Feeds

Feds urged to probe four US cell big boys over Android holes

Security threat means 'unfair and deceptive business practices'

High performance access to file storage

Updated The four biggest US cell networks could face a government probe, following allegations that security updates for Android smartphones have been held back, leaving millions of Americans vulnerable to hackers.

The American Civil Liberties Union (ACLU) has formally asked the Federal Trade Commission (FTC) to conduct an investigation and act on what it calls "deceptive and unfair business practices" by the carriers. The ACLU singled out AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA, which together own 94 per cent of the US wireless market and have 300 million subscribers.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers," the ACLU stated.

The pressure group added that the telcos have failed to warn customers that their cell phones were vulnerable to hacking, and that other mobiles are available that receive regular and prompt updates – a fact that might persuade customers to switch providers. The unpatched security bugs, left lying around in old versions of Android, can be exploited to take control of the device or snoop on the user.

The ACLU filed an official request for investigation and a complaint for injunctive relief to the FTC this week in Washington DC. The group wants telcos to warn subscribers that their phones are running on out-of-date and insecure versions of Google's Android. They also want carriers to give worried customers the option to ditch their vulnerable handsets by breaking their contracts early.

The paperwork was written by Chris Soghoian – the ACLU's principal technologist and a senior policy analyst within the group's speech, privacy and technology project – and Ben Wizner, the director of the project. You can read the document here (PDF).

Android runs on 68 per cent of the world's smartphones, according to IDC research, but Google admits that fewer than half of those 'droid handsets use the latest version of its mobile operating system. Just two per cent of Android phones use the most up-to-date release of Android, 4.2.x, compared to 44 per cent running Android 2.3.

The ACLU pointed out that the slow rate of adoption of Android 4.2.x is not the fault of users, but of the carriers which are not pushing out software updates for customers' phones.

Unless the smartmobe comes direct from Google, as does the Nexus, the copy of Android it's running can only be updated over the carrier's own network. But, says the ACLU, the carriers are not updating Android. With neither Google nor the carriers acting, 'millions of smartphone users are left in the dark.

The Google Play Store, however, can deliver over-the-air updates to Android-powered gear. Mozilla, Google, and Opera have released updates to the Firefox, Chrome, and Opera browsers via the online software shop.

"To date," the ACLU stated, "the major wireless carriers have failed to warn their customers about known vulnerabilities in the default Android browser, nor informed them about the availability of other web browsers for Android, including Chrome, Firefox and Opera which receive regular security updates."

Responding to the ACLU's allegations, Verizon Wireless told The Register that it "thoroughly" tested every update before delivering it to customers. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience," a spokesman said.

A Sprint Nextel spokesperson told us that the telco "follows industry standard best practices" to protect its customers. A spokesperson for T-Mobile said the company takes security "very seriously, and regularly provides security updates to our customers, including those using the Android operating system."

AT&T gave us a statement attributed to CTIA cybersecurity and technology vice president John Marinho issued on behalf of the whole industry claiming that US wireless networks "are among the most secure in the world."

"CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible," Marinho said.®

This article has been updated with additional comment from AT&T and T-Mobile.

SANS - Survey on application security programs

More from The Register

next story
A black box for your SUITCASE: Now your lost luggage can phone home – quite literally
Breakfast in London, lunch in NYC, and your clothes in Peru
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.