FTC Report on Mobile Security Updates Has Lessons for IoT

The Federal Trade Commission (FTC) today released a major report on mobile security update practices. In Mobile Security Updates: Understanding the Issues, the FTC wraps up several engagements and an inquiry undertaken in partnership with the Federal Communications Commission (FCC) into mobile phone security updates. The agency drew from information from and about carriers and manufacturers to identify numerous attributes of the current system and make suggestions for future refinement.

THE LAY OF THE LAND

The FTC characterizes the mobile phone security ecosystem, finding that:

• Because of the complexity of the mobile ecosystem, the security update process can be complex and time-consuming.

• Industry participants have taken steps to streamline the security update process but bottlenecks remain.

• Support periods and update schedules are highly variable.

• Device manufacturers that develop and control their own operating systems tend to commit in advance to longer support periods (usually for several years) for devices.

• Some device manufacturers state that they do not commit to firm update support periods or schedules because they cannot anticipate market conditions.

• Many device manufacturers do not maintain regular records about update support.

• Manufacturers provide little express information about support period, update frequency, and end of update support.

The Report acknowledges that “the mobile ecosystem’s diversity provides extensive consumer choice, but also contributes to security update complexity and inconsistency.” This complexity is driven by the existence of thousands of device variants and the challenges of updating across a diverse set of devices, customized operating systems and carrier networks. IoT promises even more variation.

RECOMMENDATIONS TO THE ECOSYSTEM

The FTC makes several recommendations geared toward manufacturers and the broader smartphone market, which it believes can improve overall security.

• First, the FTC sees an “opportunity for government, industry, and advocacy groups to work together to educate consumers about their role in the operating system update process and the significance of security update support.”

• Second, the FTC sees “an opportunity for industry—device manufacturers, operating system developers, and wireless carriers—to continue their efforts to “start with security” … and ensure that all mobile devices receive operating system security updates for a period of time that is consistent with consumers’ reasonable expectations.”

• Third, the FTC says that companies “involved in the security update process should consider keeping and consulting records about support length, update frequency, customized patch development time, testing time, and uptake rate” and should consider sharing that information with partners.

• Fourth, the FTC urges industry to “continue to streamline the security update process.” The Report encourages companies to “patch vulnerabilities in security-only updates when the benefits of more immediate action outweigh the convenience of a bundled security-functionality update.”

• Finally, the FTC “recommend[s] that device manufacturers consider giving consumers more and better information about security update support.” Here, they have in mind “adopting and disclosing minimum guaranteed security support periods (and update frequency)” and providing “prompt notice when security support is about to end.”

LESSONS FOR THE INTERNET OF THINGS

The FTC’s perspective and recommendations are significant, particularly for those offering connected IoT devices of varied capabilities to consumers and other end users in the future. We offer a few observations from the Report.

Consumer disclosures are top of mind. The FTC’s unmistakable interest in consumer disclosures puts front and center a complex and controversial concept: consumer communications about security updates. This has been studied, for example, at the National Telecommunications and Information Administration (NTIA) in their recent effort on patching, which confirmed that consumer expectations are far from settled and uniform, clear disclosures on security will not be easy.

Against this backdrop, the FTC’s call for broader consumer education is important. Industry and other stakeholders have argued that the nation may need a broader and more effective effort to educate digital citizens. As we face a connected future in which end users may be managing ever more sophisticated devices, they need to understand their responsibilities. Managed IoT services may obviate the need for some consumer action, but the government could streamline the many tips, best practices, and guidelines now competing for consumer attention.

Broader Internet security and perceived externalities make an appearance. The FTC cites examples of malware being used to “turn[] mobile devices into weapons.” The FTC cites only a few instances affecting smart phones, which are relatively free in the United States from malware. But the emphasis on possible national security impacts echoes broader concerns about automated distributed threats, such as botnets, using IoT devices. This has been the subject of government interest in several settings, and it appears the FTC will remain vigilant about these issues. Indeed, in reminding companies that they remain responsible for providing “reasonable security,” the FTC notes that “manufacturers are better positioned than consumers to assess security risks to complex software, particularly where third parties suffer significant harm from attack (e.g., the targets of botnets built from compromised mobile devices).”

CONCLUSION

Security is top of mind for policymakers and enforcement authorities looking to a connected future. Whether it is about mobile phones or other connected devices in the future, the FTC and other regulators will remain interested and ready to step in to protect consumers.