German Electronics Store Sued for Selling Un-Patchable Android Phones

In-brief: That’ll be $99, or $150 without the vulnerabilities! A lawsuit in Germany is trying to force stores to come clean about security holes in the products they sell to consumers. 

‘That’ll be $99, or $150 without the unpatchable mobile operating system vulnerabilities!’

That line may become more common if a case against the German electronics store Media Markt is successful. The store is being sued by a consumer advocacy group for selling the public Android smart phones containing 15 security vulnerabilities that cannot be patched.

As reported by Süddeutsche Zeitung this week, a Cologne-based electronics outlet, Media Markt, faces a lawsuit from the group Verbraucherzentrale NRW (Consumer Central for Nordrhein-Westfalen) for selling Android phones with known and un-patchable security holes, without properly informing consumers of their existence or the risks they pose to security and privacy.

According to the article, the Media Markt store in Cologne sold a smart phone from the Korean firm Mobistel in August, 2016, for €99 that had 15 “unresolved security gaps” according to the German Federal Office for Information Security (BSI). At the time, the phone was running Google’s Android operating system, but in the KitKat release (Version 4.4), which was released in 2013 and is the oldest version of the operating system that is still supported. (The latest version of Android, 7.0 (aka “Nougat”), was released in August, 2016.) Consumer Center is alleging in its suit that the store had an obligation to inform consumers of this “essential piece of information” prior to their purchase of the phone, but failed to do so.

The case, which was filed against a single Media Markt outlet, is in its early stages. It follows an analysis of the Mobistel phone by the BSI that identified the vulnerabilities. Though the company was informed of them by the BSI, no changes were made and vulnerable devices continued to be sold to the public.

One of the biggest challenges facing security and privacy advocates is how to compel device makers – especially low-cost device makers – to make security a priority. Mobile phones that use the Android operating system are frequently left unsupported by handset makers or by the stores and (in the U.S.) telecommunications firms that resell those phones. A study, “Security Metrics for the Android Ecosystem,” by Alastair Beresford at the University of Cambridge found that there was “significant variability in the timely delivery of security updates across different device manufacturers and network operators” in getting software updates out to Android users. The result: an average of 88% of Android devices are “exposed to at least one of 11 known critical vulnerabilities,” Beresford found.

That is becoming an issue as Android malware and other threats are becoming more prevalent.

There is evidence that Google is pivoting from its open source, “let a thousand flowers bloom” approach to Android – at least insofar as Internet of Things devices are concerned. But, more broadly, there is no way to force makers of low-cost devices to support those devices in the field long after they are deployed, and consumer protections that are focused on device safety and performance have generally not expanded to include information about cyber security vulnerabilities in products. Recent incidents like the Mirai botnet have highlighted the larger problem of unpatched or insecure devices like IP-enabled cameras and digital video recorders (DVRs), which are then prey for cyber criminals and other malicious actors.

In the U.S. there are a number of efforts underway to better inform consumers about cyber security risks and quality. In March, for example, Consumer Reports, the U.S.-based consumer product rating firm, released what it is calling a draft privacy and security standard for connected devices that will encourage device makers to produce secure products and to act ethically.

The Digital Standard, as Consumer Reports has dubbed it, is a response to numerous hacks of vehicles and IP-enabled home surveillance cameras. It calls on manufacturers to conduct security tests of their products, ensure the privacy and security of customer data, allow product owners to repair and tinker with their products, and act ethically. The guidelines are just the latest in a string of similar announcements from both private and public sector organizations. Similarly, Peiter Zatko (aka “Mudge”) and his wife launched the Cyber Independent Testing Lab in August of last year to rate and compare the security of various applications such as web browsers, applications, and antivirus products based on how hardened they are against attack.

The European Commission (EC) is reportedly considering legislation to protect machines from cybersecurity breaches. Among the steps they’re considering: labels for Internet-connected devices that tell consumers they are “approved and secure.”
