[SECURITY] Should Carriers Recall Phones with Serious Security Vulnerabilities?

  • YES: Carriers must secure all of their devices.
  • NO: Users should upgrade their outdated devices.

downtimeguy

Member
Jul 12, 2015
On July 21st, Zimperium Mobile Security group dropped word of the most pervasive and threatening Android vulnerability discovered to date: Stagefright. With the ability to remotely execute commands on an Android phone just by sending an MMS media message to an unprotected phone number, Stagefright is a rare exploit offering the entire keys to a user's castle. The fallout over the past few weeks has been swift, with Google moving rapidly to patch the underlying Android system vulnerability and push updates to manufacturers. Problem solved.

Except for the multi-millions of Android owners still using older phones which are no longer supported with regular system updates from their carrier. Currently, there is no plan from major cellphone manufacturers nor the telecom carriers to protect Android owners who still operate older model phones. This protection gap also extends into no-contract cellphone resellers who cannot pass through regular system updates. As such, there are currently a substantial number of Android owners who are not protected from Stagefright and the potential for having personal data monitored and stolen.

Given the severe implications of identity theft, financial loss, or personal embarrassment and endangerment due to the exposure of private information, have we arrived at a point when digital data security must be considered a matter of consumer safety? It is well established that car manufacturers must recall certain models due to defective parts or systems which endangered lives. Therefore, should phone carriers then also be expected to issue phone recalls when a serious security exploit is identified?

There are some past examples of phone carriers issuing recalls for defective batteries or total system faults that render phones inoperable, but no significant instance of a recall for a security-related vulnerability. At best, carriers could take the initiative to implement low-cost phone exchange programs with no additional service obligation for users with outdated phones. Meanwhile, phones with current Android versions can largely be patched through ongoing updates. At worst, carriers can continue to place the greater burden of data security onto individuals and abuse emerging security vulnerabilities as a marketing device to drive more purchases of their newer devices. Regardless of how much or little of the cost carriers will assume, the stakes for personal data security will only continue to grow.