Dear mobile device manufacturers and carriers: the US government has a lot of questions for you about how you’re protecting consumers from security vulnerabilities.
Earlier this week, the Federal Communications Commission (FCC) sent letters to mobile carriers seeking answers to questions about how they provide security updates to their customers.
At the same time, the Federal Trade Commission (FTC) is investigating the security update processes of eight mobile device manufacturers, including biggies Google, Apple, Samsung and HTC.
The FTC ordered the companies to respond to an exhaustively detailed questionnaire.
The FCC and FTC investigations into the issue of mobile security updates come nearly 10 months after a critical vulnerability in Android known as the Stagefright bug left 95% of Android devices – potentially 1 billion users – vulnerable to malicious media files.
The FCC’s statement on the inquiry noted that an “growing number of vulnerabilities” in mobile operating systems threaten the security and privacy of business and personal communications.
Yet the way mobile device manufacturers, OS providers and mobile carriers have responded to vulnerabilities can leave users unprotected “for long periods of time or even indefinitely,” the FCC said:
Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices – and that older devices may never be patched.
As Google announced in its second annual Android security report, released last month, about 30% of Android devices are running older versions of the OS that Google no longer supports with security updates.
Google began issuing monthly Android security updates, in August 2015, but only Google-manufactured Nexus devices get updates directly from Google.
Android is an open source OS, which allows carriers and mobile device OEMs to create their own custom versions of Android, and the vast majority of Android devices get security updates from the carriers, who may take months to push the updates out.
Apple’s security update process for iOS is tightly controlled by Apple, not the carriers, but its process for updating iDevices isn’t exactly transparent.
Other non-Android mobile device manufacturers, such as Microsoft and BlackBerry, have their own processes for issuing security updates.
How the mobile device makers decide which vulnerabilities to patch, and when, is precisely the kind of information the FTC is seeking in its order.
The FTC told the companies that it needs to explain which device models it supports with security updates, which models are no longer supported, how it determines which models receive the updates, and whether and how it communicates that information to consumers.
The FTC also demanded to know how the mobile device companies have responded to “each vulnerability that … could result in unauthorized code execution or compromise the confidentiality of consumer data.”
For each specific device model identified in response to Specification 5(A), please identify each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data. Describe in detail the Company’s response to the vulnerability…
The mobile device makers have 45 days to respond to the FTC.
Mahhn
I’d like to know why the FCC isn’t pushing for encryption for all cell communication. Since ISMI catchers can be purchased or built for as little as $1,500 to $1500. Anyone can ease drop on anyone’s conversations that are not encrypted. Just do a search for ISMI catchers.
Paul Ducklin
Correct me if I am wrong: this isn’t really about encryption but about authentication. The loophole in GSM that allows a phone to authenticate with a bogus base station was removed in UMTS, the successor to GSM, which requires each side to verify the other…
…except that most networks and phones allow fallback to old-school GSM.
If there is a way to turn GSM support off on your phone then I am guessing that you might lose coverage more frequently (no fallback) but also be immune to this sort of interception (no fallback).
Mahhn
I haven’t seen a way to let a phone pick which Cell signal to connect to., not to say it doesn’t exist. While at a sec conf last year I was talking with a guy who was testing some ISMI catching software on his phone, we saw 2 real towers and 4 fakes.
Bill Mitchell
One answer would be to halt any sales of mobile phones by any manufacturer or mobile service provider until ALL bugs are patched. The idea that you probably have a phone that is not supported is just bad anyway you look at it. Consumers need better protection and deserve it.
Paul Adams
You will never know whether all bugs are patched, so you are stopping the sale of products that use software!
Paul Ducklin
I guess the OP meant “known bugs.”
Laurence Marks
Wish they would have contacted the “cookie-cutter” tablet manufacturers too. Those folks are even worse than the cell phone manufacturers and carriers.
Brian T. Nakamoto
It’d be nice if Apple added the last software updates available to the devices—particularly Macs—listed on their “Vintage and obsolete products” page.
https://support.apple.com/en-us/HT201624
I suppose one could back it out from the “Apple security updates” page…
https://support.apple.com/en-us/HT201222
Mistersaxon
That last paragraph though – “please provide a list of exploitable backdoor holes for us that we can compare to the ones we have discovered for ourselves and/or bought from commercial hacking firms”
Anonymous
Agree updates are essential. I have an Sony android phone that I have lost confidence in due to the updates issue – not sure I would purchase another android device. I have issues with Apples walled garden but at least regular updates appear.
Kenneth Porter
Require that phones be able to use 3rd party firmware, so we can keep getting updates from 3rd parties (like CyangenMod) when the original vendor (say, Verizon) has dropped support for an older phone.