Feds to wireless firms: Can you move faster on security patches?

The FCC and FTC want wireless operators and mobile device makers to explain why it takes so long to roll out fixes to vulnerabilities for mobile devices.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
2 min read

So what's the holdup on security patches anyway?

Nate Ralph/CNET

US regulators want to know how mobile phone makers and wireless carriers handle security vulnerabilities and why fixes seem to take so long.

The Federal Communications Commission and the Federal Trade Commission on Monday sent letters to fourteen companies, asking for details about how they release security updates.

The FCC sent letters to the four major US carriers -- AT&T, Sprint, T-Mobile and Verizon -- as well as to US Cellular and Tracfone. Meanwhile, the FTC targeted eight mobile device and software makers, including Apple, Google, and Samsung. The FCC said the agencies are trying "to better understand, and ultimately to improve, the security of mobile devices."

As consumers and businesses use mobile devices more and more, the agencies say they're concerned that communications and personal user information may be left vulnerable if devices don't get needed security patches. Security holes left unpatched can let attackers run programs on any computing device, gain access to sensitive documents, monitor network traffic, listen to keyboard activity, turn on a Webcam or turn a device into a tool that launches attacks on other devices.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user's device," the FCC said in its statement.

It specifically called out the "Stagefright" virus that affects devices running the Android operating system, which the agency says may affect almost 1 billion Android devices globally. "Stagefright" was discovered last July and it allows attackers to compromise an Android phone via text message. Several patches have been issued to deal with the issue, but the bug persists as attackers keep exploiting it in new ways.

The FCC said that even though operating system providers, equipment manufacturers and service providers have been responding to threats as they arise, millions of "consumers may be left unprotected, for long periods of time or even indefinitely" when the patches don't get to devices in a timely fashion. The agency points out that consumers with older devices are often at most risk, since their devices may never be patched.

CTIA, the wireless industry's lobbying group, defended the industry's efforts so far.

"Customers' security remains a top priority for wireless companies" John Marinho, vice president of technology and cybersecurity for CTIA. He added players in the industry work closely together to ensure consumers are protected, and as soon as companies release security updates that are thoroughly tested, carriers deploy them.