The Obama administration is looking to crack down on glaring holes in the security of cell phones.
In letters to the country’s major cell phone manufacturers and wireless networks, the Federal Trade Commission and the FCC said they want to better understand how phones get security updates.
The regulators said they are “concerned” about how quickly cell phone updates are issued once a bug is found. They were also worried about the fact that some people are left out of updates.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” the FCC and FTC said in a joint statement. “There are significant delays in delivering patches to actual devices — and older devices may never be patched.”
Apple and Google, in addition to Samsung, Microsoft, HTC, Motorola, LG and BlackBerry, received letters of inquiry from the FTC. Meanwhile, the FCC sent letters to Verizon, AT&T, T-Mobile and Sprint, along with smaller carriers U.S. Cellular and TracFone.
Bugs are a fact of life. No matter how careful companies are when creating their software, there are always going to be a way for hackers to get in. That’s why apps frequently push out updates: so that hackers can’t take advantage of major vulnerabilities.
But operating systems are more difficult to update than apps. They need to be thoroughly tested — a mistake could turn someone’s phone into a brick. And they need to be coordinated with the various wireless companies, so that the carriers can prepare for millions of people to upgrade simultaneously.
That complicated process has led to slow upgrades for millions of smartphone customers, sometimes long after a vulnerability has been exposed.
Though Apple tends to have a better reputation for security than Google, it is notoriously slow at delivering security patches to iPhone customers. Its updates come much faster than Android updates, but they’re often missing crucial bug fixes.
For example, Apple has failed to fix a major vulnerability that allows hackers to break into nearby iPhones using the AirDrop feature. The bug has been around since iOS 8.
A spokesman for Apple did not respond to a request for comment.
Android’s vulnerabilities are potentially worse than the iPhone’s. And Google is largely powerless to fix Android’s problems, because each Android smartphone manufacturer has to release its own special update that plays nicely with its modified version of the operating system.
About 30% of Android phones currently in use don’t receive any security patches, according to Google.
That’s a huge problem when bugs like the nasty “Stagefright” vulnerability exist. Stagefright affects nearly 1 billion Android devices around the world, giving attackers the ability to get inside practically any Android phone without the owner knowing it.
The good news is that there are no known attacks that have taken advantage of Stagefright — or most other smartphone vulnerabilities. Google said.
But regulators are right to be concerned. Just because a bug hasn’t been exploited doesn’t mean it won’t be.
The PC industry shows there can be a better way. For instance, Microsoft continued to support Windows XP 13 years after it debuted with weekly security fixes. Meanwhile, there are some one-year old smartphones that no longer receive updates, including serious security patches.
There are technical issues that make the weekly security patches of PCs difficult to achieve on smartphones, including bandwidth constraints and carrier relationships.
But it’s a problem worth solving: the current state of affairs is making us all less safe.