US Regulators Probe Mobile Patch Work

Government Keen to Know the Process of Security Updates


This week, the US Federal Communications Commission together with the Federal Trade Commission sent letters to the country’s top wireless carriers and device makers requesting information on their process of patching on-device software vulnerabilities. These companies are required to provide a list of mobile device models available on the US market since August 2013, as well as vulnerabilities associated with the equipment, and whether patches have been offered.

Specifically, the Federal Trade Commission has sought information from eight device manufacturers and mobile platform suppliers: Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola and Samsung. The Federal Communications Commission made a similar request of the country’s major wireless carriers: AT&T, Verizon Wireless, T-Mobile, Sprint, US Cellular and TracFone. Unlike in many markets, carriers in the US tend to issue the vast majority of consumer equipment and thus take responsibility for phone updates.

The regulators say they’re trying to ascertain the threats consumers face and to get some idea of how long devices might be susceptible to those risks. The inquiry comes in the wake of several high-profile vulnerabilities that exposed security issues in Android and iOS platforms in the past year. For example, last summer Android devices were threatened by the Stagefright vulnerability, which enabled hackers to take over the device with just a text message.

Companies such as Google, Microsoft and Twitter have rewards programs that pay third-party hackers to discover vulnerabilities. Last week, a 10-year-old Finnish boy received a $10,000 reward from Facebook for spotting a bug in Facebook-owned Instagram, becoming the youngest hacker to receive a payout from the social media giant.

The mobile industry has long faced concerns about the speed and frequency of security updates. This has been more of a problem for Android devices given the system’s larger number of users and more open approach, though Google has recently promised to update Android security more regularly. In addition, Android has benefitted from the incorporation of Samsung’s Knox security efforts as the platform’s supporters strive to overcome the perception of poor security. Samsung and LG have also pledged to start pushing out updates monthly. As the smartphone penetration rate in the US reaches 75 percent and subscribers use the devices for a growing number of sensitive tasks, the potential for major disruptions grows.