Just 4% of enterprise mobile devices have been patched against the Meltdown and Spectre vulnerabilities, which were revealed two weeks ago, according to new research from Bridgeway, a leading information security specialist.
The research is based on new analysis of over 100,000 corporate-owned and managed mobile phones and tablets across UK private, public and third-sector organisations. Bridgeway’s research found that a minimum of 72% of devices are still exposed to these critical vulnerabilities.
This is despite updates and patches for both Android and iOS devices – which make up the overwhelming majority of devices – being available from vendors for over a week. The research, conducted on Monday 15 January, is based on anonymised and aggregated data taken from Bridgeway’s IronWorks mobile management reporting solution, which gives organisations enhanced visibility into and reporting on the status of their mobile devices.
The research found that only 4% of devices had been patched, with 72% of devices monitored being vulnerable to Meltdown and Spectre, and with a further 24% also likely to be vulnerable and currently impossible to patch due to the age of the device.
“In 2017, the global damage caused by ransomware attacks highlighted the importance of quickly patching vulnerabilities, to mitigate the risks of attack and data loss,” said Jason Holloway, managing director of Bridgeway. “Mobile devices, although equally at risk as traditional PCs and servers, may not have been top of the IT department’s priority patch list, but with increasing amounts of sensitive corporate data being stored and accessed from these devices, they should be.”
“It’s worrying that only 4% of organisations have applied updates to protect their devices against Meltdown and Spectre: it means the majority of companies are needlessly exposing their users, devices and more importantly, corporate data, to the risk of interception and exfiltration. Mobile devices are the new target for hackers, who will be looking to exploit these flaws as quickly as they can. Organisations need to patch their mobile devices now, before they can be targeted.”
Bridgeway also warned that many older mobile devices running obsolete operating system versions, e.g. older than Android version 6.0 (Marshmallow), may never be patched by vendors and mobile network operators. This is because these OS versions and devices are no longer supported by their hardware and OS manufacturers, and in these cases the only option remaining for the organisation is to replace the devices with new ones.
Bridgeway advises that organisations’ IT or security teams check device manufacturers’ websites for the availability of updates and systematically apply them across their device estates as soon as possible. It also advises that companies consider using an enterprise mobile management (EMM) solution to disable untrusted sources, preventing users from installing potentially malicious apps that could exploit the vulnerabilities, and to validate that the devices and apps accessing corporate networks are secured, managed and authorised.