Security gaps in smartphones

Electronics market does not have to point out security gaps and missing updates of the Android operating system

An electronics market does not have to point out security vulnerabilities and missing updates of the operating system of the smartphones it sells. This was decided by the 6th Civil Senate of the Higher Regional Court of Cologne, which upheld a decision of the Regional Court of Cologne.

The plaintiff consumer association had carried out test purchases at the defendant electronics store and had the smartphones tested for security vulnerabilities by experts from the Federal Office for Information Security (BSI). One of the devices had 15 of the 28 security vulnerabilities tested, while another had only one vulnerability, even though the same older version of the Android operating system was installed at the factory. The background to this is that the operating system is adapted to the respective smartphone model by the manufacturer. New versions of the operating system can only be used once the new version has been adapted for the respective smartphone model.

The BSI came to the conclusion that the device with 15 security vulnerabilities posed a security risk for users. After the BSI had turned to the manufacturer without success, the plaintiff demanded that the operator of the market stop selling the devices without pointing out the security vulnerabilities.

The Regional Court and the Higher Regional Court of Cologne have dismissed the subsequent action for injunctive relief. The 6th Civil Senate of the Higher Regional Court essentially stated in its reasoning that the requirements for a claim for injunctive relief were not met. It for the defendant to obtain the information on security vulnerabilities for every single smartphone model it offered.

It is true that information about the existence of security vulnerabilities is of great importance, since consumers' privacy could be violated and the data obtained could be misused for fraudulent purposes. It also had to be taken into account that the defendant could only determine the security gaps through tests, which would have to relate to the respective type of smartphone. It was also not possible to determine all existing security vulnerabilities. All providers of operating systems would themselves again and again - sometimes only security gaps in the operating system - sometimes only as a result of operating system. Finally, the identifiable security vulnerabilities could change at any time, so that the defendant would have to repeat the tests at regular intervals.

Nothing else applies to the information about the provision of security updates. Whether security updates for the model would still be provided was usually not known to the defendant at the time of the sale. It also could not obtain this information without the intervention of the manufacturer. The manufacturer alone decides whether and when it will provide a security update for the respective smartphone model. Here too, the information can change on a daily basis, especially as the manufacturer does not know whether and when a security update that could be adapted by the manufacturer will be published.

The Senate did not allow the appeal. The judgment will soon be published in anonymised full text at

Judgment of the Cologne Higher Regional Court of 30.10.2019 - Ref.: 6 U 100/19

Source: Press release of the Cologne Higher Regional Court, Dr. Ingo Werner, Press and Public Relations Officer