FCC and FTC studying how mobile carriers and device makers issue security updates
The federal agencies want to know how quickly companies patch flaws that could put you at risk.
Federal regulators are asking wireless carriers and mobile device makers to explain how and when they issue security updates.
The announcement Monday from the Federal Communications Commission and the Federal Trade Commission represents increased regulatory attention to a persistent threat to mobile networks and the devices that use them.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC said in a statement, noting also that older devices were often left out of the patching process, leaving them exposed.
The FCC’s announcement cited a particularly nasty Android vulnerability codenamed “Stagefright,” a flaw discovered in mid-2015 and described as one of the worst bugs in the operating system.
CTIA, a trade group representing wireless carriers, pushed back on widespread criticism that companies have been too slow in issuing updates.
“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS providers and OEMs,” John Marinho, the group’s vice president for technology and cybersecurity, said in a statement. “As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats.”
The joint inquiry follows a much-discussed 60 Minutes report that shed new light on a security flaw in a core piece of the global cellphone network, known as Signaling System No. 7. By exploiting the flaw, hackers were able to intercept phone calls and text messages on the phone of Rep. Ted Lieu (D-Calif.), who participated in the segment to raise awareness of the problem.
“I applaud the FCC and FTC for working together to try to ensure our mobile devices are updated with the latest patches to defend against cybersecurity vulnerabilities,” Lieu said in a statement to the Daily Dot. “With technology rapidly integrating with every aspect of our lives, policymakers can no longer treat cybersecurity as a niche ‘silo’ issue to be handled by a lone federal agency or department. I hope other agencies, as well as Congress, follow this example to come together to address crucial issues like protecting encryption and fixing the SS7 vulnerability.”
An FCC spokesman did not respond to an email asking whether renewed attention to SS7 flaws had prompted the inquiry.
The FCC’s wireless bureau asked carriers to describe whether they monitor their customers’ installation of security updates; what “hurdles” they face in deploying updates; how unpatched devices might “impact or harm” their networks; and whether they tell people about bugs affecting devices on their networks.
The commission also asked carriers about software that they preload onto phones sold in their stores—a much-maligned tactic, known as “bloatware,” that carriers borrowed from PC makers—including whether carriers or manufacturers were responsible for those apps’ security status.
The FTC’s letters went to Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung. Those companies are instructed to detail various aspects of their processes, including how they decide which products to patch; whether they have “written policies” governing the process; and what they tell customers about their devices’ update eligibility. They must also describe the vulnerabilities that have affected their products and explain whether they patched each one.
All of the companies have 45 days to file their reports with the two agencies.
Eric Geller is a politics reporter who focuses on cybersecurity, surveillance, encryption, and privacy. A former staff writer at the Daily Dot, Geller joined Politico in June 2016, where he's focused on policymaking at the White House, the Justice Department, the State Department, and the Commerce Department.