Old, outdated iOS devices pose a significant risk to the network of any organization, and could easily put the business at risk of a data breach, a recent report from security firm Duo Security said.
Because older devices often run operating systems that contain vulnerabilities patched in newer releases, even a single compromised iOS device connected to a network could put it in danger. Enterprises should make sure they have full visibility into the types of devices their employees use.
According to Duo Labs, half of the iPhones in use today run iOS 8.3 or older, which means that they are not protected against a whopping 100 known vulnerabilities that have been patched in iOS 8.4 and 8.4.1. Two of these are Ins0mnia, which allowed apps to steal data, and Quicksand, which exposed enterprise credentials and sensitive configuration details in an unprotected iOS directory.
Furthermore, the security firm notes that 31 percent of all iPhones are still running iOS 8.2 or lower, which means that they don’t have patches for more than 160 vulnerabilities. Worse than that, 14 percent of all iPhones run iOS 7 or below.
Duo Labs found that roughly twenty million iPhone users cannot receive security updates because they have old devices, some of them still using five-year-old hardware that is no longer supported by Apple, which leaves them exposed to a large number of already known vulnerabilities.
“Based on our estimates, around 20 million iPhones are running on hardware that can’t receive security updates. In some cases, there are iPhone 4 devices running 7.1.2, but there are even older devices running even older iOS versions. That’s a huge risk to enterprise environments,” the security firm notes.
At the moment, the iPhone 4s is the oldest platform that Apple still supports, and it is expected to be supported in iOS 9 as well. However, should the company stop offering support for this model, around 60 million devices will no longer receive security updates.
While users can do nothing to improve the security of their devices, enterprises can set specific BYOD rules to prevent outdated devices from compromising their networks. This is important because many users are slow to install new software releases.
“When iOS 8.4.1 was released to patch over 70 vulnerabilities, including Ins0mnia and Quicksand, only 9 percent of users updated to the latest version. Again, user awareness here is key – the goal is to update as soon as updates are available on their device,” Duo Labs said.
Organizations can also educate users on the importance of keeping their devices updated, provide them with information on how to streamline the process, and help them find convenient times to update.
While this study focused on risks around iOS, the same situation can happen with any outdated mobile operating system, such as the popular Android platform.