FTC, FCC want to know more about how carriers and manufacturers issue security updates

The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) have embarked on a joint fact-finding mission of sorts to better understand how security is handled by mobile device manufacturers. As part of the joint inquiry, the FTC notes that it has issued orders to eight companies to gauge how each issues security updates. In all, the FTC's probe includes Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung.

While the FTC has opted to reach out to manufacturers, the FCC says that it is contacting carriers to better understand their role in the process. In its letter to carriers, the FCC states that its main concern is that there are "significant delays" in patching vulnerabilities on devices.

"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched."

Of particular note is that the FCC specifically calls out the recent Stagefright Android vulnerability that gained quite a bit of attention in late 2015.

It's important to note that this appears to simply be a fact-finding mission for now, and the parties have 45 days to issue a response to the inquiry. If you're interested, you can also read the list of questions sent to carriers by the FCC.

Dan Thorp-Lancaster
43 Comments
  • I bet AT&T is sh*tting their pants right about now (along with Verizon).
  • For Verizon it's easy. They don't.
  • Yeah, or how they fail to update. AT&T hasn't released one for my Note 5 since February.
  • Angry line starts behind the Droid turbo 1 owners. Posted via the Android Central App
  • Got one on my Note 4 last week. How odd. AT&T Galaxy Note 4
  • I am sure AT&T will come with some reason as to why they delay the updates for the phones on their network. I think this can only be a good thing. Posted via the Android Central App
  • I would like to see what they have to say in response to the questions. I just read through them. A lot of great questions asked.
  • I doubt this will bother any US carriers. They'll forward the questions to their legal department, and the responses will be so filled with qualifiers and double-speak as to be completely meaningless. I'm disturbed that the FCC letter to carriers says that they'll grant confidentiality to the responses. After reading the questions, I don't see ANY that would reveal any honest trade secrets. In fact, the responses (if answered honestly and in a straightforward manner) would only reveal significant aspects of customer relations that customers should have a right to know of.
  • It's not just the FCC that's involved. The FTC, which is tasked with protecting consumers, is also.
  • "20. Following expressions of public concern surrounding the Stagefright vulnerabilities, Google,
    Samsung, and LG committed to releasing monthly security updates for mobile devices. Has
    [Carrier] made a similar commitment to expedite the release of the monthly security updates as
    they become available? Have such monthly updates been made available and, if so, has [Carrier]
    begun to release those updates as they become available? How many have been made available
    and how many has [Carrier] released?" Oh man, I really want to hear AT&T's answer for this question. Watch them blame all OEMs for not sending AT&T the monthly updates.
  • Yeah, but what the FCC missed here is that Samsung and LG have both failed to meet their self-proclaimed commitment to release monthly security updates for mobile devices in regions and for models that are sold directly to customers.
  • FTC and FCC are only concerned for customers in the US. The respective equivalent agencies will have to look in other regions.
  • Or watch the carriers impose another Fee for giving you updates faster, a nice $20 a month additional fee to everyone will probably do, still get charged if your phone is considered out of date too
  • I only buy unlocked devices. I don't want to wait until Telus gets its stuff together. Posted via the Android Central App on my BlackBerry Passport
  • Good. Maybe they'll shame Motorola for abandoning the just-over-2.5-year-old first gen. Moto X. So many unpatched vulnerabilities on this phone right now.
  • Good, get all over Verizon (and AT&T). Posted via the Android Central App
  • Don't we all, don't we all..... Posted via the Android Central App
  • Perhaps an eventual action by the FTC and FCC is what it will take for updates to occur, or at a minimum, for patches to occur.
  • I want to see AT&T's answer for the questions. They suck in delivering updates. And for all platforms. Whatever they carry. Had my flash s6 with the update files. OTA is still MIA. Posted via the Android Central App
  • If their response is as slow as update process they will be in trouble. Posted via the Android Central App
  • Lol Posted via the Android Central App
  • #nexusmasterrace Posted via my glorious Nexus 6P
  • Did anyone hear about play music getting voice controls? Posted via the Android Central App
  • Wonder how AT&T is going to spin this? They have updates from manufacturers...and sit on them. They are a multi-billion dollar for-profit company. They have the manpower. Dis gon be good!
  • Well, um? Huh, that, uh, you know, yeah, that thing, uh, uh. Gotta go.
  • Motorola and Verizon should be screwed by this but they won't be. Hands down a Moto phone on Verizon is always the last to get any updates of any kind. Then comes Samsung.
  • Ok people pissed at Bell about updates. Line up starts behind me. Maximum two complaints per person. Posted via the Android Central App
  • When it comes to Verizon, either not-even-close-to-fashionably late or not at all (as in never)!
  • Well, I can tell you my Samsung Galaxy Note 4 on the T-Mobile network is still on the November security update, and I've made a stink about it and still nothing from either Samsung or T-Mobile. One of them is looking at a class action lawsuit. This is total BS. Posted via the Android Central App
  • I've said before, it's going to take a major security lapse that costs end-users money - resulting in lawsuits - before the carriers change their obstructionist ways regarding updates. Even then, the carriers will do the absolute minimum to make it appear they are improving. We can only hope the FTC/FCC probe bypasses this painful lesson to evoke change any sooner. The carriers are deeply entrenched in the myth that they represent anything more than a dumb pipe for users to access networks. They will kick and scream every inch of the way, insisting that their security update obstructions are actually somehow for the betterment of the user experience of their users. The vast majority of their users just want a device to work, and don't know or recognize the risks of delayed security updates. Only after an attack costing users money, which exploits a long-patched security hole that the carriers failed to deploy, will the majority of users begin to pay attention and demand change. Sadly, it could be a painful lesson for many to learn, depending on the size of attack and what it costs the users to recover.
  • Wish something like this was addressed in UK. Do we have anything remotely similar to the FCC? Posted via the Android Central App
  • “Uh, well, you see, um, the reasons these updates were delayed are......” *insert exponentially long wait time here* (I live by 3 words. fastboot flashing unlock)
  • ANY amount of government pressure on these POS OEMs and carriers for updates is appreciated. It's time they got their crappy acts together.
  • We all know it is Google, Android OEMs and Carriers who are the target of this probe. I guess Apple is being asked questions to find out how they've managed to get OS and security updates so right. 87.7% of all Android devices have not been patched for critical vulnerabilities going back 4 years and it takes 18 months for 20% of the world’s Android devices to be patched for just one critical vulnerability while the other 80% never get fully patched according to a multi-year study by Cambridge University. As a result, no matter how fast Google releases patches for these Android vulnerabilities, most Android devices will remain vulnerable to malicious exploits of that vulnerability for years.
    The upshot of this is that it is Android that had 32.8 million devices infected in 2012 alone by 65,557 different malware variants according to InQ Mobile. Cisco, F-Secure and Kaspersky all report that Android users are the targets of 97-99% of the mobile malware in the world. Symantec detected 9,839 cumulative Android malware variants in 2014. That year, it reported that an incredible 17% of Android apps were malware in disguise. This is why Android is called a "Toxic Malware HellStew". And only 7% of Android devices have got Android 6.0 Marshmallow, over half a year after it was released compared to 80% of iOS devices running iOS 9 which was released at the same time.
    It's past time that Google and their platform partners be called to account for Android’s abominable software and security update record.
  • I'm all for security updates, but wait- watch all the carriers find a way to add even more bloatware to your phone along with those updates. Posted via the Android Central App
  • Some OEMs and even carriers have been pretty good with security updates. That being said, security updates should come ASAP and not always wait for a large release tied into the OS. I like what Google and others to a limited extent are doing, but there is still room for improvement, especially for older devices.
  • Here is a case where even the anti-government folks can agree - we need security updates! I hope the FCC opens this to public comments. Time to stock up on popcorn and let the show begin. Posted via the Android Central App
  • Just ban carrier firmware and ugly logos and tell the carrier to be dumb pipes since they have no expertise messing up the OS. Especially useless Verizon. Posted via the Android Central App
  • I disagree. They have a lot of expertise messing up the OS.
  • I'm wondering how this will affect things. I can see the FCC or FTC forcing the manufacturers and carriers to comply with Google's security update schedule or face penalties, which could narrow the field of available phones a bit.
  • Good. If they can't keep it patched, they can't sell it. Posted via the Android Central App
  • Hopefully Australia's equivalents (ACMA and ACCC) follow suit (taking Telstra in particular to task since they seem to be the lagging carrier over here). Posted via my Nexus 5X
  • They should start with LG that does nothing at all.... Posted via the Android Central App