Federales probing slow security by mobile phone carriers and ODMs. The FCC and FTC are tag-teaming to investigate non-existent or long-delayed OTA updates -- even when those updates patch critical security vulnerabilities.
[Developing story. Updated 10:05 am PT with more comment]
Oh yes, it's about time something was done about this perfect storm of a fiasco. And it's not just Google Android under investigation. Even Apple is being probed. In IT Blogwatch, bloggers wave flaming pitchforks.
What’s the craic? Todd Shields us from the ugly truth: [You're fired -Ed.]
Smartphone makers...and mobile carriers...face an inquiry by U.S. regulators into how they review and release security updates. [The FCC and FTC] issued statements...saying they want to know more [because] consumers and businesses face hacking threats.
The FCC sent letters to...AT&T, Verizon, T-Mobile...Sprint...U.S. Cellular...and TracFone. ... The FTC said it had ordered eight companies to explain: ...Apple...Google, BlackBerry...HTC...LG...Microsoft...Motorola...and Samsung.
Let's not mince words, people. Zack Whittaker says the companies face questions over slow security fixes:
[This comes] amid concerns that vulnerabilities are not patched soon enough. ... The FTC wants eight phone makers to explain. ... Meanwhile, the FCC wants cell carriers...to explain.
The investigation is thought to be in response to a complaint submitted by the [ACLU], which accused cell carriers of stalling [and so] exposing consumers to "significant cybersecurity-related risks." ... The FCC...cited Stagefright, a major security flaw that affected almost every Android device. ... It took weeks for other manufacturers to implement the fix. Some devices are still vulnerable.
Great example -- and not an isolated one, neither. Michael Tomkins paints his own experience:
My unlocked Sony Xperia Z2...finally received its...Stagefright...patch...on April 12th. ... The exact same patch was provided on the exact same phone...in other regions as early as 27th November.
That is an utterly shameful 138 DAYS...from when the patch was completely done being tested and applied, and ready to release. ... It was even longer from when the fix was made available...by Google. ... Somebody at Sony simply forgot to ever release it. ... But really, the problem...is quite clearly with Google, who have allowed both the carriers and manufacturers to play idiotic games.
It is high time that Google took Android back in-house. ... OS-level updates should then be sourced...from Google themselves. ... But sadly, there's not a chance of this happening.
Ouch. And here's the experience of viperidaenz:
My EU retail...Moto X 2nd Gen is still on the "Android security patch level"...that's 6 months old. It's still vulnerable to...drive-by remote code execution exploits. ... There's 34 critical exploits in the security patches since.
Teaches me for buying a phone from a Google-owned company. They then go sell it to Lenovo who then fires half their developers.
I wonder what the companies will say. This Anonymous Coward predicts some of the responses from ODMs—This should be interesting:
Apple: We release updates directly to phones because we control the software and hardware.
Google: We publish updates to the core OS, Android vendors implement updates. We release updates to Google apps. ... Vendors' devices access the Play Store if they sign a contract.
Samsung: We released 56 different phone models in 2014 and it's a pain in the **** updating even the flagships because of all the... Uhm... Value added software we load.
HTC: Uh. We publish updates on flagship models if it's convenient. Hey... Uh... Anyone want to buy a phone company?
Motorola: Who owns us now? Do we still make phones?
Blackberry: We're relevant! Our phones are secure... Uhm... Nevermind that we gave away our root keys when we said we didn't.
Update: But what of Apple in all this? David Goldman prescribes the government wants Apple to up its security game:
Bugs are a fact of life. ... Though Apple tends to have a better reputation...it is notoriously slow at delivering security patches. [They] come much faster than Android updates, but they're often missing crucial bug fixes. ... (A spokesman for Apple did not respond.)
About 30% of Android phones...don't receive any security patches. ... There are some one-year old smartphones that no longer receive [any] updates. ... That's a huge problem.
Regulators are right to be concerned. ... The PC industry shows there can be a better way. ... It's a problem worth solving.
Actually, you can't multitask, so stop trying
[McGill University Psychology Professor Daniel Levitin says so]
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or firstname.lastname@example.org.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.