FCC and FTC studying how mobile carriers and device makers issue security updates
The federal agencies want to know how quickly companies patch flaws that could put you at risk.
Federal regulators are asking wireless carriers and mobile device makers to explain how and when they issue security updates.
The announcement Monday from the Federal Communications Commission and the Federal Trade Commission represents increased regulatory attention to a persistent threat to mobile networks and the devices that use them.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC said in a statement, noting also that older devices were often left out of the patching process, leaving them exposed.
The FCC’s announcement cited a particularly nasty Android vulnerability codenamed “Stagefright,” a flaw discovered in mid-2015 and described as one of the worst bugs in the operating system.
CTIA, a trade group representing wireless carriers, pushed back on widespread criticism that companies have been too slow in issuing updates.
“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS providers and OEMs,” John Marinho, the group’s vice president for technology and cybersecurity, said in a statement. “As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats.”
The joint inquiry follows a much-discussed 60 Minutes report that shed new light on a security flaw in a core piece of the global cellphone network, known as Signaling System No. 7. By exploiting the flaw, hackers were able to intercept phone calls and text messages on the phone of Rep. Ted Lieu (D-Calif.), who participated in the segment to raise awareness of the problem.
“I applaud the FCC and FTC for working together to try to ensure our mobile devices are updated with the latest patches to defend against cybersecurity vulnerabilities,” Lieu said in a statement to the Daily Dot. “With technology rapidly integrating with every aspect of our lives, policymakers can no longer treat cybersecurity as a niche ‘silo’ issue to be handled by a lone federal agency or department. I hope other agencies, as well as Congress, follow this example to come together to address crucial issues like protecting encryption and fixing the SS7 vulnerability.”
An FCC spokesman did not respond to an email asking whether renewed attention to SS7 flaws had prompted the inquiry.
The FCC’s wireless bureau asked carriers to describe whether they monitor their customers’ installation of security updates; what “hurdles” they face in deploying updates; how unpatched devices might “impact or harm” their networks; and whether they tell people about bugs affecting devices on their networks.
The commission also asked carriers about software that they preload onto phones sold in their stores—a much-maligned tactic, known as “bloatware,” that carriers borrowed from PC makers—including whether carriers or manufacturers were responsible for those apps’ security status.
The FTC’s letters went to Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung. Those companies are instructed to detail various aspects of their processes, including how they decide which products to patch; whether they have “written policies” governing the process; and what they tell customers about their devices’ update eligibility. They must also describe the vulnerabilities that have affected their products and explain whether they patched each one.
All of the companies have 45 days to file their reports with the two agencies.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.