Security Experts:

FCC, FTC Investigate Mobile Device Patching Practices

The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have joined forces in an effort to analyze the security update practices of mobile carriers and device manufacturers.

The FTC announced on Monday that it has ordered Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola and Samsung to provide information on the factors they take into consideration when deciding if a certain vulnerability should be patched.

The eight companies have also been asked to provide information on the specific mobile devices they have been selling to consumers since 2013, which vulnerabilities affected those devices, and if and when those flaws have been patched.

The FCC has sent out letters to mobile carriers, asking them about their practices for reviewing and releasing security updates for mobile device. The FCC has instructed carriers to answer a set of 20 questions, including consumer-specific questions and ones related to the Stagefright vulnerability affecting the Android operating system.

The FCC is displeased with the fact that while service providers and manufacturers have created fixes, there are significant delays in the delivery of the patches to consumers’ devices and in many cases older smartphones and tablets never get the security updates.

Carriers and device manufacturers have been given 45 days to answer the questions sent by the FTC and the FCC.

“The FTC and FCC’s inquiries demonstrate that it’s no longer safe to assume having security on a device-only level is sufficient. With the multitudes of recent cyber attacks and corresponding delay in security patches, we’re seeing a wide window where user’s sensitive data is exposed and vulnerable. Organizations need to look at security on the application and data level, providing a layer of security when data must be stored on a device, but also keeping as much data off the device as possible,” Kia Behnia, CEO of PowWow Mobile, told SecurityWeek.

“These inquiries will place increased pressure on vendors to speed up the deployment of the security updates. This will also force IT departments to revamp their internal policy around BYOD, putting more restrictions on what types of devices their users can bring into the workplace,” Behnia said.

Related: Asus Settles FTC Charges Over Router Security

Related: Oracle Settles FTC Charges Over Java Security Updates

Related: HTC Settles US Charges of Security Flaws on Devices

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.