Top U.S. wireless carriers Verizon, AT&T, Sprint and T-Mobile were among a number of companies to be queried by Federal Communications Commission (FCC) and Federal Trade Commission (FTC) Monday as part of an investigation into mobile device security.
The FCC said Monday it reached out to at least six U.S. wireless carriers seeking information about their procedures for reviewing and releasing security updates. Additionally, the FTC has ordered eight mobile device manufacturers to provide information about how they issue security updates to address vulnerabilities across a variety of devices, including smartphones and tablets.
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use,” the FCC wrote in its press release. “There are, however, significant delays in delivering patches to actual devices—and older devices may never be patched.”
An FCC spokesman said Verizon, AT&T, T-Mobile, Sprint, U.S. Cellular and Tracfone were among the carriers queried by that agency. The FTC said the manufacturers involved in its investigation include Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics America.
In its letter to carriers, the FCC asked a total of 20 questions related to policies and practices surrounding device security. Questions included:
- Do any mobile devices on [Carrier]’s network run an OS that is modified for or is unique to [Carrier] and if so, what percent of the devices on [Carrier]’s network do they represent? With respect to such OS, is [Carrier] responsible for developing and providing security updates? Does [Carrier] face any additional issues or hurdles in releasing security updates for such OS to consumers? If so please explain in detail.
- To what degree does [Carrier] know whether a consumer has installed a security update to address OS or Required Software security vulnerabilities? If [Carrier] does not engage in practices to monitor such information, does [Carrier] have the technical ability to do so?
- To [Carrier]’s knowledge, what entities are involved in the updating process (e.g., original equipment manufacturer (OEM), OS or Required Software vendor, other) and can any of those entities other than [Carrier] individually release security updates for the consumer directly? What legal, security, or other permissions are required from any involved entities and does obtaining those permissions cause delay in release? If [Carrier] provides updates to consumers, are security updates generally released to all consumers at once? If not, please describe the security update release process and how it might affect different consumers, including those who transfer their device to [Carrier]’s network.
- Are there instances where [Carrier] knows of a vulnerability to OS or Required Software but does not release a security update to consumers or otherwise make the security update available? If so, why and how does [Carrier] protect consumer security in such instances
In addition to general information, the FCC is also seeking specific information on the carrier response to the Android “Stagefright” security threat, which it said may affect nearly one billion devices globally.
Similarly, FTC said it has asked the device manufacturers to outline the factors they consider when deciding whether to patch a particular vulnerability and provide detailed data on the specific mobile devices they have offered for sale to consumers since August 2013 – including the vulnerabilities that have impacted those devices and whether and when the company has patched those weaknesses.
Both the FCC and FTC have given the companies 45 days to respond to their queries.
The FCC said responses to the information requests will be shared with the FTC and serve to “inform discussions” about potential solutions.
Filed Under: Industry regulations + certifications