The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) have joined forces in an effort to analyze the security update practices of mobile carriers and device manufacturers.
The FTC announced on Monday that it has ordered Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola and Samsung to provide information on the factors they take into consideration when deciding if a certain vulnerability should be patched.
The eight companies have also been asked to provide information on the specific mobile devices they have been selling to consumers since 2013, which vulnerabilities affected those devices, and if and when those flaws have been patched.
The FCC has sent out letters to mobile carriers, asking them about their practices for reviewing and releasing security updates for mobile device. The FCC has instructed carriers to answer a set of 20 questions, including consumer-specific questions and ones related to the Stagefright vulnerability affecting the Android operating system.
The FCC is displeased with the fact that while service providers and manufacturers have created fixes, there are significant delays in the delivery of the patches to consumers’ devices and in many cases older smartphones and tablets never get the security updates.
Carriers and device manufacturers have been given 45 days to answer the questions sent by the FTC and the FCC.
“The FTC and FCC’s inquiries demonstrate that it’s no longer safe to assume having security on a device-only level is sufficient. With the multitudes of recent cyber attacks and corresponding delay in security patches, we’re seeing a wide window where user’s sensitive data is exposed and vulnerable. Organizations need to look at security on the application and data level, providing a layer of security when data must be stored on a device, but also keeping as much data off the device as possible,” Kia Behnia, CEO of PowWow Mobile, told SecurityWeek.
“These inquiries will place increased pressure on vendors to speed up the deployment of the security updates. This will also force IT departments to revamp their internal policy around BYOD, putting more restrictions on what types of devices their users can bring into the workplace,” Behnia said.
Related: Asus Settles FTC Charges Over Router Security
Related: Oracle Settles FTC Charges Over Java Security Updates
Related: HTC Settles US Charges of Security Flaws on Devices
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
Latest News
- Malicious NPM, PyPI Packages Stealing User Information
- VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities
- 98% of Firms Have a Supply Chain Relationship That Has Been Breached: Analysis
- Dutch, European Hospitals ‘Hit by Pro-Russian Hackers’
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing
- Boxx Insurance Raises $14.4 Million in Series B Funding
