Separate investigations by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) have been launched into how smartphone makers and wireless service providers handle device security updates for their customers.
Following a resolution adopted by FTC commissioners Friday, the agency is ordering eight mobile device companies to submit information about how and when they decide to issue security patches for vulnerabilities. The companies that must submit responses to those orders within 45 days are Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics America.
Six wireless carriers also have 45 days to respond to FCC questions about their security update policies and procedures for mobile devices. Those companies are AT&T, Sprint, T-Mobile, Tracfone, U.S. Cellular and Verizon.
‘Concerned’ About Patch Delays
The FCC said its investigation was prompted by the “growing number of vulnerabilities associated with mobile operating systems,” including the “Stagefright” bug that could threaten nearly 1 billion Android devices around the world. Identified last year by a researcher at Zimperium zLabs, Stagefright led several companies, including Google, LG and Samsung, to pledge to issue monthly security updates for their mobile devices.
“[W]e appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise,” Jon Wilkins, chief of the FCC’s Wireless Telecommunications Bureau, wrote yesterday in the agency’s letter to wireless carriers. “We are concerned, however, that there are significant delays in delivering patches to actual devices — and that older devices may never be patched.”
In a statement released after the announcements by the FCC and FTC, the CTIA wireless industry trade organization said carriers and partners work together to make customer security a top priority.
“As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats,” John Marinho, CTIA vice president of technology and cybersecurity, said in the statement.
Android in Particular a Problem
In an e-mail, Christopher Budd, global threat communications manager for Trend Micro, told us that his organization believes there has been a problem for years with security patches and updates not reaching vulnerable mobile devices promptly, Android devices in particular. Android devices account for nearly 62 percent of all mobile devices and tablets in operation, according to the latest statistics from NetMarketShare.
So far this year, Trend Micro researchers have identified 11 Android vulnerabilities, nine of which are considered by Google, which operates Android, to be high or critical security risks, Budd said. Nine of those Android vulnerabilities are also related to the Stagefright bug, he added.
“Unfortunately, while this is a known problem, we haven’t seen the carriers or handset makers take steps to address it,” Budd said. “Hopefully this action will bring more attention to this problem and help educate people that they need to tell their carriers and handset makers they want the same level of security support as Google Nexus users who get security updates directly from Google.”