The FCC (US Federal Communications Commission) reports its ‘Wireless Telecommunications Bureau Chief Jon Wilkins sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices.’
In order to gain a better understanding of security in the mobile ecosystem, the FTC (Federal Trade Commission) reports it has ‘issued orders to eight mobile device manufacturers (PDF Link) requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.’
The FCC says that ‘as consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use.
‘There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including ‘Stagefright’ in the Android operating system, which may affect almost 1 billion Android devices globally.
‘Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise,’ continued the FCC.
The FCC warns, however, that there exists ‘significant delays in delivering patches to actual devices, and that older devices may never be patched.’
The FCC says it will ‘continue its longstanding partnership and work cooperatively with the FTC on this issue,’ and that ‘responses to the letters will inform discussions with industry about possible solutions and be shared with the FTC.’
More below, please read on.
Meanwhile, the FCC says that ‘among the information recipients must provide under the orders are:’
- the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
- detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
- the vulnerabilities that have affected those devices; and
- whether and when the company patched such vulnerabilities.
The FTC says the ‘orders issued today are part of the FTC’s ongoing efforts to understand the security of consumers mobile devices, including a workshop in 2013 and a follow-on public comment period in 2014.’
The FTC notes the FCC ‘is conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.’
The FTC notes it is ‘authorised to issue Orders to File a Special Report by Section 6(b) of the FTC Act,’ and that the FTC vote ‘to issue the orders was 3-0.’