
FTC, FCC want to know more about how carriers and manufacturers issue security updates

Touch ID sensors on multiple iPhones (Image credit: iMore)

The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) have embarked on a joint fact-finding mission of sorts to better understand how security is handled by mobile device manufacturers. As part of the joint inquiry, the FTC notes that it has issued orders to eight companies to gauge how each issues security updates. In all, the FTC's probe includes Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung.

While the FTC has opted to reach out to manufacturers, the FCC says that it is contacting carriers to better understand their role in the process. In its letter to carriers, the FCC states that its main concern is that there are "significant delays" in patching vulnerabilities on devices.

Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.

It's important to note that this appears to simply be a fact-finding mission for now, and the parties have 45 days to issue a response to the inquiry. If you're interested, you can also read the list of questions sent to carriers by the FCC.

  • It's possible the reason they want to understand it better is so they can learn how to push updates to. And they are selling it like they are improving security but they are actually weakening it. Or am I just a tad bit paranoid because that was my first thought on this? Sent from the iMore App
  • No, you're not paranoid. It's often been said that the biggest possible attack vector for any modern OS is the update mechanism.
  • Yes, you're paranoid. The amount of time it takes to get security updates to phones is way too long for many and there are too many steps along the way. This is a legitimate issue. All security patches should be able to be pushed directly to phones.
  • My first thought was they would like to be able to insert their own code, possibly as a means to allow warrantless access to anyone and everyone's smartphone.
  • I think it's more likely that users are complaining that Android in the field has an abysmal update rate. IIRC, 90% of all patchable iOS devices (iPhone 4s/iPad 2 and newer) are on the latest version of iOS. Whereas only 10% of Android devices are on the latest. The difference being that handset and mobile carriers don't propagate Android updates to users; this may be a strategy to conserve resources and encourage upgrades.
  • Oh, most definitely. They figure that if they don't update their devices that it's a surefire way to make people buy new devices. Sure, from a marketing standpoint it's pure genius since that keeps people forever on the upgrade treadmill, but from a security standpoint it's horribly bad for users, their devices, and the security of the data they store on their devices. This is the chief reason why I went to the iPhone, why I defend the iPhone, and why I try and convince people who I know to convert to the iPhone. Apple stands by their users. It doesn't matter how old your device is, it will be supported and get iOS updates. It doesn't matter if it's a two-year-old phone, three years, or even four years old, it will get iOS updates. Two-year-old Android? More than two-year-old Android? Forget about it, fat chance of that happening. So yes, when it comes to the iPhone I will do what I can to convert as many people to the iPhone as I can. Apple stands by their users whereas the Android OEMs don't care one bit about you and your device past the point of you handing your money over to them; it's a done deal in their minds. The Android OEMs figure that they don't have to care about you anymore, they already have your money. Want software updates? Silly user, go buy a new device instead!
  • What I have always suggested is to ONLY release devices in pure form like Apple does with iOS, and Google does with the Nexus line. Bloatware from individual manufacturers and carriers, as UI customizations should be available through app stores if anyone wants them. Sure, some will say UI run in vanilla aka pure form of a certain OS is boring, but it is the only way to fix the gap between updates, and should make it mandatory to support a device a minimum of 30 to 36 months in order to reflect the actual situation for the average smartphone owner who does not change devices once a year or more.
  • This is what Apple is good at.
  • The updates aren't even the only thing Apple is good at. The iOS experience is the most consistent out there. Sent from the iMore App