Half of mobile phones sold in the UK at risk of security issues

Lengthy mobile phone contracts leave buyers at risk of their devices losing support for security updates

Up to half of UK consumers buying new mobile devices, whether direct from their network provider, the device manufacturer, or through a third-party retailer, could be putting themselves at risk of security issues and cyber attacks, according to an investigation by Which?.

The consumer rights organisation said the short shelf life of mobile devices, coupled with the length of service contracts, meant that roughly 48% of devices currently on the market could become obsolete or reach end-of-life and lose security support before the airtime contract period ends, leaving their owners at risk of compromise.

“Mobile phones without the latest security support could leave consumers vulnerable to hackers, so it is important that manufacturers supply these defences for longer and that retailers are clearer with people about the risks posed by phones that will not receive vital updates for the duration of contracts,” said Which? computing editor Kate Bevan.

“The government’s Product Security Bill needs to ensure that manufacturers state the date a device will be supported until – and that this information is clearly displayed on retailers’ websites. Devices need to be supported for five years minimum across all manufacturers so that consumers are better protected.”

The investigation found that, because its contracts can last up to 36 months, O2 was guilty of knowingly selling the most devices at risk of losing security support, with 73% of new O2 phones potentially unsupported at the end of a three-year contract and 21% potentially unsupported within a year.

Additionally, 53% of devices sold at Carphone Warehouse, 50% at Mobiles.co.uk, 50% at Vodafone, 40% at Three, 38% at Mobile Phones Direct and 33% at EE were at risk.

Popular handsets due to run out of support in the next 12 months include the Motorola G8 Power, available through Mobiles.co.uk and Vodafone; the Oppo Find X2 Lite, available through Mobile Phones Direct, Mobiles.co.uk, EE, O2 and Vodafone; and the Samsung Galaxy S9, available through Vodafone. Note the Galaxy S9 recently lost its Which? Best Buy badge because it is nearing the end of support.

Crucially, said Which?, all the above listed devices were still available, with no indication to buyers that they will soon be at risk. The organisation said a lack of transparency around security patches was a big part of the problem. It also found that 40% of smartphone owners thought that if they bought a phone on contract it would continue to receive updates for the lifetime of the contract, which is not necessarily the case, and 69% said they would be worried if their device did not receive updates, so there is clearly support for change.

Which? said it was unacceptable that some mobile brands were only providing two years of security support, and is now calling for a legally mandated five-year support period. It added that increasing support would not only protect consumers from cyber attacks, but would also have a positive environmental impact, with fewer devices being discarded earlier than they need to be.

Going forward, it will now remove its Best Buy recommendations from all devices with less than a year of support remaining, and is urging manufacturers, retailers and networks to be more upfront about their support policies. In the meantime, consumers can use Which?’s free support calculator to find out whether their devices are still being supported.

A spokesperson for O2, which fared worst in the rankings, said: “Manufacturers set the security patch lifespan of their devices, covering around three to four years for newer models. O2 customers can choose tariffs up to three years in length with our O2 Refresh plans, customisable between three and 36 months.

“We are proud to have led the industry here, as by splitting airtime and device costs customers have true flexibility over how they pay for their mobile phone. However, customer security is an absolute priority, so should manufacturers advise that one-off security updates are required outside of their set lifespan, we would work closely with them to ensure customers receive the updates needed.”

A Three spokesperson said: “Software updates are managed by device manufacturers and Three customers are provided with the updates for as long as the manufacturers release them.”

A Vodafone spokesperson added: “Vodafone works closely with its suppliers to ensure that the devices it provides to customers are supported with OS [operating system] and security updates. Though there may be some variance to the lifecycle support duration depending on the device and its manufacturer, in practice this support generally extends beyond the timeframe you reference. In general, the length of support has become longer over the years.”

EE, although it engaged with Which? on its findings, declined to take advantage of a right to reply. Note that EE, Three and Vodafone all disputed elements of Which?’s analysis, specifically the inclusion of some of the device models examined. However, Which? maintains that these devices could be out of support before the end of currently available contracts.

Retailer Dixons Carphone, which owns both Carphone Warehouse and Mobiles.co.uk, said it would continue to sell devices further along the product lifecycle to keep options affordable, but that it would welcome the provision of clearer communications around security update policies to keep customers informed.

Mobile Phones Direct said it would continue to work closely with manufacturers to keep consumers informed of the need to adopt software patches throughout the product’s life.

Of the device manufacturers examined, Motorola said that while devices could clearly not be upgraded indefinitely, it provides security updates in line with industry standards. It added that it is working with Google to expand the number of features that can be updated via the Play Store, meaning that some essential features can be patched and upgraded more easily and for longer.

Samsung directed users to its security update information website, and Oppo declined to engage.