FCC, FTC Probe Carriers' Mobile Security Patch Protocols

10 Stupid Moves That Threaten Your Company's Security

The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) are joining forces to help determine how long it takes mobile device security updates to roll out to consumers.

The partnership between the two agencies, announced May 9, will examine how patches are distributed.

First, the FTC has ordered eight mobile device manufacturers to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

In addition, Jon Wilkins, Chief of the FCC's Wireless Telecommunications Bureau, sent a letter to mobile carriers asking questions about their processes for reviewing and releasing security updates for mobile devices.

In an interview with Bloomberg, Neil Grace, a spokesman for the FCC, confirmed that the carriers are AT&T, Verizon Wireless, T-Mobile, Sprint, U.S. Cellular Corp., and TracFone Wireless.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," an FCC release stated. "To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices -- and that older devices may never be patched."

Of the growing number of vulnerabilities associated with mobile operating systems, the FCC specifically singled out the Stagefright bug in the Android operating system, which could affect almost 1 billion Android devices worldwide.

Stagefright can be exploited through a malicious audio or video file. The bug is in how Android processes metadata, so the target doesn't need to actually open the audio or video file, but merely preview it.

[Read how the FCC is asking ISP to protect consumer privacy.]

In the letter to carriers, the FCC requests that these companies provide the agency with a detailed response to the matter of mobile security patches within 45 days of the date of the letter. The letter also notes the FTC is separately seeking information from operating system providers and original equipment manufacturers.

"We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities -- and what can be done to improve mobile device consumer safety and security in the future," the letter states.

The 20-question form, also available to read online, is broken down into four areas, including general questions, development and release of security updates questions, consumer-specific questions, and Stagefright-specific questions.

According to the FTC's request, among the information that carriers must provide under the orders are: the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

The orders issued by the FTC are part of the agency's ongoing efforts to understand the security of consumers' mobile devices, including a workshop in 2013 and a follow-on public comment period in 2014.