FTC, FCC Launch Mobile Security Inquiries

Regulators Demand Details From Device Manufacturers, Wireless Carriers

Two federal agencies have launched security investigations of mobile device makers and wireless carriers, citing growing concerns over vulnerabilities that threaten "the security and integrity" of these products and services. In particular, the regulators say they are examining how security patches are distributed.

In a May 9 statement, the Federal Trade Commission says it issued orders to eight mobile device manufacturers "requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices."

The FTC says it issued the orders to Apple, BlackBerry, Google, HTC America, LG Electronics USA, Microsoft Corp., Motorola Mobility and Samsung Electronics America.

Similarly, the Federal Communications Commission issued a statement saying it "sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices."

The FCC says it has sent its inquiries to six mobile carriers: AT&T, Verizon, Sprint, T-Mobile, US Cellular, and Tracfone. Because these carriers represent the majority of U.S. wireless service, they can provide the commission with information that applies to most mobile devices, the FCC says.

"As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use," the FCC says.

A growing number of vulnerabilities associated with mobile operating systems threaten the security and integrity of a user's device, the FCC notes, including "Stagefright" in the Android operating system, which may affect almost 1 billion Android devices globally.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," the FCC says.

The FCC asserts that while operating system providers, original equipment manufacturers and mobile service providers have responded to address vulnerabilities as they arise, "there are, however, significant delays in delivering patches to actual devices - and older devices may never be patched."

FCC Questions

The FCC is giving the carriers 45 days to respond to a number of questions, including:

- Does the carrier face issues or hurdles in releasing security updates for operating systems to consumers?
- Do any mobile devices on the carrier's network run an operating system that is modified for or is unique to the carrier? And if so, what percent of the devices on the carrier's network do those operating systems represent?
- For those operating systems, is the carrier responsible for developing and providing security updates? Does the carrier face any additional issues or hurdles in releasing security updates for such OS to consumers?
- Does the carrier face particular issues or hurdles in getting consumers to install updates for either a modified OS or required software on mobile devices as they are made available?
- Could unpatched, non-updated devices on the carrier's network impact or harm the functionality of that network or carriers' ability to provide effective service?

FTC's Inquiry

In the FTC's inquiries sent to the mobile device makers, the commission is asking for information that includes:

- The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
- Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
- The vulnerabilities that have affected those devices; and
- Whether and when the company patched such vulnerabilities.

"The commission is seeking to compile data concerning policies, procedures and practices for providing security updates to mobile devices offered by unnamed persons, partnerships, corporations, or others in the U.S.," the FTC writes.