Malware

Feds to Take a Hard Look at Mobile Device Patch Practices

The U.S. Federal Trade Commission and the Federal Communications Commission on Monday announced a joint investigation into the issue of mobile device security updates.

The FTC issued an order requiring eight mobile device manufacturers — Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics America — to provide information about how they issue security updates to address mobile device vulnerabilities.

The information they must provide includes the following:

  • What factors they consider when deciding whether to patch a vulnerability;
  • Detailed data on the mobile devices they’ve offered for sale since August 2013;
  • The vulnerabilities that have affected those devices; and
  • Whether and when they patched the vulnerabilities.

FTC members voted unanimously to issue the order under Section 6(b) of the FTC Act.

It’s part of the commission’s ongoing efforts to understand the security of consumers’ mobile devices, which included a workshop in 2013 and a follow-up public comment period in 2014.

Carrier Focus

On Monday, Jon Wilkins, the FCC’s Wireless Telecommunications Bureau chief, wrote to wireless carriers asking about their processes for releasing security updates.

His letter is divided into four sections: general questions, questions about the development and release of security updates, consumer-specific questions, and questions specific to the Stagefright Android bug.

The letter was sent to AT&T, Verizon, T-Mobile, U.S. Cellular, Sprint and TracFone, FCC spokesperson Neil Grace said.

“The letters were sent yesterday, so I can’t confirm that we’ve received responses,” he told TechNewsWorld.

Reason for Concern

America’s shift to mobile devices has been speeding up. Meanwhile, vulnerabilities associated with mobile operating systems, including Stagefright — which may affect almost 1 billion Android devices worldwide — are increasing, the FCC said.

NorthBit earlier this year detailed anew version of Stagefright, named “Metaphor,” which affects 30 percent of all Android devices.

Delays in patching vulnerabilities could leave consumers unprotected for long periods, the FCC asserted. OS providers, original equipment manufacturers and mobile service providers have addressed vulnerabilities as they arise, but there are significant delays in delivering patches to devices, and older devices might never get patched.

Features First

Carriers may delay updates because they first want to test them for reliability and compatibility with their own software and apps.

“The carriers are saying that maintaining a base of unique software features is more important than the consumer’s safety and security,” said Rob Enderle, principal analyst at the Enderle Group.

“This shouldn’t be an either/or problem, but since they make it that, safety and security should come first,” he told TechNewsWorld.

Nearly 28 million Android devices with medical apps are likely to house high-risk malware,Skycure has found.

Complicating the issue, 26 percent of Android devices worldwide run Android 4.3, released in 2013, or earlier, according toStatista.

Neither OEMs nor OS providers want to update older devices or versions of the OS, partly because of the cost and partly because older devices don’t have the muscle to run new versions of Android.

However, OS suppliers and OEMs want the patches to be applied quickly, Enderle pointed out, and that “could lead to a massive reduction in control by the carriers.”

Regulatory Oversight

“Government’s first focus is on their citizens, and right now those citizens are badly exposed as a result of [carriers’] ill-conceived practices,” he said.

That said, “for the FCC to assert regulatory oversight in this area so everybody has to file plans for rolling updates is going to slow things down,” noted Mike Jude, program manager, Stratecast/Frost & Sullivan.

“The vendors will probably take them to court,” he told TechNewsWorld, “because regulatory oversight will increase costs, slow down maintenance of devices, force vendors to support archaic devices, and make the cost of updating unmaintainable.”

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Malware

Technewsworld Channels