The Department of Homeland Security and its obsolete Android OS problem

Patches and updates are a regular part of digital life. But apparently not regular enough, even among those who ought to know better — public safety departments.

[Experts weigh in with wish lists for Android 4.4 KitKat security]

The Department of Homeland Security (DHS) and the FBI issued a warning memo a couple of months ago to police and fire departments plus emergency medical service providers and security personnel that Android devices with out-of-date operating systems pose a serious security risk to their organizations.

While the memo was not classified, a press spokesman at the DHS said it was FOUO (For Official Use Only), and he therefore would not answer any questions about it, including how many public safety departments could be affected, what the response to the warning had been and whether any breaches or other compromises have been reported to the U.S. Computer Emergency Readiness Team (US-CERT) as instructed by the memo.

But the memo cited unspecified “industry reporting” that, “44 percent of Android users are still using versions 2.3.3 through 2.3.7 – known as Gingerbread – which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.”

Google’s own figures on its site for Android developers estimate that percentage at about a third less — 30.7 percent. But it also showed 21.7 percent using versions 4.0.3-4.0.4, called Ice Cream Sandwich, which is also out of date. Less than half – 45.1 percent – are using the latest OS, called Jelly Bean, and of that group, 36.6 percent are using 4.1, and only 8.5 percent are using 4.2, which is the latest OS.

With Android dominating the mobile OS market – Juniper Networks puts its share at 67.7 percent – that makes Android easily the most attractive target for malicious attacks, and puts hundreds of millions of users at risk — apparently including many in the public safety industry.

The DHS/FBI memo cited SMS Trojans, Rootkits and fake Google Play Domains as among the top security threats to out-of-date Android devices. It recommended regular updates, running an “Android security suite” and downloading apps only from the official Google Play Store.

But, updating an Android device is not always as easy or convenient as simply taking a few minutes to download a patch or the latest OS. While they are free, the hardware frequently cannot use them.

[Samsung fortifies enterprise security on is Android phones]

“There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version,” said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.

“So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean.”

That point was emphasized by Android’s chief competitor, Apple CEO Tim Cook (a distant second at 19 percent of the mobile OS market), who in a recent interview with Bloomberg BusinessWeek said incompatibilities among Android versions make each like an entirely different species.

“By the time (customers) exit, they’re using an operating system that’s three or four years old. That would be like me right now having in my pocket iOS 3. I can’t imagine it,” Cook said.

Troy Vennon, director of the Mobile Threat Center at Juniper Networks, said there is a, “long lag time between when updates are created by Google and when the carriers make them available to users. This gap is a significant security concern.”

He added that this “fragmented ecosystem,” not just Android’s dominance of the market, is what makes it such an attractive target for cybercriminals.

[10 tips for Android security]

A long-term member of the security community, formerly associated with the KNOS Project, declined to be identified due to his current employment, but said part of the problem until recently has been devices with inexpensive ROM memory, in which, “the code for the OS is frozen in the chipset. These cannot be updated without replacing the electronics.”

But, he said “EPROM,” or upgradable flash memory, has become less expensive, which has largely eliminated that problem, “although some of those older phones are still out there in use.” The other problem, however, “is that updating the OS on a phone eats a crapload of bandwidth, because you’ve got to push a lot of data out to each individual phone whenever something changes.

“That’s an enormous expense, and different data has to go to each particular model and revision of phone by each individual carrier,” he said.

The danger from the failure to upgrade is severe, he and others say. “Phones are the Trojan horses inside the firewall,” he said. “They belong to ‘trusted users’ who have access inside that firewall. If malware gets in there at all, then it can piggyback on top of all the legitimate apps they’re using, just like on a PC or Mac.”

And according to Vennon, it is a problem not easily solved. “Google’s decentralized ecosystem has made it difficult for software updates, including security patches, to make their way to Android users,” he said. “Each Android update from Google must be adapted and then tested by handset makers for each of their many hardware variants. That update is distributed to carriers who, in turn, push it to their customers.”

De Boer said the only solution for now is to block the use of Android devices that are not running the latest OS. “Apply admission control,” he said. “If your smartphones or tablet is running a vulnerable OS, you cannot get access to the specific service or data.”

But, he admitted, “this is hard to accomplish for voice and text, and easier for email and access to files.”

The fundamental problem, said the former KNOS Project employee, is that most of the smartphones that populate the BYOD revolution are not designed with corporate or government security in mind.

“Consumer-grade products, not fully supported for security by either their manufacturers and especially not by the carriers, are dangerous objects behind that firewall,” he said.