Many individuals working across US government agencies and organizations are using smartphones with outdated operating systems, putting both them and the organizations they work for at major risk of identity theft (opens in new tab), data leaks, and other forms of cybercrime.
A report from cybersecurity experts Lookout analyzing some 200 million devices and 175 million application, between 2021 and H2 2022 found US government workers are rather slow when it comes to mobile phone updates.
In fact, ten months after iOS 15 was released, 5% of federal government employees, and almost a third (30%) of state and local government devices, were still running older versions of the operating system.
Security risks
But iOS is a closed ecosystem in which Apple builds and pushes updates to all iOS-powered devices – whereas Android is much more decentralized and thus, riskier.
When Google releases a new update, it first needs to be adopted and tweaked by device manufacturers (for example Samsung, LG, Asus, OnePlus, and even Google itself) before being pushed to their respective endpoints (opens in new tab).
That makes Android updates significantly slower to roll out compared to iOS. As a matter of fact, ten months after releasing Android 12 (which was the latest version at the time of the analysis), 30% of federal devices, and almost 50% of state and local government devices, were still sporting older versions.
Running outdated versions of the operating system is a major cybersecurity risk, because older versions have known vulnerabilities that cybercriminals can easily exploit to bypass mobile antivirus solutions and deliver all kinds of nasty malware.
At one point, older versions reach end of life and stop receiving support through security updates. In other words, if a vulnerability is found after end of life, it will stay unpatched, giving threat actors an easy way into the devices.
Google, for example, no longer supports Android 8 and 9, which are still being used by 10.7% of federal government employees, and 17.7% of state and logal government employees. According to BleepingComputer, these two versions have two thousand known vulnerabilities that will never be fixed.
Via: BleepingComputer (opens in new tab)