Feeds

Feds urged to probe four US cell big boys over Android holes

Security threat means 'unfair and deceptive business practices'

Intelligent flash storage arrays

Updated The four biggest US cell networks could face a government probe, following allegations that security updates for Android smartphones have been held back, leaving millions of Americans vulnerable to hackers.

The American Civil Liberties Union (ACLU) has formally asked the Federal Trade Commission (FTC) to conduct an investigation and act on what it calls "deceptive and unfair business practices" by the carriers. The ACLU singled out AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA, which together own 94 per cent of the US wireless market and have 300 million subscribers.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers," the ACLU stated.

The pressure group added that the telcos have failed to warn customers that their cell phones were vulnerable to hacking, and that other mobiles are available that receive regular and prompt updates – a fact that might persuade customers to switch providers. The unpatched security bugs, left lying around in old versions of Android, can be exploited to take control of the device or snoop on the user.

The ACLU filed an official request for investigation and a complaint for injunctive relief to the FTC this week in Washington DC. The group wants telcos to warn subscribers that their phones are running on out-of-date and insecure versions of Google's Android. They also want carriers to give worried customers the option to ditch their vulnerable handsets by breaking their contracts early.

The paperwork was written by Chris Soghoian – the ACLU's principal technologist and a senior policy analyst within the group's speech, privacy and technology project – and Ben Wizner, the director of the project. You can read the document here (PDF).

Android runs on 68 per cent of the world's smartphones, according to IDC research, but Google admits that fewer than half of those 'droid handsets use the latest version of its mobile operating system. Just two per cent of Android phones use the most up-to-date release of Android, 4.2.x, compared to 44 per cent running Android 2.3.

The ACLU pointed out that the slow rate of adoption of Android 4.2.x is not the fault of users, but of the carriers which are not pushing out software updates for customers' phones.

Unless the smartmobe comes direct from Google, as does the Nexus, the copy of Android it's running can only be updated over the carrier's own network. But, says the ACLU, the carriers are not updating Android. With neither Google nor the carriers acting, 'millions of smartphone users are left in the dark.

The Google Play Store, however, can deliver over-the-air updates to Android-powered gear. Mozilla, Google, and Opera have released updates to the Firefox, Chrome, and Opera browsers via the online software shop.

"To date," the ACLU stated, "the major wireless carriers have failed to warn their customers about known vulnerabilities in the default Android browser, nor informed them about the availability of other web browsers for Android, including Chrome, Firefox and Opera which receive regular security updates."

Responding to the ACLU's allegations, Verizon Wireless told The Register that it "thoroughly" tested every update before delivering it to customers. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience," a spokesman said.

A Sprint Nextel spokesperson told us that the telco "follows industry standard best practices" to protect its customers. A spokesperson for T-Mobile said the company takes security "very seriously, and regularly provides security updates to our customers, including those using the Android operating system."

AT&T gave us a statement attributed to CTIA cybersecurity and technology vice president John Marinho issued on behalf of the whole industry claiming that US wireless networks "are among the most secure in the world."

"CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible," Marinho said.®

This article has been updated with additional comment from AT&T and T-Mobile.

Security for virtualized datacentres

More from The Register

next story
TEEN RAMPAGE: Kids in iPhone 6 'Will it bend' YouTube 'prank'
iPhones bent in Norwich? As if the place wasn't weird enough
Consumers agree to give up first-born child for free Wi-Fi – survey
This Herod network's ace – but crap reception in bullrushes
Crouching tiger, FAST ASLEEP dragon: Smugglers can't shift iPhone 6s
China's grey market reports 'sluggish' sales of Apple mobe
Sea-Me-We 5 construction starts
New sub cable to go live 2016
New EU digi-commish struggles with concepts of net neutrality
Oettinger all about the infrastructure – but not big on substance
EE coughs to BROKEN data usage metrics BLUNDER that short-changes customers
Carrier apologises for 'inflated' measurements cockup
Comcast: Help, help, FCC. Netflix and pals are EXTORTIONISTS
The others guys are being mean so therefore ... monopoly all good, yeah?
Surprise: if you work from home you need the Internet
Buffer-rage sends Aussies out to experience road rage
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.