Should I download software updates while abroad?
Henrick Wibell Hellström 2021-07-30 01:37:45 Registered user
Generally, keeping everything updated - from the OS of your devices, to the AV software and apps you use - is the single most important thing you can do, if you want to retain some basic semblance of IT security. And for the most part this is a securely implemented process: Updates can be signed to prove their authenticity and integrity, and point-to-point security can ensure that you download it from a legitimate source. If your device was secure when you acquired it, aggregated updates that are provided through an update process that is properly implemented, configured and used, will constitute an unbroken chain. And in such case, and in this sense, updating your device is essential for your security.
But there are exceptions. Firstly, a trivial observation is that security updates are meant to fix existing security issues. That is, security issues with the existing software on the device. Ultimately, this implies that the update process cannot really be guaranteed to be completely secure, as assumed in the above, idealized depiction of the process. There are flaws with the preexisting software, and those flaws will be known by some, at the time of the update. If you are familiar with the concept of Zero Day Exploits, you will recognize that this observation is not without consequence.
Secondly, the cryptographic methods that ensure the integrity and authenticity of pending updates are not completely cost-free. Sometimes there will be a noticeable trade-off between security and performance, and only the latter has an immediate impact on user experience. It is not unheard of that update verification, in some circumstances, is turned off, just to reduce the performance impact of the update process. Update verification might not even be implemented.
Thirdly, would you spend time and resources on spamming people with phishing email, if you were able to hijack the update process of the mobile devices of your targets? Of course not. Let's say you know that the president of a major power uses an off-the-shelf mobile phone; that this particular brand has an update process that can be compromised by anyone who controls the network, say features such as IP mapping or DNS; that you work for the intelligence agency of a foreign country; and that the aforementioned president is about to visit your country - would you pass on the opportunity to covertly take control over central Internet infrastructure in your country and trick the aforementioned mobile phone into downloading an update that makes it turn on the microphone and camera and stream the recording to your server? Of course not.
You might or might not worry about any of this. But if you are reading this, chances are you live in a country where it is harder for the government to legally spy on its own citizens, compared to foreigners. Only download updates while connected to your private network. (This is not a foolproof solution, e.g. in case you are a criminal under investigation by law enforcement. But for everyone else: If you can't even trust your own network, you are probably screwed anyway.)
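Added example, not part of the original post: a minimal updater that checks an RSASSA-PKCS1-v1_5 / SHA-256 signature against a pinned vendor key, showing that a payload swapped by whoever controls the network is rejected unless verification is switched off. The key (built from two publicly known Mersenne primes, so trivially factorable), the payloads and all function names are constructed for illustration and describe no real vendor's updater.

```python
import hashlib
import hmac

# Constructed demo key: both primes are publicly known Mersenne primes, so this
# key is trivially factorable and only keeps the example self-contained.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                 # public key pinned in the device
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the vendor only
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(payload: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(payload), padded to K bytes."""
    t = SHA256_PREFIX + hashlib.sha256(payload).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(payload: bytes) -> bytes:
    """Vendor side: sign the update with the private exponent."""
    return pow(int.from_bytes(_encode(payload), "big"), D, N).to_bytes(K, "big")

def verify(payload: bytes, signature: bytes) -> bool:
    """Device side: rebuild the expected encoding and compare all of it."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, _encode(payload))

def install_update(payload: bytes, signature: bytes, verify_signatures: bool = True) -> str:
    """Fail closed: an update that does not verify is never installed."""
    if verify_signatures and not verify(payload, signature):
        return "rejected"
    return "installed"

# Constructed sample data: the genuine update, and what a hostile network
# serves in its place while replaying the vendor's original signature.
GENUINE = b"firmware 2.1: security fixes"
TAMPERED = b"firmware 2.1: security fixes + implant"

if __name__ == "__main__":
    sig = vendor_sign(GENUINE)
    print("genuine, verified:    ", install_update(GENUINE, sig))
    print("tampered, verified:   ", install_update(TAMPERED, sig))
    print("tampered, check off:  ", install_update(TAMPERED, sig, verify_signatures=False))
```

The check depends only on the pinned key, not on which network delivered the bytes; the last call is the case the post warns about, where verification has been disabled.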