Consumer Group Sues Samsung Over Lack of Updates for Smart Phones


In-brief: A consumer group in The Netherlands is suing smart phone giant Samsung over its lax management of the security of its devices – part of the larger fragmentation of the Android ecosystem. 

Much has been written about the slow moving train wreck that is the Android ecosystem. Here at The Security Ledger, we’ve written about it from a number of different angles. The main themes are always the same, however. Namely: that Google’s decision to open source Android without retaining any central control over software updates has spawned a vast, but fragmented population of devices with little or no active management.

From a business perspective, Google’s strategic decision to leave device management to their downstream customers (aka handset makers) has worked. From the perspective of security, it hasn’t. Rather, history has shown that handset makers and their customers (often telecommunications firms) have little incentive to push out operating system updates for populations of millions of Android devices that customers may carry only for months at a time. Instead, the purchase of a new device – what is referred to as “forklift upgrades” in the business sphere –  has become the preferred tool for getting users on the latest version of Android.  Google appears to be OK with this state of affairs, as well, claiming time and again that fragmentation isn’t an important issue.

Android "Marshmallow" (Version 6.0) is the most recent update. As of January, however, "KitKat" (Version 4.4) was the most common version of Android in use.
Android “Marshmallow” (Version 6.0) is the most recent update. As of January, however, “KitKat” (Version 4.4) was the most common version of Android in use.

In the absence of any concerted effort to change that state of affairs, Consumentenbond, a consumers group in The Netherlands is trying a new approach: taking handset maker Samsung to court to try to force the company’s hand on security updates for its phones and tablets. From the Consumentenbond web site (translated from Dutch):

Consumers are not sufficiently informed on the purchase of a Samsung Android device about how long they will receive software updates. The Consumers’ Association claims that Samsung (in) this matter does not provide clear and unambiguous information to customers. Samsung also does not provide sufficient information on critical security holes in its Android phones like Stage Fright.”

The combination of a common, but loosely managed, open source operating system can make Android vulnerabilities particularly potent. A vulnerability in a core Android component in 2013 was estimated to affect some 900 million devices.

In response to the lawsuit, Samsung issued a statement to the web site saying that security is a “top priority” for the company.

“At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. That is why we have made a number of commitments in recent months to better inform consumers about the status of security issues, and the measures we are taking to address those issues. Data security is a top priority and we work hard every day to ensure that the devices we sell and the information contained on those devices are is safeguarded.”

Read more here: Lawsuit against Samsung for defective update policy Smartphones | Consumers Association

One Comment

  1. A Regular Reader

    While I know it’s not the security researchers’ faults for the bugs existing, and that we (well, most of us who care about mobile security) all know that Android’s security model is a wreck and won’t be changed, no matter how many bugs are released because it’s how they architected things in the first place (leaving it up to vendors — I’m not even talking about the Nexus devices, which themselves take time to patch (and things do take time to patch), can we at least place some of the onus for the despicable state of Android’s hackability on the people who insist on releasing weaponized exploits for the whole world to use when there’s no way for anybody to patch things themselves (or even demand patches, or do anything about anything)?

    Android is a special case. I’ve never been a fan of ‘full disclosure’ as it’s known, but I feel as though we’re being truly irresponsible, if not criminal, as an industry when those of us who research such topics make especially *remote*, non-auth exploits (eg stagefright, mms, media exploits) available. I’m not saying ‘throw em in jail’ — I’m saying people need to be more responsible and understand that Google isn’t changing anything, it cannot and will not change anything about how it’s doing things, and making it possible for everyone and their 4 year old to hack anybody they want and run rampant over peoples’ lives is irresponsible and despicable.

    I’m not saying we shouldn’t be saying ‘there are vulnerabilities’ — clearly we need to make certain things known — and I’m actually irritated by google’s insistence of locking things down so people can’t even secure themselves without rooting phones — I’m not so much against local roots and I’m in favor of jailbreaking for those who can secure them (or have any chance of securing them) — eg geohot’s work. Especially considering it’s impossible to get out of Google and everyone else’s metadata-grabbing hell without rooting Android (or to even run a proper firewall, for pete’s sake).

    What I’m against is the release of exploits that can be done remotely and then used to pivot to install things for persistence — especially when they’re released by the ‘security community’ — when they have no chance of helping anyone secure anything and only make us all aware that the only way to have a phone is to take out the battery, wipe the baseband, never use it as a phone, and unsolder just about anything worth anything, taking us back to 1995.

    It says a lot when you’re a researcher in the mobile industry who won’t even carry around a non-smart phone (like me). IoT is terrible, but we’re also our own walking, talking IoT’s.

    So yes, it’s good that someone’s out to sue Samsung, but shouldn’t we be putting our energy, time and money into pressuring Google into TRULY opening up the base OS, getting on an opensource baseband (and pressuring vendors to take baseband out of devices/tablets/etc that aren’t even GSM/mobile capable), allowing us to root our own devices without having to ‘root’ them through a process, and instating the sort of update process that any linux/gnu operating system has. I’d also be very much in favor of instituting pax/grsec/any sort of anything that’d help us secure the kernel (but not without giving me root on my own phone, and not preventing other people from getting root from a silent SMS).

    If we REALLY want to make a difference, and we probably have no chance of doing so, we need to get Google to TRULY make Android something ACTUALLY divorced from Google, and firmly ensconced in the open source/linux-derivative community — sort of like maemo, but better. It’s not like we don’t have the people or the smarts to maintain this. xda-developers has enough VERY well-versed, VERY interested members. What we don’t have is Google’s cooperation.

    Pressuring Samsung won’t fix the real problem (not that it’s not something that shouldn’t be done; it by all means should — but due to Google, then we have to ask ‘at what point are they no longer responsible/when’s EOL for devices?’). Samsung’s especially tricky because so much of their UI stuff is proprietary (and with holes of its own). The real problem is Google — and I’m not sure it’s ENTIRELY fair to go after vendors all of the time when Google’s churning out new OS versions and sub-versions every week practically. It’s not 2008, or even 2011. We went from fairly slow update cycles to ones that’d give anyone whiplash. That’s something that ESPECIALLY needs a way to do rolling updates for the UNDERLYING OS at a minimum. Why shouldn’t vendors just have the ability to push their own stuff separately and give us peace of mind and far more security, especially at the kernel and library level?

    If it’s pure greed (make people keep buying new devices) that’d insinuate that the vendors themselves are pressuring Google not to change their release model, and while I wouldn’t discount the possibility of SOME hanky-panky, there are hundreds (or thousands?) of vendors. If there IS hanky-panky, we should know about that too, even if it’s just casual.

    But frankly I don’t care so much about the hanky-panky. I want people to give a damn. Also to stop telling 4th grade script kiddies how to destroy lives (and to stop giving everybody (gov, non-gov) the base tools necessary to spy on everyone, lock anyone’s devices, or do whatever they want. If it can’t be patched immediately, that’s not ‘helping people secure anything’ — it’s selfish, greedy and shameful, and is devoid of anything like ethics. Even giving “google” a chance to upgrade, given the way upgrades work, isn’t “time to respond” — it’s just an excuse. Have some common sense.

    These Samsung users might get what they want (and I hope they do) but ultimately until the architecture issues themselves are resolved, it’s really just false hope, and mostly just bells and whistles (and bloat).

    Apologies for the rant. I’ve been going on about this for years, but instead of improving, it just seems to be getting worse, and nobody’s fighting for the right ‘fixes’. I feel like telling everyone else in my industry to grab a copy of 2003’s “The Security Mind” and start thinking about how things are done from the outset instead of trying to grab bucks later, or grab fame, or grab clients. Not that grabbing clients or money is necessarily bad, but we can do it ethically. And I don’t even know what to call what Google’s doing. Evil?