The feds are ramping up for war on bad mobile security

Apple, Google, and a host of other smartphone makers and US carriers have found themselves the subject of a mobile security investigation. The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have kicked off a joint inquiry to figure out how smartphones and other devices are kept secure and up-to-date, given the increasing number of hacking attempts and the amount of personal data users now generally carry around in their pockets or purses.

The FTC has contacted Apple, Blackberry, Alphabet's Google, HTC, LG, Microsoft, Motorola, and Samsung, while the FCC has done the same with six US carriers, including AT&T, Sprint, T-Mobile, and Verizon.

On the device and software side, the FTC has requested more information on the factors that affect whether and when each company decides to address vulnerabilities, along with examples of cases in which that has happened on any device sold since August 2013.

For carriers, meanwhile, there are questions around the hurdles of developing and delivering security updates, the potential impact of modified OSes – like the customized Android builds some operators insist upon – and to what extent unpatched vulnerabilities could damage the networks.

The FCC is also curious about whether carriers know if subscribers are actually installing updates, and – if they're not – if there's concern about that.

Though it's early days in the inquiry, there are already some interesting aspects of the two agencies' questioning that could have a big impact on consumers' devices.

For instance, the FCC seems particularly interested in timescales for addressing vulnerabilities, and in the delays involved in dealing with customized software. Figuring out the point at which security support ends – and how that's communicated to consumers – is also raised:

"How does [Carrier] decide when to discontinue security update support? Are consumers notified at the time of sale how long security updates will be provided or supported for their device by [Carrier]? Are consumers notified when security updates to their mobile devices are no longer supported? What are consumers' options for protecting themselves against security vulnerabilities after such discontinuance by [Carrier]?" FCC

The trigger for this renewed level of questioning has been Stagefright, the Android vulnerability which made headlines in 2015 and prompted several device-makers to promise monthly security patches.

Now, the FTC and FCC appear to be trying to pin down accountability for making sure those patches actually reach – and are installed on – devices in the wild.

"Has [Carrier] made a similar commitment to expedite the release of the monthly security updates as they become available?" the FCC asks of the networks. "Have such monthly updates been made available and, if so, has [Carrier] begun to release those updates as they become available? How many have been made available and how many has [Carrier] released?"

The security impact of Android fragmentation, where different devices run many versions of the core OS, has increasingly become a concern as the platform gains traction. Android is no longer limited to smartphones and tablets, but is increasingly found on other mobile devices, in the Internet of Things (IoT), and in the smart home, so loopholes can potentially give hackers access not only to contacts and email, but to a worryingly broad variety of information.

Though Apple's iOS is often considered more resilient, that's not to say it has been free of malware attempts in the past either.

What, exactly, the FTC and FCC plan to do about it remains to be seen, but a new focus on the timeliness of responses, and a commitment on which devices are eligible for updates and patches, seems to be on the cards.