FTC, FCC launch inquiry into how companies distribute security fixes to mobile devices

The Federal Communications Commission and the Federal Trade Commission announced today that they are teaming up for an inquiry into how security updates to smartphones and other mobile devices are released in the United States.

One of the inquiry’s main concerns is the amount of time it takes for security fixes to be released to users. In a statement, the FCC said:

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices—and that older devices may never be patched.”

The FCC and FTC have sent letters to mobile carriers and eight mobile device manufacturers to ask them how they screen and release security updates for mobile devices.

An FCC representative told Bloomberg that the carriers are AT&T, Verizon*, T-Mobile, Sprint, U.S. Cellular Corp., and TracFone Wireless. The eight device makers are Apple, Google, BlackBerry, HTC America, LG Electronics USA, Microsoft, Motorola Mobility, and Samsung Electronics America.

Each company was asked to list all devices it has offered for sale in the U.S. since August 2013, what security flaws are associated with them, and whether fixes have been distributed to users.

The FCC’s statement specifically mentioned Stagefright, an Android bug discovered by security researchers last year, as an example of the “growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device.”

Stagefright was especially alarming because it allowed hackers to override Android security with a modified video message, giving them almost complete access to a device’s storage, camera, and microphone. Furthermore, it took several security patch releases to deal with Stagefright and its successor, Stagefright 2.0.

*Verizon owns AOL, which in turn owns TechCrunch