FCC and FTC studying how mobile carriers and device makers issue security updates
The federal agencies want to know how quickly companies patch flaws that could put you at risk.
Federal regulators are asking wireless carriers and mobile device makers to explain how and when they issue security updates.
The announcement Monday from the Federal Communications Commission and the Federal Trade Commission represents increased regulatory attention to a persistent threat to mobile networks and the devices that use them.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC said in a statement, noting also that older devices were often left out of the patching process, leaving them exposed.
The FCC’s announcement cited a particularly nasty Android vulnerability codenamed “Stagefright,” a flaw discovered in mid-2015 and described as one of the worst bugs in the operating system.
CTIA, a trade group representing wireless carriers, pushed back on widespread criticism that companies have been too slow in issuing updates.
“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS providers and OEMs,” John Marinho, the group’s vice president for technology and cybersecurity, said in a statement. “As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats.”
The joint inquiry follows a much-discussed 60 Minutes report that shed new light on a security flaw in a core piece of the global cellphone network, known as Signaling System No. 7. By exploiting the flaw, hackers were able to intercept phone calls and text messages on the phone of Rep. Ted Lieu (D-Calif.), who participated in the segment to raise awareness of the problem.
“I applaud the FCC and FTC for working together to try to ensure our mobile devices are updated with the latest patches to defend against cybersecurity vulnerabilities,” Lieu said in a statement to the Daily Dot. “With technology rapidly integrating with every aspect of our lives, policymakers can no longer treat cybersecurity as a niche ‘silo’ issue to be handled by a lone federal agency or department. I hope other agencies, as well as Congress, follow this example to come together to address crucial issues like protecting encryption and fixing the SS7 vulnerability.”
An FCC spokesman did not respond to an email asking whether renewed attention to SS7 flaws had prompted the inquiry.
The FCC’s wireless bureau asked carriers to describe whether they monitor their customers’ installation of security updates; what “hurdles” they face in deploying updates; how unpatched devices might “impact or harm” their networks; and whether they tell people about bugs affecting devices on their networks.
The commission also asked carriers about software that they preload onto phones sold in their stores—a much-maligned tactic, known as “bloatware,” that carriers borrowed from PC makers—including whether carriers or manufacturers were responsible for those apps’ security status.
The FTC’s letters went to Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung. Those companies are instructed to detail various aspects of their processes, including how they decide which products to patch; whether they have “written policies” governing the process; and what they tell customers about their devices’ update eligibility. They must also describe the vulnerabilities that have affected their products and explain whether they patched each one.
All of the companies have 45 days to file their reports with the two agencies.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.