Wireless security has been getting pushy recently. But seriously: Do you think we’re more secure?
What caught my eye was a headline about a mobile phone provider pushing a security update out to its customers. The wireless folks refer to this as an over-the-air (OTA) update. It certainly made me stop and think a bit about the current state of things. Let’s consider a few points here.
I’m going to preface this by saying that I’m not a big fan of security patches to software. They’re the worst possible form of securing software, but they’re still a necessary evil in today’s world.
We’ve been doing software patches for years, of course. Windows, OS X, Linux, and others all have automated and pretty mature methods for updating and patching software. Until not that long ago, however, the solution for updating software on mobile devices was pretty archaic. Even Apple’s iPhone uses a pull-based firmware update mechanism.
To be fair, some mobile phone carriers have had push-based OTA updates for a while now as well. But we’ve achieved new heights quite recently. What’s changed? Well, the operating system updaters I mentioned are all pull-based – meaning they periodically (or manually) poll the vendor for new versions of the software, and install them if they’re available and the user agrees.
Heck, a lot of today’s software does that at the application level as well.
But these are all pull solutions. What caught my eye in the headline was that the mobile carrier was pushing the updated software out to their customers, presumably on an involuntary basis.
There are several interesting ramifications to this act.
For one thing, updates should go out to all the customers of the affected device (assuming the carrier knows that information), irrespective of whether they have chosen to receive the updates. That should mean that the security state will improve across all of those devices, right? At least in theory.
On the latest versions of Windows, the updater is enabled by default, and a user would have to disable it knowingly to turn off the updating. I wonder if customers on this mobile carrier are able to opt out of the updating…
What if something goes wrong with the update? Software sometimes misbehaves. Subtle differences in hardware versions, chips, etc., might make the software work fine on most devices, but fail on others, for example. I hope the provider has done a thorough job of testing the update on many versions of the device.
What about application software? Have you ever updated an operating system on a server, only to find out that your favorite application software no longer works properly, or even works at all? Since the phone I’m referring to allows users to install application software on it, I’m certain this is an issue.
Another significant area of concern I have is the updating infrastructure itself. Almost overnight, that infrastructure, along with all the components contained in it, has become a very high-value target that the service provider has to protect. It wouldn’t be the first time a vendor’s update server has been attacked, for sure.
It’s sort of reminiscent of a Far Side comic I saw years ago in which two bears are talking. One bear has a massive target on his chest, and the other bear says something akin to “bummer of a birthmark.”
From an attacker’s perspective, there can be few “juicier” targets than a software update server. After all, the updater would represent a tremendous force multiplier for the attacker. Compromise one system, and many (!) systems will follow.
I hope that the provider has done a fabulous job of protecting that server and preventing rogue updates from being accepted by the mobile client devices. I suspect they have, but only time will tell.
So there are certainly operational as well as security risks involved in doing a push-based update. It’s pretty darned likely that most of these are not insurmountable, but they are nonetheless risks. I also suspect that there’ll be some percentage of the devices that simply fail during the update process.
Viewed as a whole, however, I think the risks outweigh the gains. We often hear of the dangers of monocultures in our computing environments. Well, for pushing security updates out to clients, perhaps there’s even some value in having a monoculture at times.
When we look at how wildly prolific the Conficker worm has been recently, despite the fact that Microsoft patched the underlying vulnerability it exploits, there certainly seems to be a compelling argument in favor of push-based updaters.
I feel that’s the big lesson to be learned from this, and it’s why I believe the mobile service provider has made a good choice here. Much as it would make me uncomfortable if my software providers ever updated my software without me opting in to the process, there’s definitely benefit to be gained from doing so.