The glowing lack of public, real-world Stagefright exploits didn’t stop the U.S. government from using last summer’s blockbuster Android vulnerability as an illustration of the dangers facing mobile device users.

Under the context of Stagefright exposing up to 1 billion devices to attack, the Federal Trade Commission and the Federal Communications Commission yesterday said they are collaborating on an investigation into the security update practices of the leading carriers.

The two agencies sent letters to leading device makers and carriers, including AT&T, Verizon, T-Mobile, Sprint, US Cellular, and Tracfone, as well as Apple, Google, Samsung, BlackBerry, HTC America, and Microsoft. The letters give the respective vendors 45 days to report on how they communicate information about vulnerabilities, develop and test security updates and deploy them to devices.

Stagefright emerged last summer as threat to most Android devices in circulation going back many versions of the operating system. Attackers could leverage the flaw to gain remote code execution by merely sending a malicious media file to a vulnerable device. The reaction to this bug was immediate by Google, in particular, which less than a week after the patching and public disclosure of Stagefright, announced it would begin monthly over-the-air security updates for Nexus devices and make those same patches available in advance for carriers and OEMs.

While fixes are available, the reality is that many mobile devices—in particular those out of current patch levels—don’t ever get fixed. This isn’t new either; as far back as 2012 and 2013, security experts and the FTC have warned about the gaps in security coverage for Android devices in particular. In 2013, a settlement between HTC America and the FTC was announced after HTC was charged with failing to provide regular security updates. Under the terms of the settlement, HTC was forced to develop and release timely patches, establish a security program that addressed these risks and submit to security assessments for 20 years.

Yesterday’s letter to the carriers reinforced these concerns.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. Therefore, we appreciate efforts made by operating system providers, original equipment manufacturers, and mobile service providers to respond quickly to address vulnerabilities as they arise,” said Jon Wilkins, chief of the Wireless Telecommunications Bureau at the FCC. “We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched.”

For its part, the FCC will focus on service providers and their role in moving patches through the mobile ecosystem, while the FTC will concentrate on operating system makes and equipment manufacturers.

“We hope that the efforts of our two agencies will lead to a greater understanding of what is being done today to address mobile device vulnerabilities—and what can be done to improve mobile device consumer safety and security in the future,” Wilkins said.

The reports required of each of the carriers and manufacturers are extensive. The respective authors must be an officer of the company and must answer 20 questions in addition to information about update processes. The questions delve into how updates are marshaled out to partners and consumers, and whether resources exist for consumers in particular to determine patch levels and severity of issues. There are also a handful of Stagefright-specific questions pertaining to how carriers and OEMs responded to the flaw and how many devices were—and remain—vulnerable.

Categories: Government, Mobile Security, Vulnerabilities