Slashdot Mirror


FTC Orders Apple, Google, Microsoft, BlackBerry, Samsung To Divulge Mobile Security Practices (networkworld.com)

coondoggie quotes a report from Networkworld: The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. Apple, BlackBerry, Google, HTC America, LG Electronics, Microsoft, Motorola Mobility, and Samsung must provide the following: The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

14 of 74 comments

  1. Chasing the wrong people by Anonymous Coward · · Score: 5, Insightful

    The CARRIERS decide who gets the updates and when.

    1. Re:Chasing the wrong people by epiphani · · Score: 2

      Upvote required.

      Manufacturers can make updates available quite quickly, however carriers restrict what updates are made available to customers on their network.

      --
      .
    2. Re:Chasing the wrong people by Anonymous+Brave+Guy · · Score: 3, Insightful

      You're assuming this isn't an evidence-gathering exercise prior to going after the carriers for exactly that reason?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Chasing the wrong people by Anonymous Coward · · Score: 2

      Not in the case of Apple.

    4. Re:Chasing the wrong people by the_skywise · · Score: 2

      You're assuming they're not trolling to figure out which vulnerabilities are still out there for exploiting?

    5. Re:Chasing the wrong people by gweilo8888 · · Score: 2

      Yes and no. Even if you are using an unlocked phone, security updates can take utterly ridiculous lengths of time to arrive.

      Speaking personally, my unlocked Sony Xperia Z2 running US-market firmware finally received its last patch against the Stagefright exploit on April 12th, 2016, as part of my Marshmallow update released publicly that same day. The exact same patch was provided on the exact same phone running Lollipop in other regions as early as 27th November 2015, and there were no carriers involved in the process at all. I got my patch direct from Sony.

      That is an utterly shameful 138 DAYS to get the patch direct from the manufacturer, and that is 138 days from when the patch was completely done being tested and applied, and ready to release to the public. It was even longer from when the fix was made available to the manufacturers by Google.

      I do not believe for one second that any additional testing was required to apply the same patch to a different firmware region; somebody at Sony simply forgot to ever release it for many markets. (The US was by no means alone in this; numerous other large markets didn't get a full Stagefright patch until Marshmallow was released, and it was basically a lottery whether you were in a lucky market or not.)

      But really, the problem here lies neither at the feet of the carriers nor the manufacturers. The problem here is quite clearly with Google, who have allowed both the carriers and manufacturers to play idiotic games in the name of product differentiation.

      It is high time that Google took Android back in-house, and required manufacturers to add their glossy, bloatware overlays as user-removable apps which sit on top of the OS. OS-level updates should then be sourced not from the manufacturer or the carrier, but from Google themselves. That would instantly solve the problem, while allowing manufacturers to provide the differentiation they foolishly believe us to want. (And for those of us who'd rather have a stock experience, we could get rid of all the manufacturer crapware and have a swiftly-operating phone with regular security updates.)

      But sadly, there's not a chance of this happening. The lunacy will continue to prevail, because the customers are seen as utterly unimportant in all of this. Whatever the manufacturers and carriers say goes, and the rest is just ignored.

    6. Re:Chasing the wrong people by berj · · Score: 3, Informative

      I've never had to wait for my carrier (Rogers Canada, in this case) to supply me an iOS update. I just download it on the day Apple releases it.

    7. Re:Chasing the wrong people by scotts13 · · Score: 4, Informative

      If you think Apple are any different then you're basing an opinion on wishful thinking and hope.

      And your carrier cares for neither. Doesn't matter who your carrier is, if they don't want to supply an update to you, you won't see one. Apple, Samsung, HTC, whoever. It's all the same. Money talks.

      That turns out not to be the case. With my Apple phone, Apple offers updates and I accept (or decline) them. The carrier has nothing to do with it.

    8. Re:Chasing the wrong people by viperidaenz · · Score: 2

      Not when you buy retail versions of phones.

      My EU retail version Moto X 2nd Gen is still on the "Android security patch level" 1 November 2015. That's 6 months old. It's still vulnerable to some of the drive-by remote code execution exploits where simply visiting a website with an embedded video can run arbitrary code.
      There are 34 critical exploits in the security patches since 1 Nov.

      Teaches me for buying a phone from a Google-owned company. They then go sell it to Lenovo, who then fires half their developers and stops updating old devices.

  2. A list of unpatched vulnerabilities? by mugurel · · Score: 2

    That would also be great for their fellow three letter agencies!

  3. This should be interesting by Anonymous Coward · · Score: 5, Funny

    Apple: We release updates directly to phones because we control the software and hardware stack

    Google: We publish updates to the core OS, Android vendors implement updates. We release updates to Google apps on the Play Store. Vendors' devices get access to the Play Store if they sign a contract with us.

    Samsung: We released 56 different phone models in 2014 and it's a pain in the dick updating even the flagships because of all the.. Uhm.. Value added software we load on them.

    HTC: Uh. We publish updates on flagship models if it's convenient. Hey.. Uh.. Anyone want to buy a phone company?

    Motorola: Who owns us now? Do we still make phones?

    BlackBerry: We're relevant! Our phones are secure.. Uhm.. Never mind that we gave away our root keys when we said we didn't. Please buy a phone from us.

    LG: What?

    1. Re:This should be interesting by Anonymous+Brave+Guy · · Score: 2

      Now we're all wondering whether you forgot that Microsoft was the final company on the list or their omission was an oblique reference to their relevance in the mobile market and/or how they handle demands from authorities.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    2. Re:This should be interesting by guruevi · · Score: 2

      Microsoft: Here's a copy of the vulnerabilities you wanted us to implement for you. Do you have a loading dock?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  4. Re:Wrong TLA group, guys. by viperidaenz · · Score: 2

    Maybe the FTC want to make sure those companies aren't being dodgy.
    Like saying they're selling secure, supported devices when they're not.
    Not deliberately cutting support for old devices so they can sell more new ones.
    Not selling devices they never intend to provide security fixes for.