Future Tense

Tech Companies, Carriers Should Be Required to Issue Updates to Fix Security Flaws

No, it’s not your imagination: You’re hearing a spate of news about security flaws in the products you use every day. Two big annual hacker conferences are coming up in Las Vegas, and many of the people giving talks there are telling the world now what they’ve uncovered.

As usual, the news is grim, if not just a little terrifying—and it’s especially bad this year if you own a mobile phone using Google’s Android operating system. The “Stagefright” vulnerability, revealed this week, suggests that a hacker could remotely take control of another person’s phone simply by sending a specially crafted multimedia message, such as a text with a video attached. In other cases the user would have to open the message. (The company that found the flaw, Zimperium, has posted instructions on how to prevent this with some newer phones.)

Naturally, the people who sell Android phones are racing to install software patches that will fix this potentially catastrophic flaw, right? Wrong. There’s a chance—a near-certainty in many cases—that you’ll never get a fix for your phone. Because the companies that sell you phones and service care much more about their bottom lines than your security. The situation has gotten so bad that it’s time to turn to government intervention, much as it pains me to say.

We need a law, with teeth. Sellers of phones and many other connected consumer devices should be required to provide timely security updates for a minimum of three years after a device goes on the market. Regulation should be done with the lightest possible touch, and it should steer clear of interfering with the technology itself. Enforcing such a law would not be simple, to put it mildly. But the current situation has to change.

The Android ecosystem is a freewheeling mess. This is good in many situations, because it spurs innovation and competition. Google, which created the operating system, made it mostly open source—free to download and modify—and gives it away to hardware manufacturers. They modify it before installing it on their phones, most of which are sold by telecommunications carriers such as Verizon, AT&T, Sprint, and T-Mobile. So when Google issues updates to Android, which it does on a regular basis, owners have to wait for the manufacturer and the carrier to a) test the update with their own modified versions of Android, and b) send over-the-air updates to users. If they ever do.

Apple’s iOS devices, of course, are part of a tightly controlled ecosystem, and while Apple is far from perfect on security, it does update iPhones. But we shouldn’t be required to turn over our computing and communications to control-freak companies in order to get necessary security updates.

Now, if you have a Google-branded phone such as a recent Nexus, you’re safer than most, because Google sells them directly and updates them. (I use a phone running an Android variant called Cyanogenmod, which is community-based and gets timely updates.)

If you’re running an older Android phone, however, I have bad news: There’s almost no chance that your device maker and/or carrier will send you an operating system update that repairs the Stagefright vulnerability. This isn’t because they couldn’t. The reality is that once they sold you the phone, anything they have to do to improve it is added cost; they would much rather have you buy a new one as soon as possible.

When businesses refuse to do what’s necessary to provide customers even minimal safety, government has to step in. This is why regulators sometimes insist that car manufacturers recall their vehicles when flaws emerge.

The tech industry has been given a pass on all of this, in part because software is always a work in progress and is always going to have flaws. But once a flaw is identified, with code ready for updates, the updates should be made available, period.

It’s not just phones where we need this. The home-router industry—companies making the devices that broadcast Wi-Fi signals throughout our homes—is notorious for its lax security practices and diffidence when it comes to fixing known flaws. Meanwhile, the Chrysler hack revealed last week should tell us that Internet-connected cars are, at this stage, an absolutely terrible idea; at least Chrysler is doing a (flawed) recall.

So far, the government has shown absolutely no interest in this issue. An ACLU security expert, Chris Soghoian, filed a complaint with the Federal Trade Commission more than two years ago, asking the consumer-protection agency to require Android updates. He got nowhere.

It’s time for the FTC and others in Washington—hello, Congress—to pay attention. The technology and communications industries have made a deliberate decision to be neglectful with their customers’ security. It doesn’t mean government should be derelict, too.