Feds urged to probe four US cell big boys over Android holes
Security threat means 'unfair and deceptive business practices'
Updated The four biggest US cell networks could face a government probe, following allegations that security updates for Android smartphones have been held back, leaving millions of Americans vulnerable to hackers.
The American Civil Liberties Union (ACLU) has formally asked the Federal Trade Commission (FTC) to conduct an investigation and act on what it calls "deceptive and unfair business practices" by the carriers. The ACLU singled out AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA, which together own 94 per cent of the US wireless market and have 300 million subscribers.
"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers," the ACLU stated.
The pressure group added that the telcos have failed to warn customers that their cell phones were vulnerable to hacking, and that other mobiles are available that receive regular and prompt updates – a fact that might persuade customers to switch providers. The unpatched security bugs, left lying around in old versions of Android, can be exploited to take control of the device or snoop on the user.
The ACLU filed an official request for investigation and a complaint for injunctive relief to the FTC this week in Washington DC. The group wants telcos to warn subscribers that their phones are running on out-of-date and insecure versions of Google's Android. They also want carriers to give worried customers the option to ditch their vulnerable handsets by breaking their contracts early.
The paperwork was written by Chris Soghoian – the ACLU's principal technologist and a senior policy analyst within the group's speech, privacy and technology project – and Ben Wizner, the director of the project. You can read the document here (PDF).
Android runs on 68 per cent of the world's smartphones, according to IDC research, but Google admits that fewer than half of those 'droid handsets use the latest version of its mobile operating system. Just two per cent of Android phones use the most up-to-date release of Android, 4.2.x, compared to 44 per cent running Android 2.3.
The ACLU pointed out that the slow rate of adoption of Android 4.2.x is not the fault of users, but of the carriers which are not pushing out software updates for customers' phones.
Unless the smartmobe comes direct from Google, as does the Nexus, the copy of Android it's running can only be updated over the carrier's own network. But, says the ACLU, the carriers are not updating Android. With neither Google nor the carriers acting, 'millions of smartphone users are left in the dark.
The Google Play Store, however, can deliver over-the-air updates to Android-powered gear. Mozilla, Google, and Opera have released updates to the Firefox, Chrome, and Opera browsers via the online software shop.
"To date," the ACLU stated, "the major wireless carriers have failed to warn their customers about known vulnerabilities in the default Android browser, nor informed them about the availability of other web browsers for Android, including Chrome, Firefox and Opera which receive regular security updates."
Responding to the ACLU's allegations, Verizon Wireless told The Register that it "thoroughly" tested every update before delivering it to customers. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience," a spokesman said.
A Sprint Nextel spokesperson told us that the telco "follows industry standard best practices" to protect its customers. A spokesperson for T-Mobile said the company takes security "very seriously, and regularly provides security updates to our customers, including those using the Android operating system."
AT&T gave us a statement attributed to CTIA cybersecurity and technology vice president John Marinho issued on behalf of the whole industry claiming that US wireless networks "are among the most secure in the world."
"CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible," Marinho said.®
This article has been updated with additional comment from AT&T and T-Mobile.
Sponsored: Global DDoS threat landscape report