The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) have embarked on a joint fact-finding mission of sorts to better understand how security is handled by mobile device manufacturers. As part of the joint inquiry, the FTC notes that it has issued orders to eight companies to gauge how each issues security updates. In all, the FTC's probe includes Apple, BlackBerry, Google, HTC, LG, Microsoft, Motorola, and Samsung.
While the FTC has opted to reach out to manufacturers, the FCC says that it is contacting carriers to better understand their role in the process. In its letter to carriers, the FCC states that its main concern is that there are "significant delays" in patching vulnerabilities on devices.
Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise. We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.
Of particular note is that the FCC specifically calls out the recent Stagefright Android vulnerability that gained quite a bit of attention in late 2015.
It's important to note that this appears to simply be a fact-finding mission for now, and the parties have 45 days to issue a response to the inquiry. If you're interested, you can also read the list of questions sent to carriers by the FCC.
