Washington, DC - A new Federal Trade Commission report finds that the complexity of the mobile ecosystem means that the security update process for patching operating system software on some mobile devices is intricate and time-consuming. While noting that industry participants have taken steps to streamline the process, the report recommends that manufacturers consider taking additional steps to get more security updates to user devices faster. It also recommends that manufacturers consider telling users how long a device will receive security updates and when update support is ending.
The report is based primarily on information the FTC requested in May 2016 from eight mobile device manufacturers – Apple, Inc.; Blackberry Corp.; Google, Inc.; HTC America, Inc.; LG Electronics USA, Inc.; Microsoft Corp.; Motorola Mobility, LLC; and Samsung Electronics America, Inc. – about how they issue security updates. It also builds on information that the Federal Communications Commission requested from wireless carriers about their security updates practices.
Security researchers and government agencies agree that it is important to install security updates that patch vulnerabilities in the device’s operating system. Many of these devices, however, remain without important security updates for long periods, either because no update is issued at all, because approving and deploying a patch is a lengthy process, or because users do not install available updates. The FTC report examines certain manufacturers’ security update practices and offers recommendations on how to improve the security update process.
“Consumers use their mobile devices for a wide range of activities and want to have confidence that when they use them they will be secure,” said Acting Director of the FTC’s Bureau of Consumer Protection Tom Pahl. “Our report found, however, significant differences in how the industry deploys security updates and that more needs to be done to make it easier for consumers to ensure their devices are secure.”
A key finding of the report is that support periods (the time during which a device receives operating system updates) and update frequency vary widely, even among devices that cost the same, are made by the same company, or are serviced by the same carrier. A device may receive security updates for many years or, in some instances, may not receive any updates at all.
Devices with robust support are available but can be hard to identify because manufacturers tend to make little information about support periods available before purchase.
The FTC report offers several recommendations on ways to improve the security update process:
- Government, industry and advocacy groups should work together to educate consumers about their role in the update process and the significance of updates.
- Industry should build security into support culture and further embed security support considerations into product design, consistent with the costs and benefits of doing so. To that end, industry should ensure that devices receive security updates for a period of time consistent with consumers’ expectations.
- Manufacturers should consider keeping better records about update decisions, support length, update frequency, and update acceptance so that they can learn from their past practices.
- Companies should continue streamlining the security update process. In particular, manufacturers should consider issuing security-only updates instead of bundling security patches with general software updates.
- Manufacturers should consider adopting and disclosing minimum guaranteed support periods for their devices and notifying consumers when support is about to end.
The Commission vote approving the report was 2-0.