Feeds

Feds urged to probe four US cell big boys over Android holes

Security threat means 'unfair and deceptive business practices'

Best practices for enterprise data

Updated The four biggest US cell networks could face a government probe, following allegations that security updates for Android smartphones have been held back, leaving millions of Americans vulnerable to hackers.

The American Civil Liberties Union (ACLU) has formally asked the Federal Trade Commission (FTC) to conduct an investigation and act on what it calls "deceptive and unfair business practices" by the carriers. The ACLU singled out AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA, which together own 94 per cent of the US wireless market and have 300 million subscribers.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers," the ACLU stated.

The pressure group added that the telcos have failed to warn customers that their cell phones were vulnerable to hacking, and that other mobiles are available that receive regular and prompt updates – a fact that might persuade customers to switch providers. The unpatched security bugs, left lying around in old versions of Android, can be exploited to take control of the device or snoop on the user.

The ACLU filed an official request for investigation and a complaint for injunctive relief to the FTC this week in Washington DC. The group wants telcos to warn subscribers that their phones are running on out-of-date and insecure versions of Google's Android. They also want carriers to give worried customers the option to ditch their vulnerable handsets by breaking their contracts early.

The paperwork was written by Chris Soghoian – the ACLU's principal technologist and a senior policy analyst within the group's speech, privacy and technology project – and Ben Wizner, the director of the project. You can read the document here (PDF).

Android runs on 68 per cent of the world's smartphones, according to IDC research, but Google admits that fewer than half of those 'droid handsets use the latest version of its mobile operating system. Just two per cent of Android phones use the most up-to-date release of Android, 4.2.x, compared to 44 per cent running Android 2.3.

The ACLU pointed out that the slow rate of adoption of Android 4.2.x is not the fault of users, but of the carriers which are not pushing out software updates for customers' phones.

Unless the smartmobe comes direct from Google, as does the Nexus, the copy of Android it's running can only be updated over the carrier's own network. But, says the ACLU, the carriers are not updating Android. With neither Google nor the carriers acting, 'millions of smartphone users are left in the dark.

The Google Play Store, however, can deliver over-the-air updates to Android-powered gear. Mozilla, Google, and Opera have released updates to the Firefox, Chrome, and Opera browsers via the online software shop.

"To date," the ACLU stated, "the major wireless carriers have failed to warn their customers about known vulnerabilities in the default Android browser, nor informed them about the availability of other web browsers for Android, including Chrome, Firefox and Opera which receive regular security updates."

Responding to the ACLU's allegations, Verizon Wireless told The Register that it "thoroughly" tested every update before delivering it to customers. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience," a spokesman said.

A Sprint Nextel spokesperson told us that the telco "follows industry standard best practices" to protect its customers. A spokesperson for T-Mobile said the company takes security "very seriously, and regularly provides security updates to our customers, including those using the Android operating system."

AT&T gave us a statement attributed to CTIA cybersecurity and technology vice president John Marinho issued on behalf of the whole industry claiming that US wireless networks "are among the most secure in the world."

"CTIA and its members are constantly investing in their networks to guard against cyberattacks. We will continue to work with all interested parties so that U.S. wireless users are able to have the best experience possible," Marinho said.®

This article has been updated with additional comment from AT&T and T-Mobile.

Recommendations for simplifying OS migration

More from The Register

next story
Trying to sell your house? It'd better have KILLER mobile coverage
More NB than transport links to next-gen buyers - study
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Scotland's BIG question: Will independence cost me my broadband?
They can take our lives, but they'll never take our SPECTRUM
NBN Co adds apartments to FTTP rollout
Commercial trial locations to go live in September
Samsung Z Tizen OS mobe is post-phoned – this time for good?
Russian launch for Sammy's non-droid knocked back
Speak your brains on SIGNAL-FREE mobile comms
Readers chat to the pair who flog the tech
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?