Security & Privacy

Caution! These Black Friday “deals” may be bad for your security

Posted on November 22nd, 2017 by

Black Friday Deals Security

Each year, retailers announce door-busting deals on items they think will attract customers into stores the day after the U.S. Thanksgiving holiday, which marks the theoretical start of the holiday shopping season.

Online retailers are no stranger to this popular shopping day, known as “Black Friday,” along with its neighbor Cyber Monday. Electronic gadgets are often one of the most popular items for sale.

As I began to casually browse for early Black Friday deals this year, I noticed something disturbing.

At one particular retailer, one of the “deals” was a heavily discounted iPhone 5c. And as I kept browsing, I saw more “deals” for other iPhones and iPads of a similar vintage.

What could possibly be disturbing about an iPhone 5c, you might ask? (Besides the horror of buying a phone that’s already four years old.)

What I found so disturbing is that the iPhone in question is no longer receiving any operating system updates or security patches from Apple. Anyone who buys an iPhone 5c, even if it’s “brand new” and unopened, will forever be stuck with iOS 10.3.3, which already has 114 known security vulnerabilities that Apple will never patch—including the very serious KRACK Attack vulnerabilities.

But it’s not just the iPhone 5c to watch out for. The same retailer was also advertising iPhone 4, 4S, and 5, as well as iPad 2 and iPad (4th generation), some with the claim “warranty included” which may mislead potential buyers into assuming that the device is still being supported by Apple. Quite the contrary, none of these devices is still receiving security updates.

Warning! These “bargain” devices are unsafe to use online.

And it’s not just Apple devices about which consumers should be cautious. Many cheap Android tablets and smartphones are being sold with Android 7.0, 6.0, or older; the current version is Android 8.0 Oreo, which may not be compatible with all of the super-cheap tablets and phones being sold this season.

As an aside, consumers should also be cautious about cheap or off-brand “Internet of Things” devices such as Internet-enabled baby monitors, security cameras, and other products, which frequently have poor security and wind up becoming infected and part of a botnet (put another way, the device becomes a zombie in a collection of compromised devices that does an attacker’s bidding).

If you get nothing else out of this article, please take to heart the following advice:

Resist the urge to buy any Internet-enabled device on impulse; do your homework and make sure the product and its manufacturer have good reputations and a track record of taking security seriously, and that the device is still receiving frequent firmware or operating system updates from the manufacturer. If you’re not sure how to research this yourself, a good place to start is to check whether the manufacturer is still advertising or directly selling the device on the official company site. When in doubt, ask a knowledgeable IT person for help identifying whether or not a product is likely to be safe.

Unfortunately, the average consumer has no concept of how dangerous it is to use products that will have perpetual zero-day vulnerabilities. Using discontinued or unpatched Internet-enabled devices is a bit like driving at high speeds daily without ever having learned about seatbelt safety; it’s a dangerous prospect, and sooner or later you’re likely to get hurt. That’s why one of our goals at Intego is to help educate consumers and give them the knowledge and tools they need to stay safe online.

For additional tips on safe online shopping, see our article Cyber Monday: 5 Essential Tips to Stay Safe Shopping Online.

Please, won’t you take a moment to share this word of caution with your friends and loved ones this holiday shopping season?


About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at and follow him on Twitter. View all posts by Joshua Long →