“Mike, you don’t have to go in at noon. Computers down.”
A note my roommate left on the fridge. August 12, 2003.
I was working support at a call center that summer between university terms. Sometime in the early morning of August 12th, hundreds of Windows computers at my workplace started randomly shutting down. Later that day, I started getting calls from friends and family about computers “acting weird”. Yes, even my own computer went down that evening. Windows machines were becoming infected and going down all over the world.
The cause was a little worm named Blaster (or MSBlaster or Lovesan; it depends on who you ask). It was a virus that took down every Windows machine it touched spreading through your internet service provider’s own network. And there was nothing anyone could do…
Or was there?
In fact, the millions of dollars of lost productivity and IT costs to clean up the mess could have been avoided. Like many major exploits used in large scale attacks, the vulnerability was known and could have been fixed in an update. Unfortunately, updating tools at the time were only used by system admins and tech savy folks. Ten years ago, updating Windows was simply not a thing “normal” people did.
However, the reality of the increasingly interconnected world of the 21st century meant that something had to be done. Blaster was just part of a wave. Earlier in 2003, Slammer was another nasty data-destorying attack that spread throughout the world using a Microsoft SQL exploit that was well documented, but not patched. Blaster, Slammer, their innumerable variants, and future potential threats caused Microsoft to come to the only logical conclusion.
Updates for an operating system were no longer optional.
Not just for system admins anymore, updates had to be provided to the whole computer using community. Everyone has to be secure or no one is safe. Therefore, updating had to be easy, built in, and automatic from here on out. This lead to the creation of one of the most important updates Microsoft ever deployed: Windows XP Service Pack 2 with Security Center. The worlds most prevalent operating system started notifying you to update regularly. Updating your computer regularly became a part of your life.
So, what does this have to do with Android?
Currently, the vast majority of Android devices are not running the latest version. At this time, only 8.5% of Android users are using the latest version of operating system (Android Kitkat version 4.4) that came out 8 months ago. For comparison, Apple has updated 88% of iOS users to iOS 7 (also released last September).
The difference here is that, like Microsoft, Apple controls their updating of iOS devices on their end. For Google, the Android devices are at the mercy of the hardware manufactures and cell providers to get updates out. Without going into all the details of how Android updates work (HTC posted some details about this embarrassing phenomenon themselves) let’s just say that the logistics of this situation are kind of insane.
This means that Android version updates take about 5 to 10 months to deploy after release for most manufacturers, but that is only for the newest devices. Cheaper devices may get one update, but many never get any.
For a great example of how bad updating is on Android, you don’t have to look any further than the best-selling Android device of all time, the Samsung Galaxy S3. It was released with Android 4.1 and it took so long to update to 4.2 that Samsung ended up "skipping Android 4.2 and going straight to 4.3. And now, with the device not even two years old, it appears most versions of the device will never get an update to 4.4. If this device is not being properly supported, what is?
Even Google’s own Nexus phones fail to be updated after two years. So, if you were looking to hardware coming straight from Google to help, you’re still out of luck in the long run.
The simple fact is that there is no way for Google to quickly deploy a patch across all devices if a huge exploit were to arise. Let’s imagine that such an event happens. The current Nexus phones would get updates right away, but that’s only two devices. Most high end devices would take months. Many devices would never get updated no matter how bad the problem being exploited. On the other hand, if Apple wanted to do a release, it could deploy a patch to every iOS device tomorrow.
There are people that will tell you that this doesn’t matter. One of the key arguments I have heard is that Google updates services on an Android device now, so you can still get the latest services and apps even on older devices. The problem is many vulnerabilities just can’t be fixed without an operating system update. An operating system cannot be updated solely through the /app folder.
So, do major vulnerabilities in Android already exists? How widespread are they? They sure do and they are on millions of devices that will never see an update again. There is one particularly bad exploit that would allow full control over your device. This issue affects all devices with version 4.2.1 and lower. Currently, that means about 64% of Android users are susceptible to this one venerability.
Google needs to fix Android updating in a real way, but it doesn’t seem like they are able to solve this issue. Microsoft learned this the hard way 10 years ago and every other tech company seemed to follow suit. Android is fundamentally flawed in the way it is built and developed so that there is no way to effectively keep it updated for the general user base.
So, I am looking to you, my tech-minded friends. Let people know the time-bombs they hold in their hands. Too many that should know better are encouraging friends and family to buy products that are not safe. The way people rely on their phones and the amount of private information they hold today should have everyone aware of the security of their most intimate device, their phone. And if they aren’t, as their technically inclined friend, don’t you have some responsibility to help them understand?
Remember, what comes to their device may not be a Blaster-like meltdown. It doesn’t have to be that obtuse. Lots of malware is lurking out there, looking for the many unpatched exploits in your friends’ Android devices to steal their data, to steal their privacy, and to annoy them. This is one of the major issues with Android phones right now that makes it impossible for me to recommend. It’s an issue that doesn’t exist in any other modern-day operating system and it is inexcusable for users to have to deal with these dangers.
Tell your friends.