Feds probe mobile phone industry over the sad state of security updates

For years, critics have bemoaned the sad state of security updates available to hundreds of millions of owners of mobile devices running Google's Android operating system. Now, federal regulators are investigating whether Google, Apple, and the rest of the players in the mobile industry are doing everything they can to keep their customers safe.

In a joint action, the Federal Communications Commission and the Federal Trade Commission are ordering mobile operating system developers, hardware manufacturers, and carriers to explain their rationale in deciding when to issue updates, or, as is so often the case for Android users, why they don't provide updates. Two of the more glaring examples are a vulnerability dubbed Stagefright disclosed last year and another disclosed in March called Metaphor. Both allow attackers to surreptitiously execute malicious code on Android devices when users view a booby-trapped website.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it," Jon Wilkins, chief of the FCC's Wireless Telecommunications Bureau, wrote in a letter to carriers. "One of the most significant to date is a vulnerability in the Android component called 'Stagefright.' It may have the ability to affect close to 1 billion Android devices around the world. And there are many other vulnerabilities that could do just as much harm."
