Why isn’t your phone secure? Government starts asking questions

Two federal agencies call on phone company and wireless carriers for answers about slow security updates that leave people at risk.

“Why does it take so long for my phone to get security updates—the updates I need for protection?”

It’s a question Android phone owners have asked for years.

Now, at last, government agencies are asking the same questions, and the makers of Android phones and the carriers that provide wireless service for those devices will have to answer.

“It’s about time!” said one Android user online.

“Exactly!” echoed another.

The Federal Trade Commission sent letters to eight companies—all operating system providers or phone makers—including Samsung, Motorola, LG, HTC, Blackberry, Google, Microsoft, and Apple, asking for details about how the companies decide whether to patch a vulnerability and issue a security update, how long it takes, and what they tell customers about it.

The Federal Communications Commission sent letters to six more companies—wireless carriers—including AT&T, Verizon, T-Mobile, Sprint, US Cellular, and TracFone. The FCC questions follow similar lines.

“Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered,” wrote Jon Wilkins in the FCC letter to carriers.

He said the FCC appreciates the efforts companies make to address those vulnerabilities. “We are concerned, however, that there are significant delays in delivering patches to actual devices—and that older devices may never be patched,” he added.

Broken system

If you have an Android phone or other Android mobile device, chances are you don’t get security updates right away, the way Apple devices do.

Android device owners complain about security updates taking months to come through, and, in some cases, never coming through at all. That leaves plenty of time for attackers to get through the gaping vulnerabilities and steal your information.

The problem, cybersecurity experts say, is a disjointed system where Google may develop a patch or security update for the Android operating system that has to then go through the device manufacturer, and then the carrier, before it reaches you, the end user.

The many steps can become so time-consuming that the Android update process—and its problems with the ‘Stagefright’ vulnerability—earned itself the title of one of the top five security fiascos of 2015 compiled by some members of the cybersecurity community.

Long before

But the issues with Android updates started long before 2015. The American Civil Liberties Union filed a complaint with the FTC in 2013, saying the major wireless carriers were failing to warn customers about unpatched Android security flaws, and thus engaging in unfair and deceptive business practices.

“Android smartphones that do not receive regular, prompt security updates are defective and unreasonably dangerous,” the complaint said.

“These companies—AT&T, Verizon, Sprint and T-Mobile—have sold millions of smartphones to consumers running versions of Google’s Android operating system,” said the ACLU’s Chris Soghoian at the time. “Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks.”

“This is in sharp contrast to the norm on the desktop, where Mac and PCs both receive regular security updates directly from Apple and Microsoft,” he explained. “Apple also provides regular security updates to mobile devices, such as the iPad and iPhone.”

Will it change?

Now, three years later, the FTC—and the FCC—are taking action.

“We’re happy that they’re finally looking into it,” Soghoian told Archer News. “Better late than never.”

He said there are major problems with unsecured, out-of-date phones, and companies that have essentially abandoned phone owners by dropping any effort to patch their devices.

“There have been manufacturers of phones who told consumers that they were going to get updates and then they did not,” Soghoian said. “I would expect to see the FTC throw the book at these companies.”

The ACLU complaint in 2013 asked the FTC to require that customers be offered device refunds if the carriers were not going to provide security patches.

The new government inquiries could be a step toward some sort of help for customers.

“The main purpose of this, I think, is to create a body of evidence that the agency can rely on if they seek further action, but also just to draw public attention to the issue,” Soghoian said.

Legal issues

This is not the first Android legal issue some companies have faced.

In 2013, HTC America settled charges that it “failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk,” according to the FTC.

The agency said HTC America did not follow “reasonable and appropriate security practices,” did not give its engineering staff adequate security training, did not do security reviews or tests of the software on its mobile devices, and deceived customers about security, among other problems.

As a result, the FTC said, attackers could compromise millions of HTC phones, send text messages, record audio and install malware, all without the phone owner’s knowledge.

HTC America agreed to create a comprehensive security program, deploy security patches, and not make misleading statements to customers, the FTC said.

“Privacy and security are important,” HTC America said in a statement, according to the New York Times. “And we are committed to improving practices that help safeguard our customers’ devices and data.”

Samsung

A Dutch consumer protection group sued Samsung in January, saying the company has a bad update policy and is guilty of unfair trade practices.

Research showed that 82% of the Samsung phones examined in a survey had not been provided with the latest Android version in the two years after being introduced, the consumer group said.

“On buying a Samsung Android device, consumers are given inadequate information about how long they will continue to receive software updates,” said the group’s director.

“We have made a number of commitments in recent months to better inform consumers about the status of security issues, and the measures we are taking to address those issues,” Samsung said in a statement at the time. “Data security is a top priority and we work hard every day to ensure that the devices we sell and the information contained on those devices is safeguarded.”

Company responses

Archer News asked the carriers for their response to the FCC’s letter. Several said that the CTIA would provide comment.

The CTIA—formerly known as the Cellular Telephone Industries Association—is a trade group that represents wireless carriers.

“Customers’ security remains a top priority for wireless companies, and there is a very strong partnership among carriers, OS [operating system] providers and OEMs [original equipment manufacturers],” said CTIA’s vice president of technology and cybersecurity John Marinho in a statement on the CTIA site. “As soon as OS providers and OEMs release security updates that are thoroughly tested, carriers deploy and encourage all customers to take advantage of the updates to protect their devices and personal information from cyberthreats.”

Archer News also asked the operating system providers and original equipment manufacturers named by the FTC for a response. Some companies said they are working on providing answers, and Archer News will post those responses as they come in.

Answering to the government

The federal agencies gave the companies 45 days to respond to their requests. That prompted jeers and jokes from some Android users.

“If their response is as slow as the update process they will be in trouble,” wrote one user.

“’Uh, well, you see, um, the reasons these updates were delayed are……’” said another. “*Insert exponentially long wait time here*.”

Some worry that companies will try to duck the tough questions, like the FCC’s queries about transparency with customers, such as “Are consumers notified at the time of sale how long security updates will be provided or supported for their device by [Carrier]? Are consumers notified when security updates to their mobile devices are no longer supported?”

“Wonder how AT&T is going to spin this? They have updates from manufacturers…and sit on them,” wrote an Android user on a forum. “Dis gon be good!”

“I doubt this will bother any US carriers,” said another user. “They’ll forward the questions to their legal department, and the responses will be so filled with qualifiers and double-speak as to be completely meaningless.”

The FCC said the inquiries will help it better understand the mobile device security ecosystem, so it can make changes if needed. The FTC sent letters not just to the companies dealing with Android issues, but also to the companies that provide prompt updates.

Some users say it may take federal action to get the security updates they need.

“I hope they start imposing fines on these lazy OEMs and the carriers that block security updates,” said one user.

Another added, “I think this can only be a good thing.”