Geekzone: technology news, blogs, forums




67 posts

Master Geek
+1 received by user: 9


Topic # 223637 10-Oct-2017 10:41

Morning all

 

I have a Sony Xperia Z3 mobile phone, less than 3 years old, that no longer gets updates and is therefore vulnerable to BlueBorne.  It appears Sony are not going to provide a security update for this device.  I have contacted the retailer who sold me the phone to find out about a CGA claim.  All I really want is an updated firmware as there is nothing wrong with this phone.  Their response is as follows:

 

"We do not believe at [retailer] that your device vulnerability is covered by the Consumer Guarantees Act as it is the Hardware which we retail and software comes from the manufacturer. The fact the manufacturer, Sony, no longer gives security patch and software updates is because they believe your device to be old technology and it is out of the manufacturer’s warranty of 2 years."

 

"From the website, you gave us it appears all Bluetooth devices are vulnerable to this virus so the only way forward would be, as [..] suggested, not to turn on your Bluetooth or upgrade to a newer device which is able to have security patch and software updates to protect. This upgrade would be at your cost."

 

It would appear to me that the vulnerability is not really understood as they seem to think that it is a virus.  They also seem to think that Bluetooth is software and that an anti-virus should protect me - from a phone conversation I had with them.  I think that it is absurd to suggest that I turn off Bluetooth if I don't want to be vulnerable to BlueBorne and think that that is a valid solution to this, as I lose functionality that I use often by turning off Bluetooth (I have turned it off but this shouldn't be the solution).  I shouldn't have to upgrade to a new device every year just to get updates.  This was a premium phone at the time!

 

What is the general consensus here?  Do I have a case for a CGA claim?  If so, how do I go about it?

 

Thanks.


1346 posts

Uber Geek
+1 received by user: 820

Trusted
Subscriber

  Reply # 1880258 10-Oct-2017 10:44
5 people support this post

I agree with the retailer, not CGA related at all. The phone is still working and doing its job

 

Linux


1029 posts

Uber Geek
+1 received by user: 707

Subscriber

  Reply # 1880260 10-Oct-2017 10:57
4 people support this post

Given the age of the device and even if there is a security vulnerability, the relatively low chances of one materialising on the user etc, and the sheer commercial realities of having to provide on-going updates (and the well-documented difficulties of actually doing so for Android manufacturers), any retailer or manufacturer will fight this like heck. You can go to the DT and try your luck but apart from the clearest of cases, going to the DT is a bit of a coin toss. And this comes from a RL lawyer and person experienced in advising on CGA and statutory compliance issues.

 

Cut your losses.

 

 

 

 


 
 
 
 


6687 posts

Uber Geek
+1 received by user: 3060

Moderator
Trusted
Subscriber

  Reply # 1880264 10-Oct-2017 11:09

Agreed here - I think it is time for a phone upgrade. Your phone has served you well for a reasonable amount of time.





Michael Murphy | https://murfy.nz


1185 posts

Uber Geek
+1 received by user: 80


  Reply # 1880265 10-Oct-2017 11:16


67 posts

Master Geek
+1 received by user: 9


  Reply # 1880273 10-Oct-2017 11:55

Ok, not the answers I wanted to hear but I guess I'll have to cut my losses. 

 

Linux:

 

I agree with the retailer, not CGA related at all. The phone is still working and doing its job

 

Linux

 

 

My argument is that disabling a feature on the phone is not the phone working as it should be.  You buy a car with an infotainment feature.  Would your argument be that the car still works so the infotainment feature doesn't need to?

 

Thanks @dejadeadnz.  I'll take that advice and cut my losses - not that I want to.

 

michaelmurfy:

 

Agreed here - I think it is time for a phone upgrade. Your phone has served you well for a reasonable amount of time.

 

 

"reasonable amount of time" is subjective.  Time for an upgrade?  Really?  I don't chase latest models and don't replace "just because".  The device is fine bar the vulnerability that is patched in Android.  Just not for my device.

 

Thanks @MurrayM.  Didn't see that but then it is from 5 years back.

 

 

 

 


1346 posts

Uber Geek
+1 received by user: 820

Trusted
Subscriber

  Reply # 1880274 10-Oct-2017 11:57

If you turn that feature on called ' Bluetooth ' it's still working as designed and still does its job!

 

My Samsung S8 plus (under 6 months old) still has not got the BlueBorne patch

 

Linux




67 posts

Master Geek
+1 received by user: 9


  Reply # 1880276 10-Oct-2017 12:02

Linux:

 

If you turn that feature on called ' Bluetooth ' it's still working as designed and still does its job!

 

 

This is the crux of my argument.  That feature is not working as designed.  It has a major flaw in it.  A flaw that exposes the device to a major vulnerability. 


1346 posts

Uber Geek
+1 received by user: 820

Trusted
Subscriber

  Reply # 1880283 10-Oct-2017 12:08
One person supports this post

vyfster:

 

Linux:

 

If you turn that feature on called ' Bluetooth ' it's still working as designed and still does its job!

 

 

This is the crux of my argument.  That feature is not working as designed.  It has a major flaw in it.  A flaw that exposes the device to a major vulnerability. 

 

 

That flaw has always been there; you have just not known about it till it reached the media, and you purchased the handset with that flaw, but as advised by yourself Bluetooth still works

 

Linux




67 posts

Master Geek
+1 received by user: 9


  Reply # 1880294 10-Oct-2017 12:19

Linux:

 

That flaw has always been there; you have just not known about it till it reached the media, and you purchased the handset with that flaw, but as advised by yourself Bluetooth still works

 

 

I thought the whole point of the CGA was to cater for devices that had defects / flaws in them?  Defects / flaws are usually only found after purchase otherwise they wouldn't be purchased in the first place.

 

I've tried to think of an analogy that gets where my thinking is coming from.  All I can come up with ATM is (I don't think it is a particularly good one, but here goes) - if you buy a lock, you would expect only the set of keys that come with that lock to be able to lock / unlock it.  However, after the fact, it comes to light that a certain procedure renders the lock useless in that it can be easily unlocked.  The lock still works "as designed".  You can still use your key to lock / unlock the lock.  It just so happens that others can too.  Do you happily continue using your lock?

 

I guess we'll just have to agree to disagree on this :)


2785 posts

Uber Geek
+1 received by user: 226


  Reply # 1880309 10-Oct-2017 12:32
One person supports this post

I had a similar talk with a colleague here at work.

 

He bought a brand new Mazda 3 about 18 months ago, and one of the nice features of the entertainment system was the built in Pandora support.

 

Now that Pandora is no longer available in NZ he must be able to get a replacement car surely?! :)

 

 







67 posts

Master Geek
+1 received by user: 9


  Reply # 1880319 10-Oct-2017 12:42

CYaBro:

 

I had a similar talk with a colleague here at work.

 

He bought a brand new Mazda 3 about 18 months ago, and one of the nice features of the entertainment system was the built in Pandora support.

 

Now that Pandora is no longer available in NZ he must be able to get a replacement car surely?! :)

 

 

The difference here is that Pandora is a third party / external service.  It has nothing to do with the functioning of the entertainment system - other than integration with an external provider.  So no, no new car expected under this circumstance.  However, if integration with Pandora was such that the entertainment system no longer functioned then I would argue that the software would need to be patched so that it is functional.  

 

I don't believe this to be the same thing as having to switch off a feature of the device in order for the device to be secure.




67 posts

Master Geek
+1 received by user: 9


  Reply # 1880325 10-Oct-2017 12:55

vyfster:

 

CYaBro:

 

I had a similar talk with a colleague here at work.

 

He bought a brand new Mazda 3 about 18 months ago, and one of the nice features of the entertainment system was the built in Pandora support.

 

Now that Pandora is no longer available in NZ he must be able to get a replacement car surely?! :)

 

 

The difference here is that Pandora is a third party / external service.  It has nothing to do with the functioning of the entertainment system - other than integration with an external provider.  So no, no new car expected under this circumstance.  However, if integration with Pandora was such that the entertainment system no longer functioned then I would argue that the software would need to be patched so that it is functional.  

 

I don't believe this to be the same thing as having to switch off a feature of the device in order for the device to be secure.

 

 

Actually let's turn that on its head.  What if the integration with a third party was done so poorly that when the third party is no longer in business the entertainment center stopped working?  And what if the Mazda said they are not updating it because the 4 year old car is out of its 3 year warranty?  What would the expectation be then?


405 posts

Ultimate Geek
+1 received by user: 72


  Reply # 1880329 10-Oct-2017 13:05
One person supports this post

vyfster:

 

Linux:

 

That flaw has always been there; you have just not known about it till it reached the media, and you purchased the handset with that flaw, but as advised by yourself Bluetooth still works

 

 

I thought the whole point of the CGA was to cater for devices that had defects / flaws in them?  Defects / flaws are usually only found after purchase otherwise they wouldn't be purchased in the first place.

 

I've tried to think of an analogy that gets where my thinking is coming from.  All I can come up with ATM is (I don't think it is a particularly good one, but here goes) - if you buy a lock, you would expect only the set of keys that come with that lock to be able to lock / unlock it.  However, after the fact, it comes to light that a certain procedure renders the lock useless in that it can be easily unlocked.  The lock still works "as designed".  You can still use your key to lock / unlock the lock.  It just so happens that others can too.  Do you happily continue using your lock?

 

I guess we'll just have to agree to disagree on this :)

 

 

You might not continue to use the lock as it's not as secure as it once was, but you wouldn't be able to return it to a store using the CGA unless the product guaranteed it was unpickable/hackable or whatever.

 

 


6687 posts

Uber Geek
+1 received by user: 3060

Moderator
Trusted
Subscriber

  Reply # 1880344 10-Oct-2017 13:45

You've also got to remember there are millions of devices out there vulnerable to something (for example smart TVs) that will not be getting security patches. There are also millions (maybe billions) of phones / devices vulnerable to BlueBorne.

 

Your phone has reached end of life by the manufacturer. You're still however free to flash it with your own custom ROM to extend its life (and stay up to date with security patches) if you desire - the Z3 has a good modding community still. A very popular OS distribution is Lineage OS (Link) which will patch the BlueBorne vulnerability in the process.





Michael Murphy | https://murfy.nz




67 posts

Master Geek
+1 received by user: 9


  Reply # 1880349 10-Oct-2017 13:52

michaelmurfy:

 

You've also got to remember there are millions of devices out there vulnerable to something (for example smart TVs) that will not be getting security patches. There are also millions (maybe billions) of phones / devices vulnerable to BlueBorne.

 

Your phone has reached end of life by the manufacturer. You're still however free to flash it with your own custom ROM to extend its life (and stay up to date with security patches) if you desire - the Z3 has a good modding community still. A very popular OS distribution is Lineage OS (Link) which will patch the BlueBorne vulnerability in the process.

 

 

Awesome, thanks for the link!  I wasn't aware of Lineage.  Will look into it.

 

I think that when it comes to security, manufacturers should be made to be responsible for what they produce.  If not, then best case, everything just becomes another node in a botnet.  At worst, who knows what information you lose.  Identity theft, bank account cleaned out, who knows what else.  Maybe I'm just paranoid or maybe I'm not paranoid enough!?

