I have come to a realization that I’m not very fond of, but in the world of security vs. convenience, security has to prevail.
As we start having more and more smart things around us – from dishwashers to smartphones – we need to consider whether the manufacturer and/or distributor is committed to our security. This comes out of a conversation that I had with Verizon and LG Electronics today which I will briefly recount below.
I have a moderately new Android phone – not even two years old – and I stopped getting patches in June. In a conversation with Verizon today, even after escalating the call three levels up, it became clear that they couldn’t care less about security. The first two levels couldn’t even comprehend my question about why I wasn’t getting security patches. The third level blamed LG.
When I contacted LG, they attempted to blame Google even though Google has released patches for the version of the Android OS that I am running, each and every month. Patches that, apparently, LG is not releasing.
It is also important to understand that this is not limited to phones. Not limited to tablets. In fact, it applies to any “smart” Internet connected device. As an example, when GE came to repair my dishwasher, the tech was not allowed to close the repair ticket until he patched my dishwasher. Of course, if the dishwasher hadn’t broken it would not have been patched, but at least it is a start.
So here is the realization.
IF you or your company is concerned about security, then security should be one of the criteria used to eliminate vendors from consideration.
If a vendor does not commit in writing to provide patches for what you consider the life expectancy of the device, then THAT VENDOR SHOULD BE ELIMINATED FROM CONSIDERATION. Then you make your selection from among the vendors still in the running.
Up until now, security hasn’t been a selection criterion, never mind an elimination criterion.
And this applies just as much to dishwashers as to phones.
When it comes to both phones and dishwashers, the unpopular part is that we may have to REPLACE devices that are still working but are no longer being patched by the vendor. The alternative is to completely isolate the device, disconnect it from the Internet or remove any sensitive information from it. That won’t work very well for a phone, for example.
If you choose to completely isolate it from every other device, which is certainly an option, it may not be able to perform the functions that it needs to. If all the device needs is access to the Internet then it is pretty easy to isolate it from all other devices, but if it needs to interact with say, a copier or a file server or something else, then it is much harder and the patching question needs to come back into consideration.
Specifically when it comes to phones, if patches are an issue, then Apple wins hands down. An iPhone 5s released in 2013 is still being patched. My two year old Android phone is on the edge of its useful life due to patches. Or lack thereof.
Remember that when the next big bug comes out – like BroadPwn – if your phone isn’t being patched then the hackers have all the advantage. They can compromise the device and from there, steal all the information on the device (which this week seems to include, once again, nude pictures of celebrities) and from there, infect the company network(s) that it is attached to.
If you are not an Apple fan, then when it comes to Android, Google wins hands down; even if it is not as good as Apple, it is better than most. Google has committed to providing version updates for two years after the phone is RELEASED and providing security patches for three years. Three years is not as good as four or five years, but it is better than most.
When we add other connected devices such as IoT devices into the mix it becomes even more complicated. Many IoT devices require network access and for most personal (home) networks, there is not an easy way for people to isolate them from their sensitive devices like laptops.
So, I think there are two conclusions here –
- Security needs to be a primary consideration when it comes to choosing a vendor. I have decided that my next phone will be a Google phone even though it may not be the sexiest phone around. And,
- When it comes to both HOME and small business networks, we need to figure out a way to isolate those devices that we really don’t trust for some reason from the rest of the network. It is way too hard right now. For me, at home, I have two physically separated networks with two separate Internet connections from two different providers, but how many people will go to that level of effort and expense? Not many!
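As an added illustration of the isolation described above (this is example configuration, not something from the original post), here is an nftables ruleset for a single home or small-business router that gives untrusted, no-longer-patched devices Internet access only, while the trusted side can still reach them. The interface names lan0, iot0 and wan0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Assumed router interfaces (not from the post):
#   lan0 - trusted network (laptops, file server, copier)
#   iot0 - VLAN/SSID for untrusted or unpatched devices (dishwasher, old phone)
#   wan0 - Internet uplink
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Untrusted VLAN gets only DHCP and DNS from the router itself.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept
        # Trusted LAN may manage the router.
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to flows the trusted side opened are allowed back.
        ct state established,related accept
        # Untrusted devices may reach the Internet and nothing else.
        iifname "iot0" oifname "wan0" accept
        # Trusted LAN may reach the Internet and may initiate toward IoT
        # (e.g. to control a device); IoT can never initiate toward LAN.
        iifname "lan0" oifname { "wan0", "iot0" } accept
        # Log lateral attempts so a compromised device is visible, then drop.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the "iot-to-lan-blocked" prefix: any hit means a device on the untrusted side tried to talk to the file server or copier, which is exactly the traffic the post wants stopped.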
No source for this post – just me ranting 🙂 !