On May 9, 2016, the U.S. Federal Trade Commission (FTC) announced that it had issued an order to eight mobile device manufacturers to produce information on “how they issue security updates to address vulnerabilities in smartphones, tablets and other mobile devices.”

The accompanying Order to File a Special Report compels manufacturers to report on their security update practices and policies for mobile devices. This is not the first time that the FTC has used this mechanism to compel companies to provide transparency into their security-related practices. In March of this year, the agency used the same legal lever to compel nine PCI companies to provide information about their PCI assessment and security consulting practices.

The eight mobile device manufacturers targeted by this FTC action are: Apple Inc.; Blackberry Corp.; Google Inc.; HTC America Inc.; LG Electronics USA Inc.; Microsoft Corp.; Motorola Mobility LLC; and Samsung Electronics America Inc. Each company has 45 days to comply with the order. The FTC also noted that it is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates.”

A Deep Dive Into Security Update Practices and Policies

Here is a partial list of the information, documents and items that the FTC wants, according to the official order:

  • Company background information, including the corporate structure of any subsidiaries and affiliates;
  • How a device for the U.S. market is made available to consumers (e.g., carrier locked, unlocked, carrier certified or Wi-Fi);
  • For each device listed above, companies must also identify all parties that contribute to the software, including those from device-makers, OS vendors, chipset makers or carriers.
  • The role played by each party above in “addressing security vulnerabilities in device software,” including “communicating vulnerability information among such entities, developing software updates to address vulnerabilities, testing security updates that have been developed or deploying security updates to devices.”
  • How companies determine “whether a specific device model will receive a security update to address a vulnerability,” information about the vulnerability, the device’s current OS version and whether an update is available and will be applied, in addition to any other testing/certification requirements and potential contractual obligations; and
  • How all of these criteria affect the frequency or timing of updates, the extent to which these criteria are in line with the company’s own documented policies and any modifications to those policies.

The FTC’s order also seeks details on how each company is keeping the consumer informed. This includes details on how the company in question notifies consumers of the time period a device will be supported for OS updates and security updates, and when that time period has lapsed.

Finally, and very much telling of the agency’s intent behind such information gathering, the FTC also asked each company to provide details for specific mobile devices. This information includes:

  • The length of time it was for sale in U.S. markets, the number of units sold, the average price per unit (in tiers) and the support period (for both OS and security updates);
  • Copies of any consumer-facing statement made by the company about the support and frequency/timing of updates;
  • Identifying “each vulnerability that has affected the specific device model that could result in unauthorized code execution or the compromise of the confidentiality of consumer data” and how the company responded;
  • Granular details of each vulnerability, such as when the company learned about it, whether it decided to provide an update and the process of how the decision was made, how and when the update was developed, when it was deployed and the percentage of devices that installed the update;
  • If a security update was not deployed, whether the company informed consumers; and
  • All documents related to the communications between the device-makers, OS vendors, chipset-makers and carriers.

With the PCI order and this latest mobile initiative, the FTC is putting a strong focus on mobile security. The designated companies must now reveal their conduct when it comes to providing all their various mobile models with security updates, as well as the extent to which consumers are informed of the availability — or absence — of these updates.

More from Endpoint

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

3 Reasons to Make EDR Part of Your Incident Response Plan

As threat actors grow in number, the frequency of attacks witnessed globally will continue to rise exponentially. The numerous cases headlining the news today demonstrate that no organization is immune from the risks of a breach. What is an Incident Response Plan? Incident response (IR) refers to an organization’s approach, processes and technologies to detect and respond to cyber breaches. An IR plan specifies how cyberattacks should be identified, contained and remediated. It enables organizations to act quickly and effectively…

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…