FCC, FTC Push Mobile Carriers, Device Makers On Security Risks From Lack Of Updates

The “Stagefright” set of vulnerabilities, which affected almost a billion Android devices, got both the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) interested in how manufacturers update their devices to protect consumers against malware and hacking. The ACLU had already warned them about this issue three years ago.

Stagefright, The Catalyst For The Investigations

Google insisted in the beginning that the Stagefright vulnerabilities that allowed remote code execution weren’t so serious because of various built-in Android protections, but they were later discovered to be inadequate by the company’s own engineers. Google’s anti-malware service may help mitigate the issue to a certain degree, but like any antivirus-like product, it can only protect against vulnerabilities or exploits it already knows about. Therefore such a solution is not a proper long-term fix.

Google also ended up overhauling the mediaserver library for the next version of Android (N) so that it’s split into multiple sandboxed components with less access to system resources. Additionally, it started sanitizing the code to eliminate most integer overflow bugs, which were the main cause for the Stagefright vulnerabilities.
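The integer-overflow class mentioned above is easy to see in a length computation: a media container header declares how many fixed-size entries follow, the parser multiplies count by size, and a 32-bit product that wraps yields an allocation far smaller than the data that is then copied into it. The following is an added example written for this article, not Google's mediaserver code; the `chunk_header` layout, the helper names and the 16 MiB cap are constructed for illustration. It shows the unchecked computation beside a checked one that rejects the chunk instead of truncating the size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical container chunk header (constructed for this example):
 * a chunk announces how many fixed-size entries follow it. */
struct chunk_header {
    uint32_t entry_count;
    uint32_t entry_size;
};

/* Unchecked size computation: the 32-bit multiply wraps silently, so a
 * hostile header can make a huge entry table look like a few bytes.
 * This is the pattern the sanitization work aims to eliminate. */
uint32_t unchecked_table_size(const struct chunk_header *h)
{
    return h->entry_count * h->entry_size;
}

/* Checked version: compute in 64 bits and refuse anything that does not
 * fit back into the 32-bit size the rest of the parser uses. Clang's
 * -fsanitize=integer would abort at this multiply at runtime; the explicit
 * check is the source-level equivalent and lets the parser fail cleanly. */
bool checked_table_size(const struct chunk_header *h, uint32_t *out)
{
    uint64_t total = (uint64_t)h->entry_count * (uint64_t)h->entry_size;
    if (total > UINT32_MAX)
        return false;          /* would have wrapped: reject the chunk */
    *out = (uint32_t)total;
    return true;
}

/* Hypothetical upper bound on a single entry table; a parser should cap
 * attacker-controlled sizes even when the arithmetic itself is sound. */
#define MAX_TABLE_BYTES (16u * 1024u * 1024u)

/* Allocate the entry table only if the declared size is both
 * arithmetically valid and within policy; NULL means "malformed chunk". */
void *alloc_entry_table(const struct chunk_header *h)
{
    uint32_t bytes;
    if (!checked_table_size(h, &bytes) || bytes > MAX_TABLE_BYTES)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed hostile header: 0x40000001 * 4 = 0x100000004, wraps to 4. */
    struct chunk_header bad = { 0x40000001u, 4u };
    struct chunk_header good = { 1000u, 16u };
    uint32_t n;

    printf("unchecked size for hostile header: %u bytes\n", unchecked_table_size(&bad));
    printf("checked size for hostile header: %s\n",
           checked_table_size(&bad, &n) ? "accepted" : "rejected");
    printf("checked size for sane header: %s (%u bytes)\n",
           checked_table_size(&good, &n) ? "accepted" : "rejected", n);

    void *table = alloc_entry_table(&good);
    free(table);
    return 0;
}
```

The unchecked path returns 4 bytes for a header that actually describes a 4 GiB table, which is exactly the mismatch a later copy loop would turn into a heap overflow; the checked path reports the wrap and the caller drops the chunk. Compiler-level sanitizers catch the same wrap without source changes, but an explicit check is what lets a media parser keep running on a malformed file rather than crashing the process.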

Regardless of these changes, the FCC and FTC have started parallel investigations into the device update problem, which were perhaps long overdue. The FCC sent a letter to the carriers asking about the update process, while the FTC asked eight companies (Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung) to provide the following information about how their update processes work:

  • The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device
  • Detailed data on the specific mobile devices they have offered for sale to consumers since August 2013
  • The vulnerabilities that have affected those devices
  • And whether and when the company patched such vulnerabilities.

The FCC also had this to say about the whole update problem, which affects especially the Android ecosystem:

“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use. There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device, including 'Stagefright' in the Android operating system, which may affect almost 1 billion Android devices globally. Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched,” said the FCC in its official announcement.

The FCC and the FTC seem to have finally realized that Android's update problem is a big issue for consumers, but only after a security vulnerability that impacted one billion devices arrived--a vulnerability that will remain unfixed for most Android users. This might have been prevented if the FTC had listened to the ACLU's complaint about Android updates three years ago.

"In a 16-page complaint filed with the FTC, we argue that the major wireless carriers have engaged in 'unfair and deceptive business practices' by failing to warn their customers about known, unpatched security flaws in the mobile devices sold by the companies," said Chris Soghoian, Principal Technologist and Senior Policy Analyst at the ACLU, in a post in 2013.

The ACLU also argued that if the carriers aren't going to provide updates, they should at a minimum be forced to refund consumers and allow them to terminate their contracts with no penalty so they can switch to a provider who will offer those updates.

How We Got Here And How To Fix It

Most devices tend to get updates for a short period of time after they are sold, and those updates become even more rare as you move down the pricing ranges.

The problem is that cheaper devices also tend to be used by a larger proportion of the population, which means most people will have devices that are insecure almost from the day they buy them until the end of their lifetime.

The lifetime of the device is also not necessarily the lifetime of a carrier contract, because people either use their devices longer than that or give them to others, which could easily double a typical contract period. However, even updating for the entire lifetime of a contract or the device’s warranty would be a good start for the majority of devices out there.

Samsung was sued earlier this year by the consumer protection watchdog in the Netherlands because 82 percent of its devices weren’t receiving any updates in their second year of life, even though all devices have a mandatory warranty of at least two years in the EU. The lawsuit intends to force Samsung, as well as other device manufacturers, to update their products for at least the warranty period, if not longer.

With the arrival of the Internet of Things, which most experts consider a security nightmare, these sorts of policies or regulations are only going to become more necessary. Companies shouldn’t sell devices that they can’t patch against malware and hacking for the majority of the lifetime over which consumers use them.

This could also give manufacturers the incentive to adopt stronger security by design in their devices and software, as that would mean a smaller support cost over the long run. However, until clear standards are in place for how updates should be delivered, it’s likely that no manufacturer (or few of them) would begin to support all of their devices for much longer, while their competitors can cut corners selling cheaper but less safe devices.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 


Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hoofhearted
    Maybe this forces carriers to unmarry themselves from devices and sell service only, which would allow for cleaner competition.
    Reply
  • targetdrone
    Unless there is a fundamental change to the Android ecosystem this is never going to be fixed. Google says they fear version forking, yet the very nature of Android is forked between custom Android versions across manufacturers, models, and then carriers.
    Reply
  • tom10167
    Here's an idea, give us the updates we want, instead of wasting time on crap not one person on earth needs or has ever asked for, like AT&T2Go, AT&T SmartLimits, AT&D Device Manager, AT&T Mobile Locate *breath* AT&T Live, AT&T Locker, AT&T Navigator, AT&T Contact Manager.
    Reply
  • ddpruitt
    Let's face it, this is a way bigger problem than just smartphones. Most companies don't care much about a device past the point they sold it. Phones in general have problems because a company is more interested in pushing its own paid services than a secure device. But the same thing happens for pretty much any other consumer-level device. Think about routers, modems, security systems, and everything else. Most of these systems would be easy to update if manufacturers put a little bit of effort into software design; all it takes is folding in upstream changes.

    Most consumers aren't aware of and don't care about security until something happens to them. Unless companies are forced to deal with security through regulation nothing will change.
    Reply
  • targetdrone
    It's going to get worse as more stupid engineers network things that have no reason to be networked.

    The Internet of Things will be the death of us. :(
    Reply
  • coolitic
    FCC doesn't seem really capable of getting things done.
    Reply
  • ravewulf
    My Galaxy S5 is still on Android 5.0, not even 5.0.1. It's ridiculous that OS updates have to go through Samsung AND Verizon (my carrier) before I get them.
    Reply
  • razor512
    They need to also focus on getting router makers to provide better support for 3rd party firmware. The majority of routers which were vulnerable to the netUSB exploit, have still not received a patch.

    Routers are even worse than smartphones when it comes to updates. Most stop receiving updates within 6 months of release, and with many being locked down to a point where you cannot install Tomato, DD-WRT, or OpenWrt, they quickly become a security risk.
    Reply
  • gggplaya
    My Galaxy S5 is still on Android 5.0, not even 5.0.1. It's ridiculous that OS updates have to go through Samsung AND Verizon (my carrier) before I get them.
    Maybe you should get an iPhone or buy a google nexus phone. Updates come right away, and long after the carrier stops selling them.
    Reply
  • targetdrone
    My Galaxy S5 is still on Android 5.0, not even 5.0.1. It's ridiculous that OS updates have to go through Samsung AND Verizon (my carrier) before I get them.
    Maybe you should get an iPhone or buy a google nexus phone. Updates come right away, and long after the carrier stops selling them.

    I'll consider a Google Nexus when Google adds a mSDHC slot.
    Reply