FCC, FTC Probe Carriers' Mobile Security Patch Protocols - InformationWeek



The FCC and the FTC want to know how mobile carriers, such as Verizon Wireless, T-Mobile, and AT&T, are responding to mobile threats and protecting consumers with security patches.


The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are joining forces to help determine how long it takes mobile device security updates to roll out to consumers.

The partnership between the two agencies, announced May 9, will examine how patches are distributed.

First, the FTC has ordered eight mobile device manufacturers to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

In addition, Jon Wilkins, Chief of the FCC's Wireless Telecommunications Bureau, sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices.

(Image: james Anderson/iStockphoto)


In an interview with Bloomberg, Neil Grace, a spokesman for the FCC, confirmed that the carriers are AT&T, Verizon Wireless, T-Mobile, Sprint, U.S. Cellular Corp., and TracFone Wireless.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," an FCC release stated. "To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices -- and that older devices may never be patched."

Of the growing number of vulnerabilities associated with mobile operating systems, the FCC specifically singled out the Stagefright bug in the Android operating system, which could affect almost 1 billion Android devices worldwide.

Stagefright can be exploited through a malicious audio or video file. The bug is in how Android processes metadata, so the target doesn't need to actually open the audio or video file, but merely preview it.


In the letter to carriers, the FCC requests that these companies provide the agency with a detailed response to the matter of mobile security patches within 45 days of the date of the letter. The letter also notes the FTC is separately seeking information from operating system providers and original equipment manufacturers.

"We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities -- and what can be done to improve mobile device consumer safety and security in the future," the letter states.

The 20-question form, also available to read online, is broken down into four areas: general questions, questions on the development and release of security updates, consumer-specific questions, and Stagefright-specific questions.

According to the FTC's request, the information that carriers must provide under the orders includes the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

The orders issued by the FTC are part of the agency's ongoing efforts to understand the security of consumers' mobile devices, including a workshop in 2013 and a follow-on public comment period in 2014.

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
