The FCC and FTC today asked carriers and phone manufacturers how they handle security updates for their devices.
The FCC sent letters to AT&T, Sprint, T-Mobile, Verizon Wireless, and other carriers, while the FTC queried Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung. In particular, the agencies want to know: the factors carriers/OEMs consider in deciding whether to patch a vulnerability on a particular phone; data on the specific phones sold in the U.S. since August 2013; the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities.
The government said the line of inquiry is to help it further understand how these companies do or do not protect consumers.
“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” said the FCC. “To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices — and that older devices may never be patched.”
Google provides monthly security updates to Nexus-branded Android devices, but individual phone makers lag badly. Apple provides occasional updates.
