In today's rapidly changing cyber threat environment, the federal government needs to take a lead role in making sure mobile device security is adequate, says security researcher Stephen Cobb.
That's why the recently launched investigations by two federal agencies into the security practices of major mobile device makers and wireless carriers are so important, says Cobb, senior security researcher at the security company ESET, in an interview with Information Security Media Group.
Earlier this month, the Federal Trade Commission and the Federal Communications Commission sent letters to eight mobile device makers and six wireless carriers, respectively, posing questions about their security practices.
The regulators want to learn more about how these companies release and distribute security updates to address vulnerabilities in mobile devices.
The inquiries are "clearly, within the American way of doing things - the balancing of private sector self-regulations and market forces, but also [government] regulation," Cobb says. "We are facing a situation that will only get worse if we don't impose tighter security on the digital ecosystem."
Cybercriminals are gaining more sophisticated capabilities for capitalizing on mobile device vulnerabilities, Cobb says. "Every time there's a new exploit developed or a new way of attacking things - such as we saw with the Stagefright vulnerability on Android [devices] - that goes into the malware factory, and if it can't be exploited right away, it's kind of put on hold," he says.
"But there's a very, very organized, methodical, market-based approach to abusing this technology, and it's a formidable adversary. So it's entirely valid that at any point in time the government thinks more could or should be done, they need to make that known."
FTC, FCC Scrutiny
In a May 9 statement, the FTC said it issued orders to eight mobile device manufacturers "requiring them to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices."
The FTC sent its requests to Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft Corp., Motorola Mobility and Samsung Electronics America.
Similarly, the FCC issued a statement saying it "sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices."
The FCC sent its inquiries to AT&T, Verizon, Sprint, T-Mobile, US Cellular and Tracfone.
Pushing Out Patches
Cobb says the FTC and FCC want to know what device makers and wireless networks are doing "to make sure that when vulnerabilities are found, that patches are created and pushed out to close that window for exploitation."
The regulators are concerned, he says, because unpatched vulnerabilities can, for example, enable cybercriminals to steal credit card information or personal IDs or launch ransomware schemes.
In this in-depth interview, Cobb also discusses:
Mobile security vulnerabilities that are most worrisome to users as well as enterprises;
Steps that organizations can take to improve the security of mobile devices;
Similarities between the security challenges involving mobile devices and the security risks posed by medical devices.

Cobb has specialized in information assurance and data privacy for more than 20 years, advising government agencies and some of the world's largest companies on information security strategy. He currently leads a team of researchers at the North American headquarters of ESET. Cobb has written a book on data privacy and contributed numerous chapters to information security textbooks.