Regulators want answers on delayed security updates for smartphones

Regulators have started scrutinizing smartphone makers and wireless carriers about how they issue software updates and patch security vulnerabilities. 

The Federal Trade Commission has ordered eight companies that make mobile devices, including Apple, Google, and Blackberry, to answer questions about how they patch security holes and what factors they consider when deciding when to issue an update. The FTC also wants a list of past security vulnerabilities.

The Federal Communications Commission also sent letters to the major mobile phone carriers, such as Verizon and AT&T, to see what role they play in issuing device updates. 

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” FCC wireless chief Jon Wilkins wrote in a letter to the companies. 

The probe appears to be a reaction to a flaw in the Android smartphone operating system, called “Stagefright,” that was found last year. At the time, researchers said nearly 1 billion devices could be vulnerable to bad coding in video passed along through text message.

Android, owned by Google, sends monthly notifications to device manufacturers on security issues. But it is up to device manufacturers and wireless carriers to actually issue those updates to customers. 

Phones running the Android operating system are seen as much more vulnerable to this kind of update delay because the open-source code is used by a number of different smartphone makers. That is in contrast to Apple, which manufactures its devices and controls the operating system.

Apple says that 84 percent of its devices are using its latest iOS 9 software. Statistics show that only 7.5 percent of devices running Android have the latest version of its software, called “Marshmallow.”

“We appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise,” Wilkins wrote in the letter. “We are concerned, however, that there are significant delays in delivering patches to actual devices — and that older devices may never be patched.”

The American Civil Liberties Union in 2013 filed a complaint with the FTC against wireless carriers for selling millions of smartphones that never receive the necessary security updates. 

The announcement also comes amid a high-profile fight between Apple and the Justice Department over encryption. 

The Justice Department earlier this year dropped its lawsuit against Apple to force it to unlock a phone of the San Bernardino shooters after a third party sold an exploit to the government to open the phone.

The FBI has said it would not tell Apple about the software vulnerability because it does not have enough technical information about it. 

— Updated at 3:55 p.m.