone, Google in fact have quite a bit of control over what they do with it.

        2. Anonymous Coward

          Re: I blame the OEMs 100% for this

          Some bootloaders cannot be unlocked. Many of Motorola's phones, for example. So no custom ROMs can be installed.

          This is really Google's fault for allowing OEMs to be so lax with updates.

  2. FrogsAndChips Silver badge
    Facepalm

    "Rooting/jailbreaking a device removes most of the inherent security features ..

    ...of the operating system"

    And yet rooting/jailbreaking is the only way to upgrade a device to a more recent, secure version of the OS once the manufacturers have stopped providing updates, if they ever have.

    1. Anonymous Coward

      Re: "Rooting/jailbreaking a device removes most of the inherent security features ..

      Which means you lose either way. If you don't upgrade, they'll pwn you with the unpatched exploits. If you do root, they'll pwn you precisely because you rooted, regardless of whatever safeguards you try to put up.

      Leave Android and you find Apple has its own issues, and meanwhile feature phones are going the way of the dinosaur because people are getting used to sleek, adjustable-function phones they can customize. No one (of any importance) just calls and texts anymore.

      1. Anonymous Coward

        Re: No one (of any importance) just calls and texts anymore.

        Fuck you! Your Mum's not important either!

        1. Anonymous Coward

          Re: No one (of any importance) just calls and texts anymore.

          No she isn't. She's dead.

      2. Ken Hagan Gold badge

        Re: "Rooting/jailbreaking a device removes most of the inherent security features ..

        "No one (of any importance) just calls and texts anymore."

        No-one of any importance ever did. They have people to do that sort of thing. (Sheesh! Kids today...)

  3. Cuddles

    30%?

    "And around a third (30 per cent) of devices were running an out-of-date OS."

    That's certainly not true at all. The most recent version of Android is 6, which is used by approximately 0% of people. Ignoring that and looking at versions that most people actually have a chance of using, 5.x is used by around 20%, with 4.4.x by far the most common and 4.1 and 4.2 together still having more market share than 5. So no, 30% of people are not running an out-of-date OS; somewhere between 80-100% are.

    Have to say I'm surprised at the number without any passcode though. I don't think I've ever seen a mobile device without either a swipe pattern or PIN.

    1. Sandtitz Silver badge

      Re: 30%?

      "I don't think I've ever seen a mobile device without either a swipe pattern or PIN."

      Ever? When Nokia ruled with the Symbian phones it was rare to see anyone protecting their phone with a PIN - if it even was possible (can't remember). Sure the SIM had a PIN code but that was needed only when rebooting the device.

    2. Adam 1

      Re: 30%?

      Feels good to be one of the 0%. (2014 Nexus 5). Actually one of the best things about it is that they fixed up app permissions. (You can selectively revoke permissions you don't think an app needs). That in itself is a huge security plus.

  4. Anonymous Coward
    FAIL

    And around a third (30 per cent) of devices were running an out-of-date OS.

    Rubbish.

    I bet they ACTUALLY mean

    ....a third (30 per cent) of devices were running an UNSUPPORTED OS.

    Not the same thing.

    Windows 7 is "out of date", but is not obsolete.

    1. Adam 1

      Re: And around a third (30 per cent) of devices were running an out-of-date OS.

      Windows 7 did you say? Oh, you must want Windows 10. Let me download it for you.

  5. Timmy B

    I too am getting a bit disgruntled with Android. Though the best experience I have is with LG so far. SWMBO has a direct-from-LG G3 and I have one that came from Three. I am on the same version as her (the latest LG provided) and got that only three weeks after her (I check monthly so there may be updates that I've not looked for). I figure a three-week lag for Three isn't terrible. Samsung were atrocious and didn't update anywhere near enough, even unbranded. On the other hand my spare phone (an MS Nokia 630) updates all the time which I quite like - would swap to WP10 in a shot if only the app support was there. Please nobody suggest iPhone - been there, done that...

    1. DLKirkwood

      Capitalism at its worse.

      As far as security the iPhone seems better, however since Steve Jobs died Apple has been slowly falling down into the pits of hell imho.

      Siri is too busy to help much of the time, and when she does she's been hitting the bottle because she can't find the obvious, or understand plain English, and she's supposed to get better and better over time at how the user enunciates their words. Instead she seems to be getting worse since the later update that I did on my phone (that had to be reset).

      The iPhone was plugged into my Mac Pro desktop charging during the install and I unplugged after the update but before the reset. Still, I discovered that the update wiped out all ringtones ON MY DESKTOP! which I had converted to MP3 format from my Android phone so that I could use them with the iPhone. In other words, if it didn't come from the iTunes Store, out it went. FIFTY MP3 or Tone files.

      Their tech support solution was 'buy them again', yet iTunes does not offer them. Their ho-hum attitude apparently changed after 20 minutes of rather heated debate as to their right to take anything out of my computer without permission, and my hanging up on them just after a threat of a class action lawsuit. Funny, those ringtones slowly reappeared in iTunes again although they swore there was nothing to be done. Is there such a thing as honest business dealings these days?

      1. Anonymous Coward

        Re: Capitalism at its worse.

        Do you really believe a single angry call into Apple threatening a class action suit is going to get them to have someone magically access your personal iTunes install and get your ring tones back?

        Whatever happened (I have no idea what) caused them to temporarily disappear and they came back later. Maybe some sort of index got deleted and had to be rebuilt, I have no idea. If you really believe your call to some bored front line CSR would get them to take any action beyond "log angry call with random threats", you're crazy.

      2. Tom 38

        Re: Capitalism at its worse.

        Restore it from backup? Oh you forgot to back it up? TIME FOR A CLASS ACTION OF ONE.

  6. Warm Braw

    The majority of devices do not have any type of passcode enabled

    My device doesn't have a passcode enabled either. It also has a maximum of £15 credit on it at any one time and has no banking or shopping apps. I lead a very dull life and the remaining contents of my phone reflect that.

    I'm quite happy with that level of risk.

    1. Anonymous Coward

      Re: The majority of devices do not have any type of passcode enabled

      But it'll probably still contain enough details to steal your identity, with which they can get to everything else you own.

    2. Your alien overlord - fear me

      Re: The majority of devices do not have any type of passcode enabled

      Wow, you keep a lot on it. I only have a fiver. And as for stealing personal info, good luck with that. I keep no one in my contacts or anything in the calendar. Email is web-based and I don't keep even my email address saved (I have a couple of email addresses anyway) and since I run AOSP, nothing Google-based either.

      I'm not paranoid, it's just I have a brain and can remember things. Old skool I suppose.

      1. Warm Braw

        Re: The majority of devices do not have any type of passcode enabled

        Wow, you keep a lot on it. I only have a fiver

        I withdraw my claim to live a dull life. I obviously live more dangerously than I had imagined.

  7. Anonymous Coward

    Not through lack of trying.

    Bong. Updates are available for your Android System.

    Run... restart... 30%... HANG! Abort! Restart...

    Bong. The update failed, connect your device to a Real Computer and install the update that way.

    [Much hassle later on the vendor's website downloading their Connectivity package, because registering the device as a USB Storage device and copying any update files into a folder called Updates would be, like, so infra dig.]

    RC: No updates are available for your device.

    User: Huh? But... Whatever!

    Bong. Updates are available for your Android system.

    GOTO 20

    For the last six months, I've just swiped the update into a 'Later' state. I still get the icon on the title bar, and it still fills about half the Notifications screen, but at least the device hasn't bricked.

    1. Adam 1

      Re: Not through lack of trying.

      The crazy thing about the Android update process is that the 20MB Stagefright patch took almost as long to install as Marshmallow itself.

  8. splodge

    Correct me if I'm wrong, but the primary purpose of a "telephone" is to make "telephone calls" ?

    1. Bob Dole (tm)
      Facepalm

      Re: Correct me if I'm wrong

      .. Here's your friendly correction or two...

      They haven't been called 'Telephones' for quite a while now. They are Mobile Devices. Telephones are those things that required cords - or at least a base station in your home and only worked within like 100 feet of it.

      Phones, aka Mobile Devices, are primarily for delivering personal advertisements by way of games, internet browsing and social media apps. Making telephone calls is just a secondary feature.

    2. Steve Davies 3 Silver badge
      Joke

      And your primary Phone is made of Bakelite and has a Rotary Dial that still uses Pulse Dialling?

      How 1930's of you my dear Chap.

      See Icon because I tend to agree with you. My main phone is a Nokia 6310. Go on hackers, get access to my bank from that!

      1. Anonymous Coward

        They just might by triangulating your phone's location (a basic function of the network) and secretly turning on your phone's mic (via a hardware smurf) while you're there to hear pertinent details. Like I said, if you think the plods were only able to tap you when the iPhone and Android came along, you're late to the game.

    3. Adam 1

      I don't think so. When was the last phone review you saw where ring volume, microphone clarity and talk time together took up more than 2 sentences?

  9. Anonymous Coward

    Good news for MSFT at last!

    At least their Loonia phones were not called out and shamed!

  10. Shadow Systems

    It's the fault of Carriers & Manufacturers.

    As a Verizon Victim I have a severely limited choice of devices, they invariably don't come with the latest version of OS (the Verizon site still offers Android phones with v2.x on them, Apple devices with ~3 prior releases, & Windows phones with WP7; if you look at BlackBerry's offerings it's even worse) claiming they are "OTA Ready". Except they *NEVER* update the devices, so the OS version you buy it with is probably the only one it will EVER get. No updates from Verizon will be forthcoming until the heat death of the universe.

    Add to that manufacturers that shit out a new device every few months, claim it'll be supported for the life of the device, then abandon it barely a year later. See Motorola for examples of this, HTC, Samsung, and any of the primarily Chinese tertiary vendors. IF they release an update for the device then it has to go through the carrier in order for us to GET it. If that carrier is Verizon then the manufacturer's update will be "held for testing & validation" until Verizon feels like releasing it, which will be when Hell Freezes Over.

    Even if I buy a Nexus from Google directly & get one compatible with Verizon's network, I can't be sure I'll be able to get any updates. I either have to cable it to my desktop & force it to update via the LAN or somehow figure out how to manually download the updates & apply them. Because Verizon will actively cockblock anything the manufacturer might try to send over Verizon's network, claiming "security".

    So my options are to live with an insecure device or switch carriers. Unless I suddenly find a couple hundred I can flippantly flush down the bog IN ADDITION to all the other fees I'd incur in changing over (credit check, down payment, the phone itself, insurance, accessories, et alia) then it's Not An Option.

    Which leaves an insecure device. <Sarcasm>Joy.</Sarcasm>

    In the end, the device manufacturer has to be arsed to create the updates, release them to the carriers, & insist that the updates be applied promptly. Then the Carrier has to pull its head out of its ass & push out the updates in a prompt manner. Then and ONLY then can the Customers stand a chance in hell of running secure devices. As others have pointed out above, running the stock OS will get you screwed from the inherent unpatched security holes, but rooting it to run a more recent version will ALSO get you screwed BECAUSE of the rooting. How the hell are we supposed to win in a Damned if we Do, Damned if we Don't situation?

    Feature phones may not be as prevalent as they used to be, but the fact that I don't store any PII on it beyond my Contact List means that even if it DOES get violated somehow then there isn't a whole lot an attacker can steal. (Because it doesn't run applications, doesn't connect to the internet, doesn't play games, and simply makes/takes calls, sends messages, & has functions like a calculator, there isn't much TO attack in the first place.)

    Do I want a SmartPhone? Hell yes. Do situations like this make me reconsider getting one? Damn skippy. If the manufacturer can't be bothered to update the device & my carrier couldn't give a fuck about my security, then there's zero chance that I'll be able to make an end run around the both to do it myself.

    *Sigh*

  11. Anonymous Coward

    What did they consider "out of date" for iOS?

    If 8.4 was current when they did this survey, was anything older out of date? Or anything earlier than 8.0? Every new version of iOS and every new version of Android includes some security fixes, so obviously even if you are 100% up to date you are still vulnerable to some stuff they don't know about, or know about but haven't delivered a fix for yet. Being up to date only means you're vulnerable to less than if you were on an older version.

    They seem to pretend that being "up to date" is a panacea and some arbitrary "out of date" line is bad. It is more of a sliding scale. Since there aren't any active large scale exploits happening with iOS, or with Android, at this time the risk is mostly theoretical. When such attacks begin (and I have no doubt they will come) then you can worry about x% of phones being vulnerable.

    The key there is that iOS users will be able to take action to update their phone and eliminate the risk, while most Android users will be left without any recourse short of buying a new phone. I'm sure Android OEMs will enjoy the windfall that results from their own dereliction of duty, though part of that windfall may come Apple's way due to their better support for updates.

  12. Nate Amsden

    count me in

    Actively refusing the Android 5 upgrade by having wifi off most of the time.

    Only reason I have a passcode is I had to install a custom SSL cert for my personal ownCloud server for address book sync because Android does not support the CA I bought it from. Otherwise I would have no passcode.

    I've never lost my phone nor had it stolen (had cell phones since 1998). I'm very careful what apps I install. Based on history I believe my vulnerability is very very low even without a passcode on the phone.

    Also I don't do anything like online banking on the phone either. I do use the company VPN on occasion with Duo Security two-factor (though it uses the phone for the 2nd factor).

    1. Adam 1

      Re: count me in

      Does your 2FA use the same phone you are VPNing from? If so, you may want to think about the 2 in 2FA.

  13. AlexV
    Pirate

    Rooting shouldn't be necessary

    If the OS held me as the highest authority on what may or may not be done on my own device, as it damn well should.

    *I* get to say what is installed, uninstalled, backed up, copied or modified. *I* can grant or deny an app whatever permissions I deem appropriate, and whatever knowledge of those permissions I choose. Do you have permissions to access SMS, or do I just have no messages, and messages you send have no effect? That's my decision.

    1. Anonymous Coward

      Re: Rooting shouldn't be necessary

      No, you don't, because the software isn't yours. Therefore, you cannot be held in the highest regard anywhere in the mobile world. Neither for that matter do you own the firmware needed to make the phone run, which is all protected by patents and/or trade secrets. You want to use a cell phone, you need to agree to licenses and so on. Cost of doing business; Take It Or Leave It.

  14. Anonymous Coward

    Phones are just a dry run for the Internet of Things.

    It's all going to end in tears as, based on current manufacturers' performance, those devices will never all be patched. The DDoSers must be rubbing their hands in glee.

    Don't get me started on security updates for cars...

  15. Anonymous Coward

    Which is why...

    Using a mobile phone for banking or financial transactions is a really stupid idea, no matter how convenient it is.

    Unless risking identity theft doesn't bother you.

    1. Anonymous Coward

      Re: Which is why...

      You think that's bad? What about those ubiquitous security cameras at the brick-and-mortar branches? Sure, they say they're for your protection, but given the DTA nature of today's world, can you really, REALLY be sure about that...?

  16. Phil Kingston

    Why is this deemed a negative?

    I must save hours a year by not having to type in a PIN every time I look at my device.

    And patching's the same - each patch makes it a bit slower, so why bother? I'll take the performance route and just not install untrusted cack/visit dodgy sites etc.

    This idea that if you don't keep patched and have a ridiculous passcode then the world will end is bobbins.

    If it really matters, I haven't insured the handset either.

    1. Anonymous Coward

      So you don't care if someone mugs you and rips the phone out of your hands?

      As for not patching because you don't visit dodgy places, does the phrase "drive-by attack" put you short? Those attacks are placed at mainstream sites and can use mainstream networks that can get past ad blockers.

      Your world may just end if your stolen phone results in identity theft or a serious breach that results in you getting fired or worse having to pay through the nose in court or whatever, and note that there have been some pretty serious people that got their details nicked in this very way.
