ACLU To FTC: Force Wireless Carriers To Secure Their Customers’ Smartphones With Available Updates
Anyone who has had their Android smartphone infected with malware will be interested in following the ACLU’s new efforts to better secure these devices.
The ACLU has filed a formal complaint with the Federal Trade Commission, asking the agency to force the four biggest mobile carriers (AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA) to begin providing Google-released security updates to their Android users.
Presently, wireless carriers decide arbitrarily whether or not they’ll provide these security updates to their customers. The ACLU warns that “there is no legitimate software upgrade path” for the Android customer, beyond having it provided by the carrier. And without these important security patches, customers risk being hacked — their phones remotely hijacked, their personal and private data stolen, their money fleeced from their online bank accounts.
The ACLU’s Principal Technologist and Senior Policy Analyst, Christopher Soghoian, wrote in the document filed with the FTC:
All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices. [...]
The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials.
The ACLU contends that these failures “constitute deceptive and unfair business practices subject to review by the FTC under section 5 of The Federal Trade Commission Act.” If the carriers refuse to provide important security updates, the ACLU states, then the “FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will.”
JUST HOW BIG IS THIS PROBLEM?
Google’s Android operating system accounts for 75% of the entire smartphone market. This overwhelming dominance has helped make it a prime target for ‘black-hat’ hackers, who exploit vulnerabilities for nefarious, often criminal, purposes. Security company Kaspersky revealed in its Security Bulletin 2012 that “99% of newly discovered mobile malicious programs target the Android platform.” The monthly discovery rate for Android malware has skyrocketed from 8 per month in January 2011 to 800 per month by year-end 2011 to a staggering 6,300 per month by year-end 2012.
And despite Android’s exploding malware epidemic, only 2% of all Android users have received the latest Google security update from their carriers. Most of them never will.
Ars Technica’s Casey Johnston investigated the roll-out of security updates by manufacturers and wireless carriers. Her article charts the time in months between Google’s release of each update and the date it was applied to each smartphone. Some phones, she discovered, “never received updates during their lifetime.” She added that “all [the] phones we looked at had Android updates available to them within a reasonable time frame relative to the handset’s release, but the carrier or manufacturer never got around to pushing one out.”
She also found that all the carriers continue to sell phones which they have already ‘orphaned’ — meaning the carrier has no intention of ever providing a security update to the phone, even if the update is vital for patching a severe vulnerability. The ACLU contends that the carriers have a duty to inform customers of the severe security risks inherent in these ‘orphaned’ phones before they purchase them.
For those in the market for a new Android smartphone, but who cannot wait for the ACLU’s efforts to pan out, there is only one Android smartphone guaranteed to receive timely security updates: Nexus. This is Google’s own Android smartphone. Google partners with others (Samsung, HTC, LG, etc.) to design and manufacture the Nexus line, but allows all Nexus owners to bypass their carriers and receive ALL their Android updates directly from Google.