The “Stagefright” set of vulnerabilities, which affected almost a billion Android devices, got both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) interested in how manufacturers update their devices to protect consumers against malware and hacking. The ACLU had already warned them about this issue three years ago.
Stagefright, The Catalyst For The Investigations
Google insisted in the beginning that the Stagefright vulnerabilities that allowed remote code execution weren’t so serious because of various built-in Android protections, but those protections were later found to be inadequate by the company’s own engineers. Google’s anti-malware service may help mitigate the issue to a certain degree, but like any antivirus-like product, it can only protect against vulnerabilities or exploits it already knows about. Such a solution is therefore not a proper long-term fix.
Google also ended up overhauling the mediaserver library for the next version of Android (N) so that it’s split into multiple sandboxed components with less access to system resources. Additionally, it started sanitizing the code to eliminate most integer overflow bugs, which were the main cause for the Stagefright vulnerabilities.
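To illustrate the bug class the article says Google set out to sanitize, here is an added example (not Google's or the article's code) of a size computation in a hypothetical media parser: the unchecked 32-bit addition wraps silently, while the hardened variants detect the overflow and reject the chunk before any allocation is sized from it. The chunk length and header size are constructed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed scenario: a parser reads a chunk length from the media file and
 * adds a fixed header size before allocating a buffer. With 32-bit arithmetic
 * the addition can wrap, so the buffer ends up far smaller than the data that
 * is later copied into it. HEADER_SIZE and the lengths below are hypothetical. */
#define HEADER_SIZE 16u

/* Pre-fix pattern: unchecked 32-bit addition wraps around modulo 2^32. */
uint32_t unchecked_alloc_size(uint32_t chunk_len) {
    return chunk_len + HEADER_SIZE;
}

/* Hardened pattern using the compiler's overflow-checking builtin (GCC/Clang).
 * Returns the allocation size, or -1 if the sum would not fit in 32 bits. */
int64_t checked_alloc_size(uint32_t chunk_len) {
    uint32_t total;
    if (__builtin_add_overflow(chunk_len, HEADER_SIZE, &total))
        return -1;                      /* reject the chunk instead of allocating */
    return (int64_t)total;
}

/* Portable variant: test the bound before adding, no builtin required. */
int64_t checked_alloc_size_portable(uint32_t chunk_len) {
    if (chunk_len > UINT32_MAX - HEADER_SIZE)
        return -1;
    return (int64_t)(chunk_len + HEADER_SIZE);
}

int main(void) {
    uint32_t hostile_len = UINT32_MAX - 4;   /* constructed: sum wraps to 11 */
    printf("unchecked size: %u\n", unchecked_alloc_size(hostile_len));
    printf("checked size:   %lld\n", (long long)checked_alloc_size(hostile_len));
    printf("benign 1024:    %lld\n", (long long)checked_alloc_size(1024));
    return 0;
}
```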
Regardless of these changes, the FCC and FTC have started parallel investigations into the device update problem, which were perhaps long overdue. The FCC sent a letter to the carriers asking about the update process, while the FTC asked eight companies, including Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung, to provide the following information about their update processes:
- The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device
- Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013
- The vulnerabilities that have affected those devices
- And whether and when the company patched such vulnerabilities.
The FCC also had this to say about the whole update problem, which affects especially the Android ecosystem:
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use. There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including 'Stagefright' in the Android operating system, which may affect almost 1 billion Android devices globally. Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched,” said the FCC in its official announcement.
The FCC and the FTC seem to have finally realized that Android's update problem is a big issue for consumers, but only after the arrival of a security vulnerability that impacted one billion devices, a vulnerability that will remain unfixed for most Android users. This might have been prevented if the FTC had listened to the ACLU's complaint about Android updates three years ago.
"In a 16-page complaint filed with the FTC, we argue that the major wireless carriers have engaged in 'unfair and deceptive business practices' by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies," said Chris Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU, in a post in 2013.
The ACLU also argued that if the carriers aren't going to provide updates, they should at a minimum be forced to refund consumers and allow them to terminate their contracts with no penalty so they can switch to a provider who will offer those updates.
How We Got Here And How To Fix It
Most devices tend to get updates for only a short period of time after they are sold, and those updates become even rarer as you move down the price ranges.
The problem is that cheaper devices also tend to be used by a larger proportion of the population, which means most people will have devices that are insecure almost from the day they buy them until the end of their lifetime.
The lifetime of the device is also not necessarily the lifetime of a carrier contract, because people either use their devices longer than that or give them to others, which could easily double a typical contract period. However, even updating for the entire lifetime of a contract or the device’s warranty would be a good start for the majority of devices out there.
Samsung was sued earlier this year by the consumer protection watchdog in the Netherlands because 82 percent of its devices weren’t receiving any updates in their second year of life, even though all devices have a mandatory warranty of at least two years in the EU. The lawsuit intends to force Samsung, as well as other device manufacturers, to update their products for at least the warranty period, if not longer.
With the arrival of the Internet of Things, which most experts consider a security nightmare, these sorts of policies or regulations are only going to become more necessary. Companies shouldn’t sell devices that they can’t patch against malware and hacking for the majority of the time consumers actually use them.
This could also give manufacturers an incentive to adopt stronger security by design in their devices and software, as that would mean a smaller support cost over the long run. However, until clear standards are in place for how updates should be delivered, it’s likely that no manufacturer (or few of them) will begin to support all of their devices for much longer while their competitors can cut corners by selling cheaper but less safe devices.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.