June 21, 2016 By Christophe Veltsos 3 min read

On May 9, 2016, the U.S. Federal Trade Commission (FTC) announced that it had issued an order to eight mobile device manufacturers to produce information on “how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”

The accompanying Order to File a Special Report compels manufacturers to report on their security update practices and policies for mobile devices. This is not the first time that the FTC has used this mechanism to compel companies to provide transparency into their security-related practices. In March of this year, the agency used the same legal lever to compel nine PCI companies to provide information about their PCI assessment and security consulting practices.

The eight mobile device manufacturers targeted by this FTC action are: Apple Inc.; Blackberry Corp.; Google Inc.; HTC America Inc.; LG Electronics USA Inc.; Microsoft Corp.; Motorola Mobility LLC; and Samsung Electronics America Inc. Each company has 45 days to comply with the order. The FTC also noted that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”

A Deep Dive Into Security Update Practices and Policies

Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company background information, including the corporate structure of any subsidiaries and affiliates;
  • How a device for the U.S. market is made available to consumers (e.g., carrier locked, unlocked, carrier certified or Wi-Fi);
  • For each device listed above, companies must also identify all parties that contribute to the software, including those from device-makers, OS vendors, chipset makers or carriers.
  • The role played by each party above in “addressing security vulnerabilities in device software,” including “communicating vulnerability information among such entities, developing software updates to address vulnerabilities, testing security updates that have been developed or deploying security updates to devices.”
  • How companies determine “whether a specific device model will receive a security update to address a vulnerability,” information about the vulnerability, the device’s current OS version and whether an update is available and will be applied, in addition to any other testing/certification requirements and potential contractual obligations; and
  • How all of these criteria affect the frequency or timing of updates, the extent to which these criteria are in line with the company’s own documented policies and any modifications to those policies.

The FTC’s order also seeks details on how each company is keeping the consumer informed. This includes details on how the company in question notifies consumers of the time period a device will be supported for OS updates and security updates, and when that time period has lapsed.

Finally, and very much telling of the agency’s intent behind such information gathering, the FTC also asked each company to provide details for specific mobile devices. This information includes:

  • The length of time it was for sale in U.S. markets, the number of units sold, the average price per unit (in tiers) and the support period (for both OS and security updates);
  • Copies of any consumer-facing statement made by the company about the support and frequency/timing of updates;
  • Identifying “each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data” and how the company responded;
  • Granular details of each vulnerability, such as when the company learned about it, whether it decided to provide an update and the process of how the decision was made, how and when the update was developed, when it was deployed and the percentage of devices that installed the update;
  • If a security update was not deployed, whether the company informed consumers; and
  • All documents related to the communications between the device-makers, OS vendors, chipset-makers and carriers.

With the PCI order and this latest mobile initiative, the FTC is putting a strong focus on mobile security. The designated companies must now reveal their conduct when it comes to providing all their various mobile models with security updates, as well as the extent to which consumers are informed of the availability — or absence — of these updates.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today