The FCC and the FTC in the US have launched investigations into how companies release their mobile security patches. The investigation is said to centre around how some companies review their security updates and then release them via OTA, while also looking into the lack of consistency amongst device makers, as some receive security updates while others are left vulnerable.
While the FCC is getting in touch with US networks like AT&T, Verizon and Sprint, the FTC is getting in touch with device manufacturers to get their input on the state of mobile security and the process of putting out a patch.
It turns out that this is happening as the FCC is worried about OS-wide bugs, like Stagefright, which appeared on Android last year. While Google did put a patch out for several Android vulnerabilities, including Stagefright, later in 2015, not every device has had the update, and that lack of consistency is apparently what the FCC is worried about, according to The Verge.
The FCC’s official post on the matter reads:
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched.”
KitGuru Says: It is true that some Android device makers are more concerned about security updates than others. I imagine there are still plenty of smartphones out there that haven’t had the Stagefright patch yet despite it being quite a dangerous bug. Do you guys think rules should be put in place for smartphone makers to ensure timely security updates for OS-wide problems? It would make sense for more smartphone makers to ensure their customers are secure.