An investigation by consumer watchdog Which? has found that nearly a third of all phones sold on second-hand sites are no longer supported by the vendor, leaving punters at risk of being hacked.
The publication found that 31 per cent of all phones sold via CeX no longer receive security patches. For musicMagpie and SmartFoneStore, those numbers are 20 per cent and 17 per cent respectively.
As a result of the findings, musicMagpie has withdrawn all unsupported units from sale. SmartFoneStore has pledged to warn customers about abandoned mobiles. So far, there’s no word from high-street tech buyer CeX.
It’s not uncommon for smartphone manufacturers to cease providing software updates after just a year. This is most keenly observed in the Android sphere. To Apple’s credit, it continues to support devices as old as the 2015 iPhone 6s.
More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research
Google has tried to address this problem with the Android One programme, which is described as the “gold standard” of the platform. It guarantees three years of updates and two operating system upgrades.
However, it has a significant flaw insofar as it’s entirely voluntary. Moreover, the decentralised nature of Android means that users are largely at the mercy of vendors, who are perversely incentivised to discontinue devices before their natural lifespan. The logic follows that the shorter the lifespan, the sooner the upgrade.
Unfortunately, existing consumer law doesn’t compel vendors to provide patches for a predetermined period of time, as Professor Alan Woodward, a computer science and security specialist at the University of Surrey, lamented.
Woodward told The Reg he thinks it’s necessary for governments to take regulatory action, and it’s looking more likely that they will. Recent advances in “right to repair” law give credence to this. As an alternative, there could be a market solution that sees punters fork out for additional updates beyond the predetermined lifespan of a product, similar to how Microsoft sells extended support for old versions of Windows.
Javvad Malik, security awareness advocate at KnowBe4, argued that the onus is on manufacturers and resellers to ensure punters are aware of the risks of using unsupported kit.
“Manufacturers and retailers need to be transparent with consumers as to how long software updates will be available for. This should explain in clear terms what this means to the consumer in terms of security, and in terms of usability.
“Another approach that is touted is for manufacturers to open-source old code or place code in escrow, so that when the software is no longer officially supported, or the manufacturer goes out of business, someone else can take the code and continue support.”
Regardless of the eventual approach taken, something needs to be done. Speaking to The Register, F-Secure’s Fennel Aurora, a global partner product advocate, said the problem predominantly impacts those on lower incomes.
“Most smartphones on the market are not the high-end all-inclusive models,” he said. “Rather, most people are limited to cheaper models, which in general have a shorter time to programmed obsolescence, have a much shorter software support duration and are more likely to come pre-installed with privacy-invasive applications.”
Liviu Arsene, global cybersecurity researcher at BitDefender, added that those who buy second-hand devices are arguably more motivated by cost, and may lack the technical nous to identify and understand security threats.
“It’s likely that for users who opt for purchasing refurbished devices with end-of-life versions of Android, security might not be a priority,” he said. “These could be affordable devices for less tech-savvy family members that only use basic functions, such as calling and texting, and not for power users looking for productivity features.
“However, unpatched devices are a security and privacy risk for both the owner and other family members. Since Android devices are equipped with sensors like camera, microphone, GPS, and are even used for online shopping, successful compromise could lead to much more than financial data theft, but also potential extortion and surveillance.” ®