The U.S. Federal Trade Commission (FTC) and the U.S. Federal Communications Commission (FCC) have launched a joint effort to understand the processes wireless service providers (e.g., AT&T, Verizon Wireless, T-Mobile, Sprint) use to review and distribute security updates to users' mobile devices. Also:
"... the FTC has ordered eight mobile device manufacturers to provide the agency with information about how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices."
The FCC announcement cited mobile operating-system vulnerabilities, Stagefright in particular, as a key reason for the agencies' joint action:
"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including “Stagefright” in the Android operating system, which may affect almost 1 billion Android devices globally."
Usually, a consumer has to open a file or link attached to a text message or email before their device can be infected. Not so with Stagefright. Stagefright is not itself malware but a set of vulnerabilities in Android's media-processing library (libstagefright) that malware can exploit. ZDNet explained just how dangerous these flaws are for mobile devices that have not received the security updates that fix them:
"Then, there's Stagefright. With malware based on this security hole all you need to do is to get a text on your unpatched Android device, and, bang, you're hacked. Stagefright can attack any Android smartphone, tablet, or other device running Android 2.2 or higher... Stagefright holds up your device by being sent to you as a multimedia text message... The really sneaky part is you don't need to watch the [attached video]. If you're using Google's Hangouts app, you don't even need to open your text message app. All the attacker needs to do is send a poisoned package to your phone number. It then opens up your device, and the attack starts. This can happen so fast that by the time your phone alerts you that a message has arrived, you've already been hacked."
The letter from the FCC to wireless service providers:
"May 9, 2016
As you know, one of the Commission’s top priorities is the promotion of safety and security of communications. This is a priority that is shared by our colleagues at the Federal Trade Commission (FTC).
As our nation’s consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, from the most sensitive to the most trivial, the safety and security of their communications and other personal information is directly related to the security of the devices they use.
There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it. One of the most significant to date is a vulnerability in the Android component called “Stagefright.” It may have the ability to affect close to 1 billion Android devices around the world. And there are many other vulnerabilities that could do just as much harm.
Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.
In partnership with the FTC, we have launched a joint effort to better understand, and ultimately to improve, the mobile security “ecosystem.” The FCC is contacting the service provider community to better understand the role that they play in ensuring the security of mobile devices. The FTC is separately seeking information from operating system providers and original equipment manufacturers. We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities—and what can be done to improve mobile device consumer safety and security in the future.
As a first step, I request that you provide us with your detailed responses within forty-five (45) days of the date of this letter. If you request confidential treatment for your responses, your responses will be treated confidentially (see 47 CFR § 0.459(d)(3)) but please be aware that we intend to share all responses with the FTC, as we are permitted to do pursuant to 44 U.S.C. § 3510, and we ask that you state in your response, pursuant to 47 CFR § 0.442, that you do not oppose such disclosure.
Once we receive your responses, we look forward to meeting with your representatives to review your answers and learn your perspectives on possible next steps. Should you have any questions, please feel free to contact Charles Mathias on my staff. Thank you in advance for your help in this important undertaking.
Wireless Telecommunications Bureau
Federal Communications Commission"
The specific questions the FCC and FTC seek responses to:
1. Does [Carrier] face issues or hurdles in releasing security updates for operating systems (OS) to consumers? If so, please explain in detail.
2. Do any mobile devices on [Carrier]’s network run an OS that is modified for or is unique to [Carrier] and if so, what percent of the devices on [Carrier]’s network do they represent? With respect to such OS, is [Carrier] responsible for developing and providing security updates? Does [Carrier] face any additional issues or hurdles in releasing security updates for such OS to consumers? If so please explain in detail.
3. Similarly, are there devices intended for deployment on [Carrier]’s network that have been loaded at [Carrier]’s direction with special software beyond the OS or applications to monitor device or network performance or similar metrics (Required Software)? With respect to such Required Software, is [Carrier] responsible for developing and providing security updates? Does [Carrier] face issues or hurdles in releasing security updates for Required Software to consumers, regardless of who is responsible for developing such updates?
4. Does [Carrier] face particular issues or hurdles in getting consumers to install updates for either a modified OS or Required Software on mobile devices as they are made available?
5. To what degree does [Carrier] know whether a consumer has installed a security update to address OS or Required Software security vulnerabilities? If [Carrier] does not engage in practices to monitor such information, does [Carrier] have the technical ability to do so?
6. To the extent that [Carrier] does not know whether individual consumers have installed updates to address security vulnerabilities in an OS or Required Software, is [Carrier] concerned about this lack of knowledge?
7. Could un-patched, non-updated devices on [Carrier]’s network impact or harm the functionality of that network or [Carrier]’s ability to provide effective service to other consumers who have patched and installed security updates on their devices?
Development and Release of Security Updates Questions
8. To [Carrier]’s knowledge, what entities are involved in the updating process (e.g., original equipment manufacturer (OEM), OS or Required Software vendor, other) and can any of those entities other than [Carrier] individually release security updates for the consumer directly? What legal, security, or other permissions are required from any involved entities and does obtaining those permissions cause delay in release? If [Carrier] provides updates to consumers, are security updates generally released to all consumers at once? If not, please describe the security update release process and how it might affect different consumers, including those who transfer their device to [Carrier]’s network.
9. Do any of these answers differ for devices running different operating systems (e.g., Android, Windows, iOS, CyanogenMod, Blackberry, etc.)? If so, describe in detail. Is the process different for devices that are ported to [Carrier]’s network? If so, describe in detail.
10. As a general matter, are security updates that have been made available or provided to [Carrier] by an OEM or OS or Required Software vendor in response to an identified security vulnerability regularly reviewed and/or released by [Carrier]? If so, how long does this process take? If not, please explain.
11. What considerations does [Carrier] generally take into account when determining the prioritization and timing of release of a security update (i.e., severity of vulnerability, whether it can be rolled into another planned update, etc.)?
12. What data does [Carrier] maintain about security updates that have been made available to [Carrier] and the actions [Carrier] has taken in response?
13. Does [Carrier] provide updates to consumers with vulnerabilities on their mobile devices or make available a website where consumers can easily check the vulnerability status of their device and download required patches? If so, what are the steps and typical time frames from the discovery of a vulnerability to the consumer receiving an update that resolves the vulnerability—or making that vulnerability available for download?
14. Are there instances where [Carrier] knows of a vulnerability to OS or Required Software but does not release a security update to consumers or otherwise make the security update available? If so, why and how does [Carrier] protect consumer security in such instances?
15. Does [Carrier] discontinue security update support for mobile devices? How does [Carrier] decide when to discontinue security update support? Are consumers notified at the time of sale how long security updates will be provided or supported for their device by [Carrier]? Are consumers notified when security updates to their mobile devices are no longer supported? What are consumers’ options for protecting themselves against security vulnerabilities after such discontinuance by [Carrier]?
16. What information or notices regarding security update support does [Carrier] provide to customers who port or bring their device when they sign up for [Carrier]’s service?
17. When and how did [Carrier] first become aware of vulnerabilities in the Android libstagefright library (commonly known as Stagefright)?
18. How many models of mobile devices on [Carrier]’s network were or might/could have been impacted by Stagefright vulnerabilities?
19. How many models of mobile devices on [Carrier]’s network remain vulnerable to the Stagefright vulnerabilities? Approximately how many such devices remain active on the network? How many of these devices have a customized OS provided by the [Carrier]?
20. Following expressions of public concern surrounding the Stagefright vulnerabilities, Google, Samsung, and LG committed to releasing monthly security updates for mobile devices. Has [Carrier] made a similar commitment to expedite the release of the monthly security updates as they become available? Have such monthly updates been made available and, if so, has [Carrier] begun to release those updates as they become available? How many have been made available and how many has [Carrier] released?
It will be interesting to see which companies respond on time with complete answers, which stall or give evasive answers, and which refuse to respond at all.
The agencies' joint action is good news for both consumers and employers. Many consumers own mobile devices that never receive security updates, and many employers have bring-your-own-device (BYOD) policies that let employees use those same personal devices for company business, so an unpatched personal phone can expose company data as well as the owner's.
Everyone wants secure mobile devices. Everyone needs secure mobile devices.