FTC Orders Apple, Google, Microsoft, BlackBerry, Samsung To Divulge Mobile Security Practices (networkworld.com)
coondoggie quotes a report from Networkworld: The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. Apple, BlackBerry, Google, HTC America, LG Electronics, Microsoft, Motorola Mobility, and Samsung must provide the following: The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.
Chasing the wrong people (Score:5, Insightful)
The CARRIERS decide who gets the updates and when.
Re: (Score:3)
Upvote required.
Manufacturers can make updates available quite quickly, however carriers restrict what updates are made available to customers on their network.
Buy a better device? (Score:2)
Don’t buy phones that are locked to the carrier’s update schedule. Spend a little more and get something you can patch on your own terms.
Perhaps you’ve heard of iOS and/or Nexus devices?
Re: (Score:2)
My understanding is that as of the Nexus 6, Wi-Fi calling is supported in standard Android.
Re: (Score:1)
It may be supported on the device, but not enabled/used by the carrier.
Re: (Score:2)
A little bit of Googling could have prevented you from publicly revealing you are a moron.
https://support.t-mobile.com/d... [t-mobile.com]
Re: (Score:1)
At least on T-Mobile, only carrier ROMs have Wi-Fi calling.
I have T-Mobile and my Nexus 5X has wifi calling.
Re: (Score:1)
Don’t buy phones that are locked to the carrier’s update schedule. Spend a little more and get something you can patch on your own terms.
Or only buy devices that have active development going on on xda-developers.com including multiple and frequently-updated ROMs, or are actively supported by one of the large alternative ROM creators such as Cyanogen, Resurrection, Pac, Slim, etc.
Personally I like the slightly older Samsung devices with some of the cool backport ROMs.
My carrier is Xfinity (Score:2)
carriers restrict what updates are made available to customers on their network.
So what blocks updates for Wi-Fi tablets? My carrier is Xfinity or Chick-Fi [chick-fil-a.com] or Wendynet [wendys.com].
Re: (Score:2)
What if you never connect your phone to a mobile network and use it WiFi only*? At least my manufacturer provides updates by regular Internet that I can access by Wifi. No provider ever knows if my phone is on its network.
* not the most common use case, but people might need a small tablet or don't need mobile internet but want to sync calendar & contacts every 24 hours when they are at home
Re:Chasing the wrong people (Score:4, Insightful)
You're assuming this isn't an evidence-gathering exercise prior to going after the carriers for exactly that reason?
Re: (Score:3)
You're assuming they're not trolling to figure out which vulnerabilities are still out there for exploiting?
Re: (Score:2)
I'm certainly not assuming that, though it doesn't seem the most likely explanation to me.
Re: (Score:2)
Not in the case of Apple.
Re:Chasing the wrong people (Score:4, Informative)
I've never had to wait for my carrier (Rogers Canada, in this case) to supply me an iOS update. I just download it on the day Apple releases it.
Re:Chasing the wrong people (Score:5, Informative)
If you think Apple are any different then you're basing an opinion on wishful thinking and hope.
And your carrier cares for neither. Doesn't matter who your carrier is, if they don't want to supply an update to you, you won't see one. Apple, Samsung, HTC, whoever. It's all the same. Money talks.
That turns out not to be the case. With my Apple phone, Apple offers updates and I accept (or decline) them. The carrier has nothing to do with it.
Re: (Score:3)
Speaking personally, my unlocked Sony Xperia Z2 running US-market firmware finally received its last patch against the Stagefright exploit on April 12th, 2016, as part of my Marshmallow update released publicly that same day. The exact same patch was provided on the exact same phone running Lollipop in other regions as early as 27th November 2015, and there were no carriers involved.
Re: (Score:2)
It is high time that Google took Android back in-house, and required manufacturers to add their glossy, bloatware overlays as user-removable apps which sit on top of the OS. OS-level updates should then be sourced not from the manufacturer or the carrier, but from Google themselves. That would instantly solve the problem, while allowing manufacturers to provide the differentiation they foolishly believe us to want. (And for those of us who'd rather have a stock experience, we could get rid of all the manufacturer crapware and have a swiftly-operating phone with regular security updates.)
Yes, but will never come as
a) what Google delivers as "Android" won't be running on any device as there are specific additions and changes necessary to get it to run on a specific hardware, that need to be provided and integrated by the hardware manufacturer
b) Google is already in hot water [heise.de] for abusing a de-facto monopoly and hindering competition between cellphone manufacturers by already making too many software decisions for Android phone manufacturers. (or the slashdot [slashdot.org] article)
Give us the keys! (Score:2)
Carriers and/or OEMs who abandon phones within 5 years of introduction should be compelled to release any signing keys that they used to lock bootloaders.
If Verizon wants to create a walled garden with locked bootloaders, then they have a responsibility to maintain it. Any devices that do not receive quarterly security patches should be forced open, allowing Cyanogenmod (et al) to become an option for security fixes. Novice users can then use third party security support, and power users can wipe Verizon's
Re: (Score:3)
Not when you buy retail versions of phones.
My EU retail version Moto X 2nd Gen is still on the "Android security patch level" 1 November 2015. That's 6 months old. It's still vulnerable to some of the drive-by remote code execution exploits where simply visiting a website with an embedded video can run arbitrary code.
There's 34 critical exploits in the security patches since 1 Nov.
Teaches me for buying a phone from a Google owned company. They then go sell it to Lenovo who then fires half their developers and
Re: (Score:1)
The CARRIERS decide who gets the updates and when.
But when HP, Dell, or Lenovo sell a computer with Windows, they are not responsible for the updates to Windows. Microsoft is.
Re: (Score:2)
Which is correct as they don't have to build their own windows (based on what they get from Microsoft) to get it to run on the machines they manufacture. Windows will be running out of the box on any machine that follows "PC" specifications.
There aren't any specifications like this for phones. Phone manufacturers need to build a specific OS for each phone based on what Google delivers as Android. That's exactly why you need the guys from cyanogen et al for: What Google gives out as Android will not be runni
Re: (Score:1)
Is what they "build" that significant that there cannot be regular updates from Android? Is there any real justification for their extra control?
Why can't it be like the model for Linux distros: The distro creates its own packages and updates. A sysadmin at a company may create their own custom package repository specific to their hardware with for example packa
Re: (Score:2)
"compiling a custom kernel" ...yes... but after writing and including custom modules and drivers for the hardware used.
The regular Linux distros support a handful of processors, that's why "building a custom kernel" is little more than checking boxes to include or exclude modules, but you don't have custom hardware that you need to write modules for first.
Re: (Score:1)
Yes there are mobile manufacturers who do also make their own chips, which puts them in the category of a devi
Re: (Score:2)
True, but the manufacturers also are the ones to make it available.
I mean, Samsung makes a crap ton of phones - in 2014, they released on average 3 Android phones a week! (and a tablet a week, for completeness - it was something like 54 new tablets and 160-ish new phones). In 2015 they scaled it back somewhat. But the vast majority of phones will never get an update from Samsung - ever.
I mean, Samsung's pretty bad by themselves in software updates. You migh
A list of unpatched vulnerabilities? (Score:2)
Re: (Score:2)
Although your point is well taken, there are other things to consider.
Mobile devices often go unpatched due to the relationship between the carriers and the manufacturer. For example, you may buy a nice shiny Samsung, only to find out that it is not patched for the StageFright bug since the carrier has not vetted these patches yet. This is exacerbated when you bring your own phone over to the network, as they may not even know anything about what patch would work on your device.
The exceptions to this incl
Government taking care of me... (Score:1, Insightful)
This is so nice of the government — protecting me from these nasty capitalists.
I wonder, if those among them, who cooperate with the police (and/or donate to the correct politicians), will be granted exceptions...
Commerce among the states (Score:2)
What in the Constitution grants the FTC the power to demand this information?
The fact that phones are manufactured in East Asia and sold across state lines for use on networks that communicate across state lines. There's your "commerce with foreign nations, and among the several states" that the Constitution grants the Congress "power [...] to regulate". And the Congress has chosen to exercise this power by creating the FTC and FCC.
This should be interesting (Score:5, Funny)
Apple: We release updates directly to phones because we control the software and hardware stack
Google: We publish updates to the core OS, Android vendors implement updates. We release updates to Google apps on the Play Store. Vendors' devices get access to the Play Store if they sign a contract with us.
Samsung: We released 56 different phone models in 2014 and it's a pain in the dick updating even the flagships because of all the.. Uhm.. Value added software we load on them.
HTC: Uh. We publish updates on flagship models if it's convenient. Hey.. Uh.. Anyone want to buy a phone company?
Motorola: Who owns us now? Do we still make phones?
Blackberry: We're relevant! Our phones are secure.. Uhm.. Nevermind that we gave away our root keys when we said we didn't. Please buy a phone from us.
LG: What?
Re: (Score:3)
Now we're all wondering whether you forgot that Microsoft was the final company on the list or their omission was an oblique reference to their relevance in the mobile market and/or how they handle demands from authorities.
Re: (Score:3)
Microsoft: Here's a copy of the vulnerabilities you wanted us to implement for you. Do you have a loading dock?
Re: (Score:2)
Why would anyone request Microsoft to put vulnerabilities into their phone and wait for the upgrade cycle to complete rather than going after both users directly?
Re: (Score:1)
Microsoft: With Windows Phone 10 with Bing and Cortana the phones self-update. All the time. You can't stop it even if you want to. Don't like it? Too bad. You'll get 11 too whether you like it or not.
Under what authority? (Score:2)
Re: (Score:2)
The commerce clause, as explained in a reply to AC's comment [slashdot.org].
Re: (Score:2)
The commerce clause, as explained in a reply to AC's comment [slashdot.org].
The commerce clause is part of the Constitution. The Constitution doesn't grant the FTC any authority whatsoever. It grants congress the right to regulate interstate commerce. Congress must then, in turn, grant authority to the FTC. It does so by means of statutes in the United States Code. The FTC doesn't have unlimited power to regulate any and all interstate commerce. So I'm wondering, under which statute do the claim to have the authority to order private companies to disclose security vulnerabili
FTC authority? (Score:2)
Does the FTC have the authority to compel the production of this information?
And while the one hand asks for better security.. (Score:2)
Re: (Score:2)
Pre-9/11, the NSA had a similar bent... They had a group working on securing stuff, and a group working on cracking stuff.
See Cliff Stoll's "The Cuckoo's Egg". He talks about his visit to NSA.
Wrong TLA group, guys. (Score:2)
The FTC, according to the letter, is doing this on the basis of a "resolution." No law. No regulation. Just they _resolved_ it in order to complete a study. They're basically making a willful power grab. I wonder if the manufacturers will bite or fight? I think they should tell them where to stick it.
The FCC or NSA has more authority to do this than the FTC. The NSA through a FISA court order seems the most likely way to grant any legal authority in the matter. This is otherwise a blatant power grab. What t
Re: (Score:3)
Maybe the FTC want to make sure those companies aren't being dodgy.
Like saying they're selling secure, supported devices when they're not.
Not deliberately cutting support for old devices so they can sell more new ones.
Not selling devices they never intend to provide security fixes for.
Not just the FTC, but a partnership with the FCC (Score:2)
Regardless, this is a big story, as the way security patches have been handled -- or more precisely ignored by the carriers and manufacturers -- has become a huge problem. We're talking millions of vulnerable internet-connected mobile devices out there which, the way things are now, will never get patches for severe exploits like Stagefright.
It's not only the carriers either (Score:2)
Well, not exactly the carriers. Or the manufacturers either.
Most people who use cell phones in the US are totally unaware of the certification process in place for those phones.
The main game in town is PTCRB. This makes up most of the GSM/UMTS and LTE carriers in the US and Canada. Verizon has their own program, which by and large follows GCF, the European counterpart to PTCRB, but based on open standards. Though, VzW mixes in proprietary standards.
The certification for PTCRB has a LOT of testing involved. F