The FCC and FTC are investigating how companies release mobile security patches

The Federal Communications Commission today announced an inquiry into mobile device security in partnership with the Federal Trade Commission. The inquiry is centered on how phone makers review and release security updates, and the FCC has sent a letter to mobile carriers — including AT&T, Sprint, and Verizon — asking questions about that process. As part of the investigation, the FTC has also asked eight mobile manufacturers to inform the agencies about the state of smartphone and tablet vulnerabilities and the process for patching them.

This isn't the first time the FCC has homed in on smartphone security. The agency released an "online security checker" in 2012 that gives consumers tips for improving security based on their mobile OS. In a press release, the FCC says, "There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user's device."

The FCC is worried about OS-wide bugs like Android's Stagefright

The FCC mentions one such bug, called Stagefright, which was first disclosed in July and allows attackers to target Android phones via text message. Because nearly every Android phone runs some process for previewing links or files sent via text or MMS, more than 1 billion users are potentially vulnerable. Even after several patches from all parties in the mobile phone business, the bug continues to be exploited in unique ways. Google released an Android update in November patching a number of vulnerabilities, including Stagefright-related ones, but it's unclear when every handset will receive it.

That lack of consistency worries both the FCC and FTC. The release lays out the main concerns about how these patches are handled by OS makers like Google, phone makers like LG, and carriers like AT&T:

Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and older devices may never be patched.