The FCC and the Federal Trade Commission are joining forces to look into how carriers, phone vendors and others review and release security updates for mobile devices.
Jon Wilkins, who oversees the FCC's Wireless Telecommunications Bureau, sent a letter to six mobile carriers asking about their processes and policies for patching security flaws, and the FTC simultaneously ordered eight manufacturers to provide information on how they issue security updates for smartphones, tablets and other devices.
Verizon, AT&T, T-Mobile, Sprint, U.S. Cellular and TracFone all received letters, an FCC spokesman said. Other recipients reportedly include HTC, LG, Microsoft, Motorola Mobility, Samsung, and Alphabet's Google.
The FCC's announcement of the probe cites "a growing number of vulnerabilities" associated with mobile operating systems, and it specifically names Stagefright, a group of bugs that emerged last summer and affects recent versions of Android. The bugs enable attackers to target Android phones via text message, and several patches from multiple companies have failed to fully contain it.
Nearly 1 billion Android devices around the world may be vulnerable to Stagefright, according to the FCC's announcement.
The FCC in 2012 released a "smartphone security checker" that included tips on creating passwords, backing up data and information on how to report a stolen phone. More recently, the commission said it was looking into the use of SS7, a mobile network technology with a vulnerability that allows hackers to access others' wireless data using nothing but a phone number.
"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," the FCC said in a press statement announcing the inquiry. "To date, operating system providers, original equipment manufacturers, and mobile service providers have responded to address vulnerabilities as they arise. There are, however, significant delays in delivering patches to actual devices – and that holder devices may never be patched."
The FCC said responses to its letters will be shared with the FTC and will "inform discussions with industry about possible solutions."
- see the FCC's press release
Security flaw in SS7 triggers FCC review, call for carrier action
U.S. carriers mum on 60 Minutes report on vulnerability in SS7
Report: SS7 still vulnerable more than a year after hack first reported
AT&T confirms data breach as hackers hunted for codes to unlock phones
Verizon, AT&T, Sprint and T-Mobile say customers are protected from Heartbleed bug
Verizon, AT&T, Sprint, T-Mobile and U.S. Cellular agree to new cell phone unlocking rules