Slashdot Mirror


ACLU Asks FTC To Force Carriers To 'Patch Or Replace' Android Devices

chicksdaddy writes "The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the federal government to take action to stem an epidemic of unpatched and insecure Android mobile devices – declaring the sea of unpatched and vulnerable phones and tablets 'defective and unreasonably dangerous.' The civil liberties group's complaint for injunctive relief with the FTC (PDF) notes that 'major wireless carriers have sold millions of Android smartphones to consumers' but that 'the vast majority of these devices rarely receive software security updates.' The ACLU says carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties. 'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners,' the ACLU said. Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company, with just over 25% of Android users running versions 4.1 or 4.2 – the latest versions of the OS, dubbed 'Jelly Bean,' more than six months after its release. In contrast, 40% of Android users are still running the 'Gingerbread' release – versions 2.3.3 through 2.3.7, a two-year-old version of the operating system that has known security vulnerabilities."

13 of 318 comments

  1. Not Owning Your Hardware... by Anonymous Coward · · Score: 5, Informative

    I think this shows one of the greatest flaws in the not owning your hardware debate. What happens when the company that owns it simply gives up on support??? You're left holding the bag but can't change its content.

    1. Re:Not Owning Your Hardware... by hairyfeet · · Score: 4, Insightful

      Actually I'd say it's more about how the corps are trying to treat durable goods as disposable goods. I mean some of these phones are anything but cheap yet by the way these OEMs just abandon the things you'd think they cost the same as those cheapo flash sticks you see at checkout lines. If the rumors of Windows Blue are true even MSFT will be getting in on the act, with a new version of Windows being put out every year. If this happens you'll see $1500 laptops treated like $50 tablets because "Your laptop only has drivers for Windows 10 and we are now on Windows 12, go buy a new one".

      So what I think needs to be done is minimum support times need to be written in stone, say a minimum of 5 years of updates from time of sale and any company that refuses to honor the support time should be forced to open up the device and hand over the driver code so another OS can be loaded that is patched.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Re:But We Are Open - We are Google - We are Good by ddtmm · · Score: 5, Informative

    I think you missed the point. Google has published the patches but the carriers have not distributed them.

  3. Re:But We Are Open - We are Google - We are Good by Dancindan84 · · Score: 5, Informative

    'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers'

    Highlighted the important part from TFS. Google's released patches. Carriers are refusing to give them to their customers. There's nothing Google can do about that. Hence why the ACLU is lobbying the FTC to force the carriers into action.

    --
    "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
  4. Bloatware by yesterdaystomorrow · · Score: 4, Insightful

    Much of the trouble is that the carriers load the phones with worthless bloatware, and block the user's ability to remove it. There's then not enough free space to install updates.

  5. Re:No law is needed by najay · · Score: 5, Interesting

    I own a Motorola Atrix 4G. It is an excellent smartphone platform. It has been abandoned
    by Motorola even though the phone can easily run ICS and Jellybean. We Atrix 4G users
    may never see an official update, on a phone they originally PROMISED to update.

    Sad thing is Motorola Mobility is now owned by Google. Go Figure.

  6. About time! by onyxruby · · Score: 4, Insightful

    About bloody time that someone does this. It is absolutely indefensible that the carriers have refused to release patches for known security holes for extended periods of time if they release them at all. This blatantly leaves their customers vulnerable and their customers have no way of circumventing this short of rooting their phones.

    I read the article before it appeared on Slashdot and many of these phones will literally never receive any patches from the carrier. These phones are effectively being sold as known defective devices and I hope someone initiates a class action lawsuit on the matter as I can't think of any other way to fix this issue. Patch Management really should not be an afterthought and it affects every device, every operating system and unfortunately there are still legions of idiots out there who equate Patch Management with Microsoft Windows Patch Tuesday.

    That it would require a lawsuit in order to patch your phone and secure it against a known vulnerability says much about the state of the American cell phone industry. This country desperately needs to adopt the standards used by the rest of the world and it's a point of shame that we have the industry we do. Most Americans don't know how bad things are here because they never go abroad, and once they do it's like walking into a candy store for the first time with "you can do that?", again and again.

  7. Re:Not surprised ... by h4rr4r · · Score: 4, Insightful

    Why did you buy a carrier phone?
    Why not get a device that might actually get updates?

    You voted for this system with your purchase, you are part of why it exists.

  8. Re:And in other news ... by Lunix+Nutcase · · Score: 4, Insightful

    No, the difference is that no one is blocking anyone from getting the XP updates that Microsoft releases. This isn't about Google no longer supplying updates to old Android versions, it's about carriers blocking users from getting updates.

  9. Re:android lol by greentshirt · · Score: 4, Funny

    Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.

  10. Re:sounds like the market has spoken by Coren22 · · Score: 4, Insightful

    From TFS:

    'A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google'

    They did release patches, the carriers are blocking them, therefore, ACLU is suing to get the carriers to stop being jerks.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  11. Re:Can't release source? Keep providing updates by hairyfeet · · Score: 4, Interesting

    I would say 5 years for any device that costs $500 or less, 7 years for any device that costs between $500-$800, and 10 years for any device that costs $1000 and above.

    They should also be forced to put the driver code in escrow which must be provided by the hardware manufacturer so if they refuse to update and patch that code can be handed out so a different OS can support it. That way if a company wants to keep it proprietary? Fine, then YOU have to provide patches and updates. Don't want to do that? Then you hand out the code so somebody else can. Sounds pretty straightforward to me.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  12. Re:android lol by sessamoid · · Score: 5, Funny

    Very true. My old communications device was the most secure and I've yet to find something that rivals it. It was impossible to spoof, clone, or manipulate and all my data was secure. Sure it was hard to make long-distance calls, because finding large spools of string is difficult, but the fidelity of those tin cans was soooo pure. Plus, they never got any malware, not even once.

    Unfortunately, you're very vulnerable to a can-in-the-middle attack.

    --
    "No, no, no. Don't tug on that. You never know what it might be attached to."