US zooms in on mobile security updates… or the lack of them

US regulators have launched an inquiry to discover exactly how iPhone and Android smartphone patches are distributed and whether consumers can find out if and when they’re available.

US telecoms regulator the Federal Communications Commission (FCC) and consumer watchdog the Federal Trade Commission (FTC) have launched a joint inquiry into the state of smartphone security. While the focus is on US carriers and US handset makers, the inquiry may have implications for consumers in other jurisdictions.

One of the main issues is how long it takes for end-user devices to receive patches distributed by operating system (OS) vendors, if they receive them at all; today that basically means Apple and Google, for iOS and Android respectively.

The FCC highlights the Stagefright bugs discovered last July — which affected 95 percent of all Android devices and prompted Google, Samsung and LG into monthly security updates — as one of the motivations for launching the investigation.

One of the chief concerns is the delay between the OS vendor creating patches and those patches reaching end-user devices.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched,” the FTC said in a statement.

The FTC has sent a set of questions about update practices to OS and device makers including Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America.

The FCC has sent a separate set of questions to US carriers, including AT&T, Verizon, T-Mobile, Sprint, U.S. Cellular, Tracfone Wireless, and T-Mobile US.

The companies have 45 days to respond to the respective orders by the FCC and FTC.

Google-backed research carried out by the UK's University of Cambridge last year found that nearly 90 percent of 20,000 Android devices in the study were exposed to at least one critical bug. The researchers blamed device makers rather than carriers for failing to distribute patches to end-user devices. In the US, carriers are often blamed for failing to deliver security updates.

The FTC wants to know what obstacles carriers face in delivering updates to devices and where the blame lies for some devices not receiving patches.

When Google announced its monthly updates for Nexus Android devices, which Samsung said it would follow for select Galaxy devices, an HTC US exec said it would not commit to monthly updates, suggesting that carriers prioritised patches for larger vendors due to resource constraints on the carrier side. The exec also highlighted that patching unlocked devices, including Google’s Nexus devices, was different from patching carrier-specific devices.

The FCC asks carriers to explain in detail the circumstances behind a situation where mobile devices on a network run a modified OS that is unique to the network and whether the carrier is responsible for developing and providing the updates to users.

The FCC goes on to ask if carriers face hurdles in getting consumers to install updates and whether the carrier knows whether updates are actually installed.

It also asks whether the carrier is concerned if it knows whether consumers have installed updates and whether carriers offer consumers a website where they can check if their devices are up to date.

Finally, the FCC wants to find out whether carriers have made commitments in line with Google and Samsung to release monthly updates.


Stories by Liam Tung
