June 21, 2016 By Christophe Veltsos

On May 9, 2016, the U.S. Federal Trade Commission (FTC) announced that it had issued an order to eight mobile device manufacturers to produce information on “how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”

The accompanying Order to File a Special Report compels the manufacturers to report on their security update practices and policies for mobile devices. This is not the first time the FTC has used this mechanism to force companies to be transparent about their security-related practices. In March of this year, the agency used the same legal lever to compel nine companies that perform PCI DSS compliance assessments to provide information about their assessment and security consulting practices.

The eight mobile device manufacturers targeted by this FTC action are: Apple Inc.; Blackberry Corp.; Google Inc.; HTC America Inc.; LG Electronics USA Inc.; Microsoft Corp.; Motorola Mobility LLC; and Samsung Electronics America Inc. Each company has 45 days to comply with the order. The FTC also noted that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”

A Deep Dive Into Security Update Practices and Policies

Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company background information, including the corporate structure of any subsidiaries and affiliates;
  • How each device for the U.S. market is made available to consumers (e.g., carrier locked, unlocked, carrier certified or Wi-Fi only);
  • For each such device, all parties that contribute to its software, including the device-maker, OS vendor, chipset maker and carriers;
  • The role played by each of those parties in “addressing security vulnerabilities in device software,” including “communicating vulnerability information among such entities, developing software updates to address vulnerabilities, testing security updates that have been developed or deploying security updates to devices”;
  • How the company determines “whether a specific device model will receive a security update to address a vulnerability,” including the factors it weighs, such as information about the vulnerability, the device’s current OS version, whether an update is available and will be applied, any testing or certification requirements and any contractual obligations; and
  • How these criteria affect the frequency or timing of updates, the extent to which they are consistent with the company’s own documented policies, and any modifications made to those policies.

The FTC’s order also seeks details on how each company is keeping the consumer informed. This includes details on how the company in question notifies consumers of the time period a device will be supported for OS updates and security updates, and when that time period has lapsed.

Finally, and very much telling of the agency’s intent behind such information gathering, the FTC also asked each company to provide details for specific mobile devices. This information includes:

  • The length of time it was for sale in U.S. markets, the number of units sold, the average price per unit (in tiers) and the support period (for both OS and security updates);
  • Copies of any consumer-facing statement made by the company about the support and frequency/timing of updates;
  • Identifying “each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data” and how the company responded;
  • Granular details of each vulnerability, such as when the company learned about it, whether it decided to provide an update and the process of how the decision was made, how and when the update was developed, when it was deployed and the percentage of devices that installed the update;
  • If a security update was not deployed, whether the company informed consumers; and
  • All documents related to the communications between the device-makers, OS vendors, chipset-makers and carriers.

With the PCI order and this latest mobile initiative, the FTC is putting a strong focus on security practices, and on mobile security in particular. The designated companies must now reveal how they handle security updates across all of their mobile models, as well as the extent to which consumers are informed of the availability — or absence — of those updates.
