ACLU Seeks Carrier Smackdown Over Android Updates

Facebook Home Invasion

Are mobile phone carriers putting subscribers at risk by failing to update their Android mobile devices in a timely manner?

That question is at the heart of a complaint filed Tuesday by the American Civil Liberties Union (ACLU) with the Federal Trade Commission, requesting that the agency investigate the country's four major wireless carriers.

The ACLU also seeks a "request for relief" for consumers, and proposed allowing any consumer using a carrier-supplied mobile device running Android that doesn't receive regular security updates to return the device in favor of one "from Apple, Google, Microsoft or another mobile operating system vendor" that issues regular updates directly to device users. Alternatively, said the ACLU, consumers using devices that aren't regularly updated should be allowed to return their device, within two years, for a full refund.

[ Are flyers safe? Read FAA Dismisses Android App Airplane Takeover. ]

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners," said the complaint, coauthored by the ACLU's Speech, Privacy & Technology Project principal technologist and senior policy analyst Christopher Soghoian and director Ben Wizner.

Failure to update modern smartphones in a timely manner puts millions of consumers at risk of having their personal data stolen or communications intercepted. "Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous," wrote Soghoian and Wizner.

To date, however, there's been little consumers can do about it. "In spite of the fact that their devices are vulnerable ... consumers remain locked into their wireless service contracts, which are enforced by prorated early termination fees," they said. By forcing consumers to choose between being penalized for breaking a contract, versus using a smartphone that's reasonable secure, carriers are perpetrating an "unfair business practice," they said.

The four carriers named in the ACLU's complaint are AT&T, Sprint Nextel, T-Mobile USA and Verizon Wireless.

Asked via email to respond to the ACLU's allegations and to provide a list of all Android devices they currently sell -- as well as a timeline of all operating system and security updates released for those devices -- Sprint responded with the following statement: "Sprint follows industry-standard best practices designed to protect its customers."

T-Mobile USA spokesman Glenn Zaccara said via email that "T-Mobile takes security very seriously, and regularly provides security updates to our customers, including those using the Android operating system."

AT&T and Verizon Wireless did not immediately respond to the same emailed request. But Verizon told Ars Technica that it works to provide "mandatory updates" for consumers. "We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," said Verizon. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience."

This isn't the first time that criticism has been leveled at some Android smartphone manufacturers and carriers for their failure to update some devices in a timely manner, if ever. For example, Harry Sverdlove, CTO of Bit9, released a report in November 2011 assessing the security of the top 20 Android smartphones then on the market, and found that on average, carriers treated a device as being "end of lifed" -- meaning it no longer received support or updates -- after just one year, despite the majority of consumers having signed two-year contracts.

Sverdlove also found that some carriers and manufacturers took months after Google released an Android operating system update to distribute it to their subscribers. For example, Samsung took 316 days to patch its Galaxy Mini, while Motorola's fastest update was 141 days, for the Droid X.

Sverdlove's research was complicated by manufacturers occasionally releasing updates and then withdrawing them without warning due to instability issues. In other cases, carriers and manufacturers would make updates available to users, but require them to jump through hoops to install the software fix; for example, by having to manually root their phone first.

"As a security professional, it's the most chaotic thing I've ever seen," said Sverdlove at the time.

Updates for Android devices can be slowed by manufacturers and carriers adding their own overlays -- aka skins or enhancements -- and tools to the core Android operating system. In some cases, these additions amount to little more than bloatware, and in worst-case scenarios can introduce new security vulnerabilities.

In the wake of a zero-day vulnerability being exploited by multiple active attacks, IT teams wait for Oracle to respond. Again. Here's how to keep your systems safe. Get our Insecurity With Java report today. (Free registration required.)