FCC, FTC Probe Carriers' Mobile Security Patch Protocols - InformationWeek

5/10/2016
12:05 PM

FCC, FTC Probe Carriers' Mobile Security Patch Protocols

The FCC and the FTC want to know how mobile carriers, such as Verizon Wireless, T-Mobile, and AT&T, are responding to mobile threats and protecting consumers with security patches.

The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are joining forces to help determine how long it takes mobile device security updates to roll out to consumers.

The partnership between the two agencies, announced May 9, will examine how patches are distributed.

First, the FTC has ordered eight mobile device manufacturers to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

In addition, Jon Wilkins, Chief of the FCC's Wireless Telecommunications Bureau, sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices.

(Image: james Anderson/iStockphoto)

In an interview with Bloomberg, Neil Grace, a spokesman for the FCC, confirmed that the carriers are AT&T, Verizon Wireless, T-Mobile, Sprint, U.S. Cellular Corp., and TracFone Wireless.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," an FCC release stated. "To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices -- and that older devices may never be patched."

Of the growing number of vulnerabilities associated with mobile operating systems, the FCC specifically singled out the Stagefright bug in the Android operating system, which could affect almost 1 billion Android devices worldwide.

Stagefright can be exploited through a malicious audio or video file. The bug is in how Android processes metadata, so the target doesn't need to actually open the audio or video file, but merely preview it.

In the letter to carriers, the FCC requests that these companies provide the agency with a detailed response to the matter of mobile security patches within 45 days of the date of the letter. The letter also notes the FTC is separately seeking information from operating system providers and original equipment manufacturers.

"We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities -- and what can be done to improve mobile device consumer safety and security in the future," the letter states.

The 20-question form, also available to read online, is broken down into four areas: general questions, questions on the development and release of security updates, consumer-specific questions, and Stagefright-specific questions.

According to the FTC's request, the information that carriers must provide under the orders includes the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

The orders issued by the FTC are part of the agency's ongoing efforts to understand the security of consumers' mobile devices, including a workshop in 2013 and a follow-on public comment period in 2014.

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
