ACLU Files Complaint With FTC Against Mobile Carriers Over Android Security Updates
The American Civil Liberties Union (ACLU) has filed an FTC complaint against AT&T, Sprint, T-Mobile, and Verizon Wireless, charging them deceptive and unfair business practices, because they leave customers exposed to harm by not updating their handset operating systems in a timely manner.
Chris Soghoian, principal technologist and senior policy analyst with the ACLU filed the complaint this week, and explained his reasoning in a blog post on the organization’s website.
At issue is the overall state of security of Android devices, which as mentioned in Symantec’s latest Internet Threat Report (citing research from Gartner), dominates the market with a majority (75%) share. Moreover, Symantec discovered that information stealing malware was the top threat targeting the Android platform, and the number of unique examples of such malicious applications grows daily.
“…[Yet] the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path. The problem isn’t that consumers aren’t installing updates, but rather, that updates simply aren’t available,” Soghoian wrote.
While Google regularly updates the Android platform, the telecoms regularly use modified versions of the “stock” operating system. These modifications are used to support the manufacturer’s hardware and other interface features, and as such they are “unique operating systems” that only the carrier’s can update. Yet research has shown that none of the telecoms listed offer regular updates. In fact, the complaint explains, the four carriers sell orphaned devices that have never received any feature or security updates since they were launched.
“The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch,” the complaint says.
Given this, plus the fact that the FTC itself has noted that software vulnerabilities need to be mitigated as they can lead to data loss, the complaint asks for three types of relief.
First, carriers should be compelled to warn all subscribers using carrier-supplied Android devices with known (and unpatched) vulnerabilities about them, and how to mitigate them. Customers with carrier-supplied devices should be allowed to end their contracts early if they do not receive regular security patches; and for those with carrier-supplied devices that are less than two-years old and haven’t had an update – the customer can exchange the device for a new model with a newer version of Android, or simply receive a full refund on the purchase price.
It’s unclear if anything will come out of this complaint, however the awareness has been raised – so that’s a start. Earlier this year Soghoian spoke about this issue at the Kaspersky Labs’ Security Analyst Summit, where he summed the issue up succinctly:
“You don’t need a zero-day exploit to attack most Android devices if consumers are running 13-month old software…”
Podcast: Chris Soghoian Talks Encryption, Exploit Sales and Telco Indifference on Security