mjensen.org

Breaking up with Ting

Mobile phone security is important

tl;dr

After 6 years of being with Ting, I’m changing providers. Ting used to care about me, now they don’t. I’m sorry Ting, we need to part ways. It’s not me, it’s you. You’ve changed and I don’t want you to hurt me so I’m leaving.

Make sure your devices are up to date. If you have a phone that isn’t receiving updates anymore, it’s time to get a different one that does.


August 14, 2020

What happened?

I’ve had a support ticket opened with Ting for almost 2 months and a lot of back-and-forth without any reasonable resolution, so I thought it would be best to write up this summary of what has happened. The root of the issue is that I purchased an LG Stylo 5 from Ting which hasn’t received OS updates since October 2019. There have been some major vulnerabilities found and fixed in Android OS since then. I have been a long-time customer of Ting, since 2014. My various interactions with support over that timeframe have been good, involving capable support agents and quick resolutions to issues. I have been vocal with family/friends about how awesome Ting was.

Background

Mobile phones have a treasure trove of personal data on them. The data on a phone would make identity theft of the victim an easy task. We’re always told that one of the basic protection measures we must take is to keep our software and devices up to date.

The typical support lifecycle of phones by manufacturers is 3 years from the time of release. (Apple is an exception, often supporting phones for 5-6 years after release.) One critical part of that support lifecycle is security updates. The LG Stylo 5 was released around August 2019.

Android OS security updates are released on a monthly basis and seem to include a significant security fix every few months. Between October 2019 and July 2020, those Android updates fixed 131 High and 24 Critical vulnerabilities. I have not counted the fixes included for August 2020.

The LG Stylo 5

Android updates are controlled by the phone service provider. It is typical for them to send out an OTA update to supported phones every 1-3 months, though some do it every month with the new Android OS updates.

After contacting LG directly, they looked up my phone by IMEI and said that the provider of my phone (which I purchased from Ting) is Competitive Carriers Association (CCA).

I suppose that Ting got these phones for a great price from CCA. Ting was selling these phones through their store at least between December 2019 and June 2020. They coincidentally disappeared from the store after I tweeted about Ting selling vulnerable phones.

Putting personal data at risk

These vulnerabilities from this phone not being updated put my personal data at risk. I purchased this phone specifically because it was a reasonable price and could be expected to get security updates through August 2022. As a result of these updates not going out to this phone, I’ve had to shelve it. It will sit unused unless updates start getting pushed out to it on a regular basis.

Acceptable solutions

The ideal solution would be for CCA to start pushing out regular OTA updates. I’m not sure if Ting has the influence to pressure them to do so.

A less desirable alternative would be for Ting to compensate me for the vulnerable phone they sold me or replace it with a comparable model that does receive proper updates.

Ting’s “solution”

  • “… the device is operating as expected.”
  • We can’t offer any refunds 30 days after the date of purchase.

In summary

I used to feel like Ting cared about its customers. This blatant disregard for protecting the personal data of their customers has changed my mind.

I’m not sure if this is a cultural change at Ting or not. I can only assume that it indicates a shift in their attitude toward customers. As a result, I can no longer recommend that people switch to Ting. My suggestion would be that if you’re using Ting currently, you should consider another phone provider. If you’ve purchased devices from Ting, verify that they’re receiving updates. If they’re not, you’re putting your personal data at risk. Actually, that goes for any device you’ve purchased anywhere.

I am not a lawyer, nor do I have litigious tendencies, but this kind of stinks of a class-action lawsuit waiting to happen. I know I’m not the only one that bought this model of phone from them and it wouldn’t surprise me if they’ve sold other models from CCA which suffer from the same lack of expected OS updates.

I prefer to just share my experience to warn others and vote with my feet.

Original here: https://gist.github.com/michaeljensen/