U.S. investigates security of mobile devices

By David Shepardson

WASHINGTON (Reuters) – The Federal Communications Commission and Federal Trade Commission have asked mobile phone carriers and manufacturers to explain how they release security updates amid mounting concerns over security vulnerabilities, the U.S. agencies said on Monday.

The agencies have written to Apple Inc, AT&T Inc and Alphabet Inc, among others, in order “to better understand, and ultimately to improve, the security of mobile devices,” the FCC said.

The FCC sent letters to six mobile phone carriers on security issues, while the FTC ordered eight mobile device manufacturers including BlackBerry Ltd, Microsoft Corp, LG Electronics USA Inc and Samsung Electronics America Inc [SMELA.UL] to disclose “the factors that they consider in deciding whether to patch a vulnerability on a particular mobile device.”

The FTC also seeks “detailed data on the specific mobile devices they have offered for sale to consumers since August 2013” and “the vulnerabilities that have affected those devices; and whether and when the company patched such vulnerabilities.”

The agencies are opening the inquiry about how mobile carriers and manufacturers handle security updates for mobile devices because consumers and businesses are conducting a growing amount of daily activities on mobile devices and new questions have been raised about how the security of mobile communications.

The “safety of their communications and other personal information is directly related to the security of the devices they use,” the FCC said. “There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device.”

The FCC said it sent letters to mobile carriers including AT&T, Verizon Communications Inc, Sprint Corp, U.S. Cellular Corp, Tracfone Wireless, which is owned by America Movil SAB, and T-Mobile US, which is owned by Deutsche Telekom, “asking questions about their processes for reviewing and releasing security updates for mobile devices.”

The companies must respond to the FCC and FTC questions within 45 days.

There were more than 355 million U.S. mobile wireless devices in use in 2014, the FCC said in a December report. The agency said that number had risen to 382 million by mid-2015, citing company disclosures.

The FCC noted that a vulnerability called “Stagefright” in the Android operating system could affect almost 1 billion Android devices globally. Reuters reported in August that Google and Samsung planned to release monthly security fixes for Android phones.

The change came after security researcher Joshua Drake found a vulnerability that could allow attackers to send a special multimedia message to an Android phone and access sensitive content even if the message is unopened.

Google did not immediately comment on Monday. Apple declined to comment.

Consumers may be left unprotected, potentially indefinitely, by any delays in patching vulnerabilities, the FCC said.

John Marinho, vice president for cybersecurity at CTIA, a wireless trade group, said in a statement that “customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers.”

(Editing by Bernadette Baum and Matthew Lewis)