FCC, FTC Reviewing Mobile Device Security Update Process

Mobile carriers and device makers update devices and operating systems with no set patterns, which can endanger mobile security for users.

FTC and FCC actions

The spotty way that mobile devices and mobile operating systems receive security updates from device vendors and mobile carriers today is about to get the attention of the FCC and the FTC.

The two federal agencies announced separately on May 9 that they are beginning reviews into how security updates are made at the carrier and device maker levels. The aim is to determine whether regulations need to be created to better protect consumers and business users from security threats and vulnerabilities that can take advantage of old, unpatched computer code.

To investigate the complex security update environment, the Federal Trade Commission issued orders to eight mobile device makers—Apple; BlackBerry; Google; HTC America; LG Electronics USA; Microsoft; Motorola Mobility; and Samsung Electronics America—"requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices."

The companies must provide details about "the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device," as well as "detailed data on the specific mobile devices they have offered for sale to consumers since August 2013." Also required is information on all security vulnerabilities that have affected those devices and details about whether and when the company patched such vulnerabilities.

In a separate action, the Federal Communications Commission's Wireless Bureau joined the FTC's inquiry and sent its own letters to mobile carriers asking how they review and release security updates for the mobile devices they sell, according to the agency. The big four carriers—AT&T, Sprint, T-Mobile and Verizon—are among the companies receiving the FCC letters.

The requests from both agencies include security update details on devices such as smartphones, tablets and mobile computers. The security update reviews are being conducted because, as more people use mobile broadband services for work and leisure, "the safety of their communications and other personal information is directly related to the security of the devices they use," the FCC said in a statement. "There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user's device, including 'Stagefright' in the Android operating system, which may affect almost 1 billion Android devices globally."

That can leave consumers unprotected from attacks if their devices are not patched routinely, and therein lies the problem, the agency said. "To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that [can mean that] older devices may never be patched."

Justin Brookman, a spokesman for the FTC's Bureau of Consumer Protection, told eWEEK that the agencies want to get answers to many questions surrounding these issues and then will analyze those answers before deciding if any regulatory actions are needed in the future.

"The first matter is about getting a sense of how this all works" from the manufacturers and carriers, he said. "We will be doing information gathering and are hoping to bring transparency to these processes and let people know what their expectations should be."

There are many parties involved in the processes, from manufacturers to carriers to operating system vendors and even chipset makers, all of which can handle security updates in different ways, said Brookman. "It can be a long time before patches are deployed and in some cases they don't get deployed. We're trying to get answers."

Brookman said he is not sure how long the reviews will take but that reports will be created when the data is collected and then the FTC and FCC will work together to determine the next steps in the efforts. New rules affecting mobile device security could potentially be created or existing rules could be refined, he said, depending on what the reviews uncover. The FCC regulates mobile carriers, but the FTC can also intervene because of past case law, including previous interpretations that bad data security can be unfair to consumers under the law.

"Having a more informed picture of the processes I think is incredibly important," said Brookman. "There's a lot of uncertainty about how the security update practices work. I think people have a vague notion about it and we wanted to draw more attention to these practices."