Apple, Google questioned over security patches
Apple and Google will be questioned by U.S. regulators over how they patch security flaws.
The Federal Communications Commission and Federal Trade Commission sent letters to the two Silicon Valley-based companies in addition to BlackBerry, HTC America, LG Electronics USA, Microsoft, Motorola Mobility and Samsung Electronics, according to Bloomberg. The regulators want to know how the companies release security updates to prevent hackers from breaching devices. Similar letters were also sent to mobile carriers such as AT&T, Verizon Communications, T-Mobile, Sprint, U.S. Cellular and TracFone Wireless.
“As consumers and businesses turn to mobile broadband to conduct ever more of their daily activities, the safety of their communications and other personal information is directly related to the security of the devices they use,” the government agencies wrote in a statement.
The statement continued, “Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered. To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices — and older devices may never be patched.”
The inquiry comes in the wake of several vulnerabilities that exposed security issues in both Android and iOS devices over the past year. Last summer, Android devices were threatened by the Stagefright vulnerability, which would have allowed hackers to take over an Android device with a text message. Another study revealed that almost 87 percent of Android devices are exposed to security bugs due to Android handset makers’ failure to deliver patches. Google promised to update Android security more regularly following the discoveries.
The FBI/Apple fallout over encryption and backdoors caused some to point out that Apple’s lack of a bug bounty program may leave it vulnerable to hackers looking for a payout. While companies like Google, Microsoft, Facebook and Twitter pay third-party hackers to turn over bugs in their products and services, Apple offers only a congratulations on its website.
The FBI was able to use a third party to crack into the iPhone in the recent case of a San Bernardino shooter and did not disclose the weakness to Apple. Earlier this year, Johns Hopkins University researchers discovered another weakness in Apple’s encryption which allows hackers to decrypt photos and videos sent by iMessage, according to the Washington Post.
The FCC and FTC are asking the notified companies to list the mobile devices they’ve offered for sale in the U.S. since August 2013, the vulnerabilities associated with the devices and whether or not they’ve offered patches.
Source | BizJournals