Are IT security vulnerabilities a defect?
Dear Sir or Madam,
Around eight months ago, I bought a new smartphone from a major electronics retailer. The device features a processor of type "Snapdragon 430". Earlier this month, the processor manufacturer Qualcomm admitted that the WLAN modem of the processor (and several similar ones) has a serious security vulnerability that allows attackers to take control of the entire device (see also https://www.qualcomm.com/company/product-security/bulletins, https://www.theregister.co.uk/2019/08/06/qualcomm_android_security_patches/). The German Federal Office for Information Security (BSI) warns (https://www.cert-bund.de/advisoryshort/CB-K19-0689) against using affected devices.
So I cannot use my smartphone with WLAN now; and I am not even sure that simply turning off WLAN adequately mitigates the security vulnerability. If an attacker can gain full access to the device, all stored passwords are compromised as well.
An update for the Android operating system itself has been available for about a week. However, the manufacturer of my smartphone has not provided an update for the model I am using - the last "major" Android update for my smartphone is five months old.
Therefore, I contacted the retailer (the electronics store). In my opinion, this is a clear error that existed at the time of delivery. The error significantly limits my use and jeopardizes the security and confidentiality of my communication (and that of others). I have therefore asked the retailer to rectify the defect, for example by providing an update.
In response, the retailer wrote to me: "A subsequently discovered security vulnerability in the Android operating system is not a defect covered by statutory warranty." This assessment surprises me: The smartphone is obviously not suitable for the usual use of smartphones (namely, besides making calls, also surfing the internet, including via WLAN), as the device was also advertised.
Does the argumentation of the electronics retailer follow the usual doctrine in this matter? Are there comparable cases where a customer has successfully compelled a retailer to rectify the situation (or, since the manufacturer apparently does not want to rectify, probably more likely to cancel the purchase agreement)? Do I have a realistic chance of insisting on rectification?