Cell Phone Security Updates: Voluntary or Involuntary?
Should mobile carriers push out updated software to customers regardless of choice, or is it safer to have the users request the updates?
What caught my eye was a headline about a mobile phone provider pushing a security update out to its customers. The wireless folks refer to this as an over the air (OTA) update. It certainly made me stop and think a bit about the current state of things. Lets consider a few points here.
Im going to preface this by saying that Im not a big fan of security patches to software. Theyre the worst possible form of securing software, but theyre still a necessary evil in todays world.
Weve been doing software patches for years, of course. Windows, OS X, Linux, and others all have automated and pretty mature methods for updating and patching software. Until not that long ago, however, the solution for updating software on mobile devices was pretty archaic. Even Apples iPhone uses a pull-based firmware update mechanism.
Heck, a lot of todays software does that at an application level these days as well.
But these are all pull solutions. What caught my eye in the headline was that the mobile carrier was pushing the updated software out to their customers, presumably on an involuntary basis.
There are several interesting ramifications to this act.
For one thing, updates should go out to all the customers of the affected device (assuming the carrier knows that information), irrespective of whether they have chosen to receive the updates. That should mean that the security state will improve across all of those devices, right? At least in theory.
On the latest versions of Windows, the updater is enabled by default, and a user would have to disable it knowingly to turn off the updating. I wonder if customers on this mobile carrier are able to opt out of the updating
What if something goes wrong with the update? Software sometimes misbehaves. Subtle differences in hardware versions, chips, etc., might make the software work fine on most devices, but fail on others, for example. I hope the provider has done a thorough job at testing the update on many versions of the device.
What about application software? Have you ever updated an operating system on a server, only to find out that your favorite application software no longer works properly, or even works at all? Since the phone Im referring to allows for users to install application software on it, Im certain this is an issue.
Another significant area of concern I have is the updating infrastructure itself. Almost overnight, that infrastructure and all the components contained in it have become a very high value target for the service provider. It wouldnt be the first time a vendors update server has been attacked, for sure.
Its sort of reminiscent of a Far Side comic I saw years ago in which two bears are talking. One bear has a massive target on his chest, and the other bear says something akin to bummer of a birthmark.
From an attackers perspective, there can be few juicier targets than a software update server. After all, the updater would represent a tremendous force multiplier for the attacker. Compromise one system, and many (!) systems will follow.
I hope that the provider has done a fabulous job at protecting that server and preventing rogue updates from being accepted by the mobile client devices. I suspect they have, but only time will tell.
So there are certainly operational as well as security risks involved in doing a push-based update. Its pretty darned likely that most of these are not insurmountable, but they are nonetheless risks. I also suspect that therell be some percentage of the devices that simply fail during the update process.
Viewed as a whole, however, I think the risks outweigh the gains. We often hear of the dangers of monocultures in our computing environments. Well, for pushing security updates out to clients, perhaps theres even some value in having a monoculture at times.
When we look at how wildly prolific the conficker worm has been recently, despite the fact that Microsoft patched the underlying vulnerability it exploits, there certainly seems to be a compelling argument in favor of push-based updaters.
I feel thats the big lesson to be learned from this, and its why I believe the mobile service provider has made a good choice here. Much as it would make me uncomfortable if my software providers ever updated my software without me opting in to the process, theres definitely benefit to be gained from doing so.