Half of iPhones on corporate networks run outdated iOS versions
Unpatched and end-of-life devices that are no longer supported by the manufacturer are much more prevalent than expected and create significant risk for corporate networks.
Duo Labs research draws on data gathered from thousands of customer deployments in more than 150 countries worldwide.
About half of Apple iPhone users are currently running outdated software (version iOS 8.3, released in April 2015, or earlier), leaving them exposed to several hundred documented vulnerabilities, including the Ins0mnia vulnerability, which attackers can use to surreptitiously steal data from phones using hidden applications.
Five days after the release of iOS 8.4.1, which addressed over 70 documented critical vulnerabilities (including Quicksand and Ins0mnia), only nine percent of the phones had been updated to the latest release of iOS software.
31 percent of iPhones are still using iOS 8.2 (released in March 2015) or an even older version of iOS, meaning they lack updates that address over 160 known critical vulnerabilities, including a Masque Attack, where a malicious app can masquerade as a legitimate app.
Of the 700 million-plus iPhones that Apple has shipped since 2008, Duo Labs research suggests that as many as 20 million are end-of-life devices that may still be in service but cannot be updated to current versions of iOS. This leaves organizations exposed to literally thousands of vulnerabilities — many of the highest severity.
Dug Song, CEO and co-founder of Duo Security, said: “Personal mobile devices are now de facto corporate devices. So companies need to review their policies on software patching and updates to reflect this new world of BYOD to work. Companies can secure their networks with two-factor authentication and a wide variety of other security solutions, but unpatched devices still create significant risk for enterprise IT departments and network security.”