We trust our smartphones with an astounding amount of information, but all too often those devices may not be protected with the latest security fixes. That’s the problem at the heart of a new government project announced Monday in which the Federal Communications Commission and the Federal Trade Commission are teaming up to examine the sometimes messy way security patches are delivered to consumers’ smartphones.
As part of the new push, the FTC and FCC will each study the roles that different parts of the smartphone ecosystem play in delivering security updates. The FTC will focus on handset manufacturers – some of whom are also the companies behind the software that dominates the smartphone arena. It’s sending out orders requesting reports from Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola and Samsung. The agency wants them to detail things such as how the security update process works from their perspective, what vulnerabilities they’ve found affecting their devices since August 2013, and what they did about them. The FCC is making similar inquiries to wireless carriers Verizon, AT&T, Sprint, T-Mobile, TracFone and U.S. Cellular.
The specter looming over the inquiries is a fragmented market built up around Google’s Android mobile operating system. In part because Google offers up Android for free, there are many different manufacturers running their own version of the software on their devices. Wireless carriers, too, may tweak the software. And both may end up serving as gatekeepers that control what updates make it out to which devices and when. So even if Google is quick to fix a problem, users may not end up getting the patch anytime soon — or at all.
“It’s a logistics nightmare. And as a result, most phones are lucky to receive any updates,” said Christopher Soghoian, the principal technologist at the American Civil Liberties Union’s Speech, Privacy, and Technology Project. (Rival Apple makes iPhones itself and has more direct control over the update pipeline for its iOS software.)
These delayed security updates aren’t a new problem. In fact, Soghoian worked on a 2013 complaint asking the FTC to investigate major wireless carriers over unpatched Android smartphone security flaws. And recent Android security struggles are at least part of why the FTC and the FCC are scrutinizing the mobile security update process now: A press release about the new project from the FCC cited a major Android bug called “Stagefright” that was discovered last year.
Both the FTC and the FCC have touched on mobile security before. In 2013, HTC agreed to settle FTC charges it had failed to reasonably secure software developed for its smartphones and tablet computers. Meanwhile, that same year the FCC issued a ruling that said telecommunications providers are responsible for securing the information they collect from consumers via their mobile devices.
But the distribution of companies in the new inquiry points to a jurisdictional split between the two agencies that may be why the government hasn’t broadly tackled the problem of delayed smartphone patches until now, according to Soghoian: Given that there are so many players, some of which are telecom companies, it was somewhat unclear which would end up taking the lead on the issue, he said.
In a way, that divide somewhat mirrors how companies involved in the Android update process have approached the issue, according to Soghoian.
“Everyone points fingers at everyone else. But then consumers are left with out-of-date, insecure devices that leave them vulnerable to criminals,” he said.
(c) 2016, The Washington Post · Andrea Peterson