Change May Be on the Horizon for Mobile Security Updates
Will scrutiny from government agencies catalyze changes to mobile phone security updates?
The phone you carry in your pocket today is more powerful than most of the computers that sat on desktops and in data centers just a few years ago. The capabilities and features modern smartphones possess make them incredibly powerful tools and highly attractive targets for attackers, who are always looking for new ways to get to user data. As users have shifted more of their daily computing to their phones, attackers and security researchers have followed suit, finding a steady stream of security vulnerabilities in mobile operating systems.
Unfortunately, the vendors and carriers who control the production and distribution of security updates haven’t always been as quick to get those patches out. The government has begun to take notice of this inequity, and the FTC and FCC have sent letters to mobile device vendors and carriers, respectively, asking for information about how they develop patches, how those fixes are distributed to consumers, and, importantly, why there are sometimes delays in pushing updates for known vulnerabilities. The agencies do not mince words in the letters, asking whether there are instances when carriers and vendors deliberately delay patches and why some carriers and manufacturers don’t have regular patch release cycles.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched,” the letter from FCC Wireless Telecommunications Bureau Chief Jon Wilkins says.
The implications of the agencies’ demands are far-reaching, especially for Android device manufacturers and the carriers who sell Android devices. While Apple releases patches on a semi-regular schedule and pushes them out to all iPhone and iPad users at the same time, Android security updates are controlled by the carriers for the most part. And with the way that mobile contracts are structured, carriers are motivated to have consumers buy new devices on a regular basis rather than to give them updates for the software on their existing devices. Google, which controls the Android code base, issues monthly patches for the operating system and pushes them out to users of its Nexus devices, and some other manufacturers, including LG and Samsung, have regular updates as well. But it’s not the industry standard, and the FTC and FCC want to know why.
Android has been hit by a series of fairly major vulnerabilities in the last couple of years, the most serious of which was the Stagefright bug disclosed in 2015. That vulnerability affected more than a billion devices and gave attackers the ability to run arbitrary code on vulnerable phones. Some carriers responded more quickly than others to the Stagefright disclosure, and the FCC is interested in finding out whether carriers delay security updates for known flaws.
“Are there instances where [Carrier] knows of a vulnerability to OS or Required Software but does not release a security update to consumers or otherwise make the security update available? If so, why and how does [Carrier] protect consumer security in such instances?” the questions in Wilkins’ letter say.
At the same time, the FTC is looking for information from Microsoft, Apple, Google, and other device makers on their update processes. The interest from the federal government in this issue has been a long time coming, as security experts have been pointing to mobile updates as a problem for years. What the agencies do with the data they get back from the carriers and device manufacturers remains to be seen, but the fact that they are looking at the process is a good sign for users, who remain at the mercy of carriers and manufacturers for patches.