ACLU Files FTC Complaint Against Mobile Carriers

ACLU Files Complaint With FTC Against Mobile Carriers Over Android Security Updates

The American Civil Liberties Union (ACLU) has filed an FTC complaint against AT&T, Sprint, T-Mobile, and Verizon Wireless, charging them with deceptive and unfair business practices because they leave customers exposed to harm by not updating their handset operating systems in a timely manner.

Chris Soghoian, principal technologist and senior policy analyst with the ACLU, filed the complaint this week and explained his reasoning in a blog post on the organization’s website.

At issue is the overall state of security of Android devices, which, as mentioned in Symantec’s latest Internet Threat Report (citing research from Gartner), dominate the market with a majority (75%) share. Moreover, Symantec discovered that information-stealing malware was the top threat targeting the Android platform, and the number of unique examples of such malicious applications grows daily.

“…[Yet] the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available,” Soghoian wrote.

While Google regularly updates the Android platform, the telecoms regularly use modified versions of the “stock” operating system. These modifications are used to support the manufacturer’s hardware and other interface features, and as such they are “unique operating systems” that only the carriers can update. Yet research has shown that none of the telecoms listed offer regular updates. In fact, the complaint explains, the four carriers sell orphaned devices that have never received any feature or security updates since they were launched.

“The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch,” the complaint says.  

Given this, plus the fact that the FTC itself has noted that software vulnerabilities need to be mitigated as they can lead to data loss, the complaint asks for three types of relief.

First, carriers should be compelled to warn all subscribers using carrier-supplied Android devices with known (and unpatched) vulnerabilities about them, and how to mitigate them. Second, customers with carrier-supplied devices should be allowed to end their contracts early if they do not receive regular security patches. Third, customers with carrier-supplied devices that are less than two years old and haven’t had an update should be able to exchange the device for a new model with a newer version of Android, or simply receive a full refund on the purchase price.

It’s unclear if anything will come out of this complaint; however, awareness has been raised, so that’s a start. Earlier this year Soghoian spoke about this issue at the Kaspersky Labs’ Security Analyst Summit, where he summed the issue up succinctly:

“You don’t need a zero-day exploit to attack most Android devices if consumers are running 13-month old software…” 

Podcast: Chris Soghoian Talks Encryption, Exploit Sales and Telco Indifference on Security
