Regulators from the U.S. Federal Trade Commission (FTC) and Federal Communications Commission (FCC) are working jointly to discover more about how mobile device makers are patching security vulnerabilities. And they’ve reached out to device makers big and small to find out more.
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use,” an FCC announcement notes. “There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including ‘Stagefright’ in the Android operating system, which may affect almost 1 billion Android devices globally.”
The agencies have reached out to major players like Apple, Google, and Samsung as well as a host of other mobile device hardware makers such as Blackberry, HTC, LG Electronics. Microsoft, and Motorola Mobility. And they have asked for information about how the firms issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.
More specifically, the FCC and FTC have asked:
- The factors that hardware makers consider in deciding whether to patch a vulnerability on a particular mobile device
- Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013
- The vulnerabilities that have affected those devices Whether and when the company patched such vulnerabilities.
Obviously, Android is the biggest issue here, as Apple routinely updates its software and cites the success its had getting its users to upgrade in a timely manner. Other firms, like Blackberry and Microsoft, are less of a concern given their small and steadily declining user bases. But since consumers tend to hold on to phones for at least a few years, it’s likely that there are many phones out there with unpatched vulnerabilities.
I am curious that the FCC and FTC are not focusing more on wireless carriers, since it is the carriers that block updates from reaching consumers, especially with Android. Both agencies do mention the carriers in passing, with the FTC noting that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.” What it finds will no doubt be horrifying, but this probe could lead to some long-overdue changes.
(The FCC told Bloomberg that it has sent letters to the four biggest U.S. carriers—AT&T, Verizon, T-Mobile, and Sprint—as well as to U.S. Cellular and TracFone Wireless.)
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC notes. “To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched.”
You can see an example of the letter sent to the mobile device makers on the FTC web site. Given the specific nature of the questions, it appears that the agencies are ready to formalize and regulate how mobile devices are supported with security updates. This is perhaps overdue.