On May 9, 2016, the U.S. Federal Trade Commission (FTC) announced that it had issued an order to eight mobile device manufacturers to produce information on “how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”
The accompanying Order to File a Special Report compels manufacturers to report on their security update practices and policies for mobile devices. This is not the first time that the FTC has used this mechanism to compel companies to provide transparency into their security-related practices. In March of this year, the agency used the same legal lever to compel nine PCI companies to provide information about their PCI assessment and security consulting practices.
The eight mobile device manufacturers targeted by this FTC action are: Apple Inc.; Blackberry Corp.; Google Inc.; HTC America Inc.; LG Electronics USA Inc.; Microsoft Corp.; Motorola Mobility LLC; and Samsung Electronics America Inc. Each company has 45 days to comply with the order. The FTC also noted that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”
A Deep Dive Into Security Update Practices and Policies
Here is a partial list of the information, documents and items that the FTC wants, according to the official order:
- Company background information, including the corporate structure of any subsidiaries and affiliates;
- How a device for the U.S. market is made available to consumers (e.g., carrier locked, unlocked, carrier certified or Wi-Fi);
- For each device listed above, companies must also identify all parties that contribute to the software, including those from device-makers, OS vendors, chipset makers or carriers.
- The role played by each party above in “addressing security vulnerabilities in device software,” including “communicating vulnerability information among such entities, developing software updates to address vulnerabilities, testing security updates that have been developed or deploying security updates to devices.”
- How companies determine “whether a specific device model will receive a security update to address a vulnerability,” information about the vulnerability, the device’s current OS version and whether an update is available and will be applied, in addition to any other testing/certification requirements and potential contractual obligations; and
- How all of these criteria affect the frequency or timing of updates, the extent to which these criteria are in line with the company’s own documented policies and any modifications to those policies.
The FTC’s order also seeks details on how each company is keeping the consumer informed. This includes details on how the company in question notifies consumers of the time period a device will be supported for OS updates and security updates, and when that time period has lapsed.
Finally, and very much telling of the agency’s intent behind such information gathering, the FTC also asked each company to provide details for specific mobile devices. This information includes:
- The length of time it was for sale in U.S. markets, the number of units sold, the average price per unit (in tiers) and the support period (for both OS and security updates);
- Copies of any consumer-facing statement made by the company about the support and frequency/timing of updates;
- Identifying “each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data” and how the company responded;
- Granular details of each vulnerability, such as when the company learned about it, whether it decided to provide an update and the process of how the decision was made, how and when the update was developed, when it was deployed and the percentage of devices that installed the update;
- If a security update was not deployed, whether the company informed consumers; and
- All documents related to the communications between the device-makers, OS vendors, chipset-makers and carriers.
With the PCI order and this latest mobile initiative, the FTC is putting a strong focus on mobile security. The designated companies must now reveal their conduct when it comes to providing all their various mobile models with security updates, as well as the extent to which consumers are informed of the availability — or absence — of these updates.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato