On May 9, 2016, the U.S. Federal Trade Commission (FTC) announced that it had issued an order to eight mobile device manufacturers to produce information on “how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”

The accompanying Order to File a Special Report compels manufacturers to report on their security update practices and policies for mobile devices. This is not the first time that the FTC has used this mechanism to compel companies to provide transparency into their security-related practices. In March of this year, the agency used the same legal lever to compel nine PCI companies to provide information about their PCI assessment and security consulting practices.

The eight mobile device manufacturers targeted by this FTC action are: Apple Inc.; Blackberry Corp.; Google Inc.; HTC America Inc.; LG Electronics USA Inc.; Microsoft Corp.; Motorola Mobility LLC; and Samsung Electronics America Inc. Each company has 45 days to comply with the order. The FTC also noted that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”

A Deep Dive Into Security Update Practices and Policies

Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company background information, including the corporate structure of any subsidiaries and affiliates;
  • How a device for the U.S. market is made available to consumers (e.g., carrier locked, unlocked, carrier certified or Wi-Fi);
  • For each device listed above, companies must also identify all parties that contribute to the software, including those from device-makers, OS vendors, chipset makers or carriers.
  • The role played by each party above in “addressing security vulnerabilities in device software,” including “communicating vulnerability information among such entities, developing software updates to address vulnerabilities, testing security updates that have been developed or deploying security updates to devices.”
  • How companies determine “whether a specific device model will receive a security update to address a vulnerability,” information about the vulnerability, the device’s current OS version and whether an update is available and will be applied, in addition to any other testing/certification requirements and potential contractual obligations; and
  • How all of these criteria affect the frequency or timing of updates, the extent to which these criteria are in line with the company’s own documented policies and any modifications to those policies.

The FTC’s order also seeks details on how each company is keeping the consumer informed. This includes details on how the company in question notifies consumers of the time period a device will be supported for OS updates and security updates, and when that time period has lapsed.

Finally, and very much telling of the agency’s intent behind such information gathering, the FTC also asked each company to provide details for specific mobile devices. This information includes:

  • The length of time it was for sale in U.S. markets, the number of units sold, the average price per unit (in tiers) and the support period (for both OS and security updates);
  • Copies of any consumer-facing statement made by the company about the support and frequency/timing of updates;
  • Identifying “each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data” and how the company responded;
  • Granular details of each vulnerability, such as when the company learned about it, whether it decided to provide an update and the process of how the decision was made, how and when the update was developed, when it was deployed and the percentage of devices that installed the update;
  • If a security update was not deployed, whether the company informed consumers; and
  • All documents related to the communications between the device-makers, OS vendors, chipset-makers and carriers.

With the PCI order and this latest mobile initiative, the FTC is putting a strong focus on mobile security. The designated companies must now reveal their conduct when it comes to providing all their various mobile models with security updates, as well as the extent to which consumers are informed of the availability — or absence — of these updates.

More from Endpoint

The Needs of a Modernized SOC for Hybrid Cloud

5 min read - Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum…

5 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

8 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read