When it comes to the often slow pace of security updates being pushed to the mobile devices that are at the center of our daily digital lives, both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) are looking for some answers. The FCC is taking U.S. wireless carriers (like AT&T, Verizon Wireless, and T-Mobile) to task while the FTC has hit up top hardware manufacturers including Apple, Google, Samsung, Microsoft, and HTC.
At a time when U.S. intelligence agencies like the FBI and NSA are looking for ways to use vulnerabilities to their advantage to solve crimes and in some cases potentially abuse power, the FCC instead wants to ensure that wireless carriers are providing security updates in a timely fashion to protect customers.
The FCC makes references to exploits like Stagefright, which left millions of Android devices vulnerable around the world, before adding:
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched.”
In a letter sent separately to device makers, the FTC is asking for information on the following:
- the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device
- detailed data on the specific mobile devices they have offered for sale to consumers since August 2013
- the vulnerabilities that have affected those devices
- whether and when the company patched such vulnerabilities
In the end, the FTC and the FCC want more transparency in how significant exploits are identified and to ensure that devices don’t get left behind when it comes to security updates. Some device makers would rather sell you a new smartphone than provide you with updates to a device that may be a little less than two years old.
Both agencies essentially want “No Consumer Left Behind” when it comes to security updates, but that may be easier said than done given the often disjointed relationship between device makers and wireless carriers, especially on the Android side of things.