A new Federal Trade Commission report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. While noting that industry participants have taken steps to streamline the process, the report recommends that manufacturers consider taking additional steps to issue more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support will end.
The report’s findings are based chiefly on information the FTC requested in May 2016 from eight mobile device manufacturers about how they issue security updates. The findings also build on information that the Federal Communications Commission requested from wireless carriers about their security updates practices. The manufacturers include: Apple, Inc.; BlackBerry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc.
Cybersecurity researchers and government agencies often emphasize the importance of installing security updates as soon as they are available because they patch vulnerabilities in a device’s operating system that are well known by hackers and criminals. Many of these devices, however, remain without important security updates for long periods because an update is not issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates.
The FTC report examines certain manufacturers’ security update practices and offers recommendations on how to improve the security update process. Recognizing that consumers use their mobile devices for a wide range of activities, including financial transactions and obtaining government services, the FTC says consumers must have confidence that when they use their devices their personal information will remain secure.
“Our report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection.
A significant finding of the report is that support periods, the time during which a device receives operating system updates, and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years — or, in some instances, may not receive any updates at all.
Devices with robust support are available but can be hard to identify because manufacturers tend to make little information about support periods available before purchase, according to the FTC report.
The FTC report offers several recommendations on ways to improve the security update process:
- Government, industry and advocacy groups should work together to educate consumers about their role in the update process and the criticality of making sure their devices are up-to-date with the latest cybersecurity patches.
- Industry should build security into its support culture and further embed security support considerations into product design that is consistent with the costs and benefits of doing so. To that end, industry should ensure that devices receive security updates for a period of time consistent with consumers’ expectations.
- Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so that they can learn from their past practices.
- Companies should continue to streamline the security update process. In particular, manufacturers should consider issuing security-only updates instead of bundling security patches with periodic general software updates.
- Manufacturers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).