Do smartphone makers and wireless carriers fix security bugs and other vulnerabilities fast enough?
The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) want the largest smartphone manufacturers, software developers, and wireless carriers in the United States to answer this question.
The federal regulators both issued statements Monday requiring the 12 companies to explain how they issue updates to address security vulnerabilities, as questions linger about how a security flaw in Google Android's Stagefright multimedia playback engine was resolved.
"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device," reads the FCC statement, which references the Stagefright bug.
The letter praises software developers, manufacturers, and carriers' responses in developing patches, or fixes, to address these vulnerabilities.
"There are, however, significant delays in delivering patches to actual devices – and that older devices may never be patched," reads the letter.
The FCC sent letters to the four largest wireless carriers in the US – AT&T, Sprint, T-Mobile, and Verizon Wireless – writing that it wants to better understand "their processes for reviewing and releasing security updates for mobile devices." The FTC, meanwhile, ordered eight smartphone manufacturers and software developers, including Apple, Google, and Microsoft, to complete a report that explains their "policies, procedures, and practices" for developing security updates and delivering them to customers.
The regulators' concerns are far from unfounded. More Americans own smartphones than ever before. Sixty-four percent of Americans own a smartphone, according to a 2015 study by the Pew Research Center, with 85 percent of 18- to 29-year-olds owning a phone, and 79 percent of 30- to 49-year-olds owning one. And many Americans conduct online banking or look up government services or information on their phones, perhaps typing in confidential information in the process, the study found.
It wouldn't be far-fetched to guess these percentages have increased since the survey was conducted in 2014, as smartphones and applications have become more affordable and user-friendly. It's no wonder regulators want to ensure a scenario like Stagefright doesn't repeat itself.
The flaw in Google's Android mobile operating system allowed attackers to take control of someone's device just by sending a text message, The Christian Science Monitor reported in July.
An attacker could gain control over Bluetooth, video, audio, and the microphone – enough to turn a phone into a spycam, and on many phones, the attacker could gain complete control of the device.
Security professionals have long been critical of Google over its Android update practices, wrote Joe Uchill in the Passcode article.
"When bugs affect Android versions that Google still supports, the company writes a patch, sends it to phone manufacturers, and counts on companies such as Samsung or Motorola to update their customers' phones. But many manufacturers do not treat updates with urgency. If a bug affects a version of Android that Google no longer supports, phone manufacturers can develop patches on their own, but few ever do."
As these two federal agencies step in, others in Washington have criticized the idea of the government having "back doors" in devices that would allow it (and hackers) to break into them.