Two U.S. federal agencies, the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC), have launched parallel inquiries into how major mobile carriers and manufacturers deploy security updates to smartphones and how long it takes them to patch vulnerabilities.
The FCC and FTC have reached out to several network carriers, including AT&T, Sprint, T-Mobile, U.S. Cellular, and Verizon, as well as eight mobile device manufacturers (Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung), asking them to provide information on how they process and issue security updates for mobile devices.
The FTC is requiring the mobile device manufacturers to provide detailed information about the factors they consider in deciding which vulnerabilities to patch; the full specifications of mobile devices sold since August 2013; the vulnerabilities discovered in those devices; and confirmation of whether the manufacturers have already patched those vulnerabilities.
"We're attempting to get an assessment on the state of what carriers do to push out patches for device vulnerabilities, how quickly they do it, and what are some of the barriers and challenges they have," Neil Grace, a spokesman for the FCC, said.
Often, operating system vendors such as Google are not allowed to push updates directly to consumers. Network carriers require their vendors to submit a software update for review before it is released to users. As part of the inquiry, the FTC wants to know when software and chip vendors advise mobile device manufacturers about vulnerabilities, and how quickly security updates are issued, if need be.
According to the FCC and FTC, the recent rise in attacks targeting smartphones is concerning as more consumers use their mobile phones to store important data and personal information.
In 2015, the Stagefright vulnerability hit millions of Android phone users. Stagefright used a classic buffer overrun exploit to run malicious code on victims' Android devices running the Froyo OS. The attackers needed only the victim's cellphone number to send a malicious payload in the form of a specially encoded MP4 file, embedded in an MMS.
Following the Stagefright scare, Google and other manufacturers have been providing monthly security updates to tighten the security of Android devices. As of the most recent Marshmallow update, a "security patch level" is displayed in the About section of the phone for users to check, and security patches can be delivered independently of major OS releases.