Federal regulators are asking wireless carriers and mobile device makers to explain how and when they issue security updates.
The announcement Monday from the Federal Communications Commission and the Federal Trade Commission represents increased regulatory attention to a persistent threat to mobile networks and the devices that use them.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC said in a statement, noting also that older devices were often left out of the patching process, leaving them exposed.
The FCC’s announcement cited a particularly nasty Android vulnerability codenamed “Stagefright,” a flaw discovered in mid-2015 and described as one of the worst bugs in the operating system.
CTIA, a trade group representing wireless carriers, pushed back on widespread criticism that companies have been too slow in issuing updates.
“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS providers and OEMs,” John Marinho, the group’s vice president for technology and cybersecurity, said in a statement. “As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats.”
The joint inquiry follows a much-discussed 60 Minutes report that shed new light on a security flaw in a core piece of the global cellphone network, known as Signaling System No. 7. By exploiting the flaw, hackers were able to intercept phone calls and text messages on the phone of Rep. Ted Lieu (D-Calif.), who participated in the segment to raise awareness of the problem.
“I applaud the FCC and FTC for working together to try to ensure our mobile devices are updated with the latest patches to defend against cybersecurity vulnerabilities,” Lieu said in a statement to the Daily Dot. “With technology rapidly integrating with every aspect of our lives, policymakers can no longer treat cybersecurity as a niche ‘silo’ issue to be handled by a lone federal agency or department. I hope other agencies, as well as Congress, follow this example to come together to address crucial issues like protecting encryption and fixing the SS7 vulnerability.”
An FCC spokesman did not respond to an email asking whether renewed attention to SS7 flaws had prompted the inquiry.
The FCC’s wireless bureau asked carriers to describe whether they monitor their customers’ installation of security updates; what “hurdles” they face in deploying updates; how unpatched devices might “impact or harm” their networks; and whether they tell people about bugs affecting devices on their networks.
The commission also asked carriers about software that they preload onto phones sold in their stores—a much-maligned tactic, known as “bloatware,” that carriers borrowed from PC makers—including whether carriers or manufacturers were responsible for those apps’ security status.
The FTC’s letters went to Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung. Those companies are instructed to detail various aspects of their processes, including how they decide which products to patch; whether they have “written policies” governing the process; and what they tell customers about their devices’ update eligibility. They must also describe the vulnerabilities that have affected their products and explain whether they patched each one.
All of the companies have 45 days to file their reports with the two agencies.