Patchy mobile patching process? FCC and FTC begin smartphone security update investigation
Two US federal agencies have announced an official investigation into the security update policies of several of the world’s largest smartphone manufacturers and mobile operators.
The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) each announced they would join forces to “better understand” how the industry issues security updates to address flaws in smartphones, tablets, and other mobile devices.
The FTC said that it has sent a letter to six mobile operators “asking questions about their processes for reviewing and releasing security updates for mobile devices.”
The FCC meanwhile has approached mobile manufacturers, with Apple; Blackberry; Google; HTC America; LG Electronics USA; Microsoft; Motorola Mobility; and Samsung Electronics America all contacted.
All the companies that have been contacted by either body now have to provide a written response within 45 days.
The FCC said it has ordered the above companies to provide information on “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device.”
Smartphone makers also have to provide “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013; the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities,” it said.
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use,” said the FCC.
“There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including ‘Stagefright’ in the Android operating system, which may affect almost 1 billion Android devices globally.”
Google only provided a patch for Stagefright in August 2015, months after security firm Zimperium first discovered the flaw in April 2015. Zimperium found the flaw could allow an attacker to take control of a device by sending a maliciously crafted video message.
Following that, both Google and Samsung pledged last August they would begin issuing monthly security updates for Android.
But whilst a smartphone manufacturer may issue a security update, there is no guarantee a mobile operator will authorise its distribution to its customer base.
For example, last year researchers from the University of Cambridge claimed many Android smartphones were not being supplied with the proper security protection because manufacturers failed to provide fixes in a timely fashion.