Most UK enterprise mobiles not patched for Meltdown and Spectre

Very few UK enterprise mobile devices have been patched against the recently discovered Meltdown and Spectre exploits and almost a quarter cannot be patched, a study shows

An analysis of 100,000 UK corporate-owned and managed mobile phones and tablets has revealed that only 4% have security updates for the Meltdown and Spectre exploits and 24% cannot be updated due to the age of the device.

The study is based on anonymised and aggregated data from devices across the public, private and third sectors that are managed by the IronWorks mobile management system operated by information security and risk management firm Bridgeway.

This means that despite the speedy release of security updates for the Android and iOS mobile operating systems, 72% of UK corporate mobile devices are still exposed to these critical vulnerabilities.

“The majority of companies are needlessly exposing their users, devices and, more importantly, corporate data to the risk of interception and exfiltration,” said Jason Holloway, managing director of Bridgeway. 

“In 2017, the global damage caused by ransomware attacks highlighted the importance of quickly patching vulnerabilities to mitigate the risks of attack and data loss. Organisations need to patch their mobile devices now, before they can be targeted.”

Holloway said mobile devices are as much at risk as traditional PCs and servers, but tend not to be at the top of the IT department’s priority patch list. “But with increasing amounts of sensitive corporate data being stored and accessed from these devices, they should be,” he said.

According to Bridgeway, mobile devices are the new target for cyber attackers, who are likely to use the Meltdown and Spectre exploits as soon as they can.

The security firm also warned that many older mobile devices are running obsolete versions of operating systems, such as Android version 6.0 (Marshmallow), and may never be patched by suppliers and mobile network operators because these OS versions and devices will be unsupported by their hardware and OS manufacturers. In such cases, the only option remaining for an organisation is to replace the devices with new ones, said Bridgeway.

The security firm said organisations’ IT or security teams should check device manufacturers’ websites for the availability of updates, and then systematically apply them across their device estates as soon as possible. 

Bridgeway also advised companies to consider using an enterprise mobile management (EMM) system to disable untrusted sources, to prevent the user installing potentially malicious apps that could exploit the vulnerability, and to validate that the devices and apps accessing corporate networks are secured, managed and authorised.