As the volume of data stored on mobile devices, and flowing through the applications on those devices, continues to grow rapidly, it is unsurprising that mobile devices have become increasingly fertile ground for cyberattacks, particularly where mobility meets IoT in the fast-paced world of connected devices. Against this backdrop, the U.S. Federal Trade Commission recently issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”).

In its Report, the FTC notes twin requirements of reasonable security in the mobile online ecosystem: secure product design and timely/effective software patching. Focusing on the second requirement, the Report analyzed submissions from eight major mobile-device manufacturers in response to an earlier FTC request for information.

The bottom line: although industry participants have made progress in the complex and tedious software-security “update” process, significant room for improvement remains.

The Report notes that device manufacturers appear to approach the security-update process on an ad-hoc basis, weighing a variety of criteria in deciding whether and when to push out patches, including the age, popularity, and price of a particular device; support costs; the level of involvement of key partners in the process (e.g., operating-system developers and mobile carriers); the severity of the vulnerability; and the timing of the manufacturer’s next regularly scheduled update, if any.

This multi-factor decision model results in highly variable and uncertain support periods and update schedules. The FTC further concludes that manufacturers generally do not keep systematic records about the updates they issue and, consequently, cannot analyze past experience to make the process more efficient. Finally, many manufacturers are not educating users about update support, leaving people uncertain about what actions to take and why applying updates matters.

Based on these findings, the Report identifies five areas for improvement by industry participants across the mobile security ecosystem. These are only the beginning of a serious conversation that industry needs to have as IoT and connected devices continue to proliferate:

(1) Educate users about the importance of security updates and the critical role that users play in ensuring security;

(2) Continue the effort to build security directly into product design and updating processes, including creating written patching protocols to reduce the ad-hoc nature of current decision-making;

(3) Collect and share information on update support to develop a historic and comprehensive view of trends and issues;

(4) Streamline the security-update process, including deciding, as appropriate, whether to bundle security updates with functional updates or ship them separately, and speeding up testing and deployment; and

(5) Specifically for mobile-device manufacturers, provide users with more and better information about update support, including clearly communicating guaranteed support periods, expected update frequencies, and end-of-support schedules.

The Report concludes with steps that can be taken to help meet security expectations and to mitigate potential security gaps. Mobile and IoT device makers should pay close attention, but others in the mobile and connected-devices ecosystem, such as the operating-system developers and carriers noted above, should also be aware of these strategies as they engage in R&D and bring products to market.

(1) Consider patching critical vulnerabilities through security-only updates. Bundled updates usually take longer to develop and test, delaying deployment.

(2) Consider patching critical vulnerabilities on older or cheaper device models; alternatively, notify users when devices are no longer supported. Similarly, because users may purchase refurbished or older devices, they should be informed at the point of purchase of the level of support the manufacturer is offering; absent clear information on end-of-support, consumers may assume that critical vulnerabilities will be patched for as long as the device remains usable.

(3) Because users may have different security expectations depending on the price of a device, manufacturers should clearly describe patching and updating policies across product lines.

(4) Finally, mobile carriers should monitor disparities in update frequency or timeliness relative to other carriers, especially for identical devices. The same patch from a manufacturer deployed much later by one carrier than by another, for example, leaves that carrier’s users exposed for longer and may confuse them about the protections available to them.

Because IoT and connected devices are inherently about connectivity and integration, they present broader and deeper attack surfaces to attackers. As one commentator recently wrote: “For careless operators, an IoT-connected device could lead to breaches bigger and more invasive than we’ve ever seen.”

Part of the solution lies in proactive risk identification and planning, a process that the FTC’s recent Report helps to move along.

– Tony Kim