US zooms in on mobile security updates… or the lack of them

US regulators have launched an inquiry to discover how exactly iPhone and Android smartphone patches are distributed and whether consumers can find out if and when they’re available.

US telecoms regulator the Federal Communications Commission (FCC) and consumer watchdog the Federal Trade Commission (FTC) have launched a joint inquiry into the state of smartphone security. While the focus is on US carriers and US handset makers, the inquiry may have implications for consumers in other jurisdictions.

One of the main issues is how long it takes for end-user devices to receive patches distributed by operating system (OS) vendors, if they receive them at all. Today that basically means Apple and Google, for iOS and Android respectively.

The FCC highlights the Stagefright bugs discovered last July — which affected 95 percent of all Android devices and prompted Google, Samsung and LG into monthly security updates — as one of the motivations for launching the investigation.

One of the chief concerns is the delay between the OS vendor creating patches and those patches reaching end-user devices.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched,” the FTC said in a statement.

The FTC has sent a set of questions about update practices to OS and device makers including Apple, Blackberry, Google, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America.

The FCC has sent a separate set of questions to US carriers, including AT&T, Verizon, T-Mobile, Sprint, U.S. Cellular, Tracfone Wireless, and T-Mobile US.

The companies have 45 days to respond to the respective orders by the FCC and FTC.

Google-backed research carried out by the UK's University of Cambridge last year found that nearly 90 percent of 20,000 Android devices in the study were exposed to at least one critical bug. The researchers blamed device makers rather than carriers for failing to distribute patches to end-user devices. In the US, carriers are often blamed for failing to deliver security updates.

The FTC wants to know what obstacles carriers face in delivering updates to devices and where the blame lies for some devices not receiving patches.

When Google announced its monthly updates for Nexus Android devices, which Samsung said it would follow for select Galaxy devices, an HTC US exec said it would not commit to monthly updates, suggesting that carriers prioritised patches for larger vendors due to resource constraints on the carrier side. The exec also highlighted that patching unlocked devices, including Google’s Nexus devices, was different from patching carrier-specific devices.

The FCC asks carriers to explain in detail the circumstances behind a situation where mobile devices on a network run a modified OS that is unique to the network and whether the carrier is responsible for developing and providing the updates to users.

The FCC goes on to ask if carriers face hurdles in getting consumers to install updates and whether the carrier knows whether updates are actually installed.

It also asks whether the carrier is concerned if it knows whether consumers have installed updates and whether carriers offer consumers a website where they can check if their devices are up to date.

Finally, the FCC wants to find out whether carriers have made commitments in line with Google and Samsung to release monthly updates.
