The U.S. Federal Trade Commission and the Federal Communications Commission on Monday announced a joint investigation into the issue of mobile device security updates.
The FTC issued an order requiring eight mobile device manufacturers — Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics America — to provide information about how they issue security updates to address mobile device vulnerabilities.
The information they must provide includes the following:
- What factors they consider when deciding whether to patch a vulnerability;
- Detailed data on the mobile devices they’ve offered for sale since August 2013;
- The vulnerabilities that have affected those devices; and
- Whether and when they patched the vulnerabilities.
The commission voted unanimously to issue the orders under Section 6(b) of the FTC Act, which lets the FTC compel companies to file reports without alleging wrongdoing.
It’s part of the commission’s ongoing efforts to understand the security of consumers’ mobile devices, which included a workshop in 2013 and a follow-up public comment period in 2014.
On Monday, Jon Wilkins, the FCC’s Wireless Telecommunications Bureau chief, wrote to wireless carriers asking about their processes for releasing security updates.
His letter is divided into four sections: general questions, questions about the development and release of security updates, consumer-specific questions, and questions specific to the Stagefright Android bug.
The letter was sent to AT&T, Verizon, T-Mobile, U.S. Cellular, Sprint and TracFone, FCC spokesperson Neil Grace said.
“The letters were sent yesterday, so I can’t confirm that we’ve received responses,” he told TechNewsWorld.
Reason for Concern
America’s shift to mobile devices has been speeding up. Meanwhile, vulnerabilities associated with mobile operating systems, including Stagefright — which may affect almost 1 billion Android devices worldwide — are increasing, the FCC said.
NorthBit earlier this year detailed “Metaphor,” not a new bug but a new, more reliable exploit for the existing Stagefright flaw, which the firm said can compromise about 30 percent of all Android devices.
Delays in patching vulnerabilities could leave consumers unprotected for long periods, the FCC asserted. OS providers, original equipment manufacturers and mobile service providers have addressed vulnerabilities as they arise, but there are significant delays in delivering patches to devices, and older devices might never get patched.
Carriers may delay updates because they first want to test them for reliability and compatibility with their own software and apps.
“The carriers are saying that maintaining a base of unique software features is more important than the consumer’s safety and security,” said Rob Enderle, principal analyst at the Enderle Group.
“This shouldn’t be an either/or problem, but since they make it that, safety and security should come first,” he told TechNewsWorld.
Nearly 28 million Android devices with medical apps are likely to house high-risk malware, Skycure has found.
Complicating the issue, 26 percent of Android devices worldwide still run Android 4.3 (released in 2013) or earlier, according to Statista, and those older releases are the ones least likely to receive fixes.
Neither OEMs nor OS providers want to update older devices or versions of the OS, partly because of the cost and partly because older devices don’t have the muscle to run new versions of Android.
However, OS suppliers and OEMs want the patches to be applied quickly, Enderle pointed out, and that “could lead to a massive reduction in control by the carriers.”
“Government’s first focus is on their citizens, and right now those citizens are badly exposed as a result of [carriers’] ill-conceived practices,” he said.
That said, “for the FCC to assert regulatory oversight in this area so everybody has to file plans for rolling updates is going to slow things down,” noted Mike Jude, program manager, Stratecast/Frost & Sullivan.
“The vendors will probably take them to court,” he told TechNewsWorld, “because regulatory oversight will increase costs, slow down maintenance of devices, force vendors to support archaic devices, and make the cost of updating unmaintainable.”