The FCC and FTC are demanding information from wireless carriers and device manufacturers on their processes for developing and deploying security updates, including whether carriers delay updates for operating systems with known vulnerabilities or stop offering patches for older versions of an OS.
The letter from the FCC went to all of the major United States mobile carriers. In it, FCC Wireless Telecommunications Bureau Chief Jon Wilkins expressed concern about how quickly carriers develop and release security updates for devices on their networks.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched,” the letter says.
The issue of delayed or non-existent security updates is especially acute in the Android ecosystem. In the U.S., carriers are responsible for issuing security patches to their customers and many of them have adopted a practice of not issuing updates, especially for older devices. The preference is for consumers to buy new devices with the latest version of Android. Google, which runs the Android Open Source Project, releases monthly security fixes for the operating system, which the company sends to customers on its Nexus devices. But for users of other devices, it’s up to the carrier to release fixes.
In addition to the FCC’s questions, the FTC also has sent an order to device manufacturers, including Apple, Google, Samsung, BlackBerry, HTC, and Microsoft, asking for information on their security update processes. The questions are similar to the ones asked by the FCC, and the FTC is requiring manufacturers to respond by the middle of June.
The series of questions sent by the FCC to the carriers includes queries about circumstances in which they might not release a patch right away.
“Are there instances where [Carrier] knows of a vulnerability to OS or Required Software but does not release a security update to consumers or otherwise make the security update available? If so, why and how does [Carrier] protect consumer security in such instances?” the questions attached to Wilkins’ letter say.
The letter also asks several specific questions about the Stagefright vulnerability and the carriers’ response to it. Stagefright is one of the more serious and widespread vulnerabilities to affect Android; it allowed an attacker to gain code execution on vulnerable devices by sending a malicious MMS message. The bug affected hundreds of millions of devices, and in the aftermath of the disclosure in 2015, Google, LG, and Samsung all said they would begin releasing regular security updates for Android devices. In his letter, Wilkins asks whether other carriers have done the same.
“Has [Carrier] made a similar commitment to expedite the release of the monthly security updates as they become available? Have such monthly updates been made available and, if so, has [Carrier] begun to release those updates as they become available? How many have been made available and how many has [Carrier] released?” the letter asks.
Security researchers have pointed to the Android update process as one of the weaker links in the mobile security ecosystem. For iPhone users, Apple releases updates to users directly and all at the same time. The updates are fairly regularly scheduled, and Apple notifies users when an update is available on their devices.
Wilkins also asks in his letter whether carriers have the ability to monitor how many users have installed a given security update and, if so, whether they use that capability.