The spotty way that mobile devices and mobile operating systems receive security updates from device vendors and mobile carriers today is about to get the attention of the FCC and the FTC.
The two federal agencies announced separately on May 9 that they are beginning reviews into how security updates are handled at the carrier and device-maker levels. The goal is to determine whether regulations are needed to better protect consumers and business users from threats that exploit old, unpatched code.
To investigate the complex security update environment, the Federal Trade Commission issued orders to eight mobile device makers (Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics America) “requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”
The companies must provide details about “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device,” as well as “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013.” Also required is information on all security vulnerabilities that have affected those devices and details about whether and when the company patched such vulnerabilities.
In a separate action, the Federal Communications Commission’s Wireless Bureau joined the FTC’s inquiry and sent out its own letters to mobile carriers asking about how they review and release security updates for mobile devices that they sell, according to the agency. The big four carriers—AT&T, Sprint, T-Mobile and Verizon—are among the companies receiving the FCC letters.
The requests from both agencies include security update details on devices such as smartphones, tablets and mobile computers. The security update reviews are being conducted because, as more people use mobile broadband services for work and leisure, “the safety of their communications and other personal information is directly related to the security of the devices they use,” the FCC said in a statement. “There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including ‘Stagefright’ in the Android operating system, which may affect almost 1 billion Android devices globally.”
That can leave consumers unprotected from attacks if their devices are not patched routinely, and therein lies the problem, the agency said. “To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that [can mean that] older devices may never be patched.”
Justin Brookman, a spokesman for the FTC’s Bureau of Consumer Protection, told eWEEK that the agencies want to get answers to many questions surrounding these issues and then will analyze those answers before deciding if any regulatory actions are needed in the future.
“The first matter is about getting a sense of how this all works” from the manufacturers and carriers, he said. “We will be doing information gathering and are hoping to bring transparency to these processes and let people know what their expectations should be.”
There are many parties involved in the processes, from manufacturers to carriers to operating system vendors and even chipset makers, all of which can handle security updates in different ways, said Brookman. “It can be a long time before patches are deployed and in some cases they don’t get deployed. We’re trying to get answers.”
Brookman said he is not sure how long the reviews will take, but reports will be produced once the data is collected, and the FTC and FCC will then work together to determine the next steps. Depending on what the reviews uncover, new rules affecting mobile device security could be created or existing rules refined, he said. The FCC regulates mobile carriers, but the FTC can also intervene because of past case law, including previous interpretations that inadequate data security can be unfair to consumers under the law.
“Having a more informed picture of the processes I think is incredibly important,” said Brookman. “There’s a lot of uncertainty about how the security update practices work. I think people have a vague notion about it and we wanted to draw more attention to these practices.”
FCC, FTC Reviewing Mobile Device Security Update Process
Several IT analysts told eWEEK that the joint FTC and FCC action on mobile device security procedures is a good idea.
“Given the security risks facing the average consumer who uses their mobile device to go online or downloads and uses mobile apps, there clearly is a need for better understanding of what their device’s vulnerabilities are and how much they can count not only on their device maker but also on their mobile service provider to keep protections up to date,” said Bill Menezes, an analyst with Gartner.
“This seems primarily a response aimed at the Android community given the platform’s fragmentation among different device makers and different devices,” he added. “But it makes sense even for the more unified OSes, [such as] iOS and Windows Phone, to provide perspective about the threats to them, their known vulnerabilities and how quickly they address them on a day-to-day basis.”
Another analyst, Rob Enderle of Enderle Group, told eWEEK that existing security update processes for mobile devices today are generally inadequate. “Some vendors like Apple and BlackBerry try to drive a more aggressive schedule, but the carriers seem to do their best to assure there is no consistency with regard to when or even if upgrades are done [on a] timely [basis],” said Enderle. “The end result is that massive numbers of people are exposed because of untimely or missing patches. It is well past time when the FTC should have taken interest in this but it is also better late than never.”
Enderle said it will be interesting to see what the agencies learn. “I expect they’ll be appalled at how bad this is now and try for a massive change,” he said.
Charles King, principal analyst at Pund-IT, said the reviews are particularly smart because of the importance of mobile devices in people’s lives today. “With vendors promoting an increasing range of mobile device processes, including using smartphones for banking and retail payments, ensuring safe and secure transactions is a critical issue the FTC [and FCC] should be monitoring.”
As the agencies evaluate and tighten the system, said King, it will be interesting to see how regulators keep up as scammers up their game to defeat tighter security in the future. “It will also be interesting to watch how vendors respond to this move, particularly Apple, which lately has had a thorny relationship with some federal agencies.”