Tech by VICE

Federal Regulators Will Investigate Why Your Phone Doesn't Get Updates

The FCC and the FTC want phone makers to be better at giving users security updates.

by Lorenzo Franceschi-Bicchierai
May 9 2016, 6:09pm

How I feel when I don't get a security update. (Image: gorkem demir/Shutterstock)

If you have followed my epic quest looking for the most secure mobile phone out there, and you know a thing or two about cybersecurity, you know that updating your apps and operating system is one of the most crucial things you can do to protect yourself from hackers.

Now, federal regulators are finally starting to ask questions about this important issue to phone makers and cellphone carriers.

On Monday, the Federal Trade Association (FTC) ordered eight phone makers to answer a series of questions on how they handle security updates. The Federal Communications Commission (FCC) also launched its own, parallel inquiry into how mobile carriers deal with security updates.

"The problem isn't that consumers aren't installing updates, but rather, that updates simply aren't available."

The two probes come more than three years after the American Civil Liberties Union (ACLU) warned that Android's fragmented, messy update lifecycle was putting users at risk.

"The problem isn't that consumers aren't installing updates, but rather, that updates simply aren't available," Christopher Soghoian, the principal technologist at the ACLU wrote in a blog post in 2013, when the ACLU filed a complaint with the FTC.

Last summer, a series of bugs affecting up to one billion Android smartphones forced Google to institute mandatory monthly updates.

That was a good first step, but carriers and manufacturers are ultimately responsible for distributing those updates and patches to their devices, and the reality is that the majority of Android users in the world are running old, outdated, and potentially harmful software.

"As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use," the FCC wrote in a press release. "Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered."

Among a long series of detailed questions, these are the main things that the FTC is asking Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung:

-the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device;
-detailed data on the specific mobile devices they have offered for sale to consumers since August 2013;
-the vulnerabilities that have affected those devices; and
-whether and when the company patched such vulnerabilities.

The companies now have 45 days to send in a special report answering the FTC's questions and providing the documents required.

motherboard show
Tech news
information security
Internet Insecurity