FTC's Mobile Security Updates and Recommendations on Mobile Device Security

By Special Guest
John Warnagiris, Senior Project Manager, The Teneo Group
March 19, 2018

On February 28, 2018 the Federal Trade Commission (FTC) issued a report on security of Mobile Devices. The report focused on patch updates and their policies, risks for the complex ecosystem, and recommendations for improved security. The 136 page report can be found on the FTC.gov website.

A press release accompanied the report calls for more education for security of mobile devices. In the release, Acting Director of the FTC’s Bureau of Consumer Protection, Tom Pahl points to “significant differences in how the industry deploys security” and “that more needs to be done.”

The following is a high-level summary and commentary on this issue. In Teneo’s opinion, the lessons learned from this report apply to any wireless-enabled device, including consumer smartphones, corporate-owned devices, Internet of Things (IoT), watches, glasses and tablets.

Diverse Ecosystem with Complex and Inconsistent Security

Although the bulk of mobile devices are manufactured by eight global companies, there are a staggering amount of variations by platform, brand and carrier. All of these devices can be operating customized operating systems with little or no version control.

The FTC report points out “consumers can choose from thousands of different device-service combinations at a wide variety of price points.” However, these options come at the cost of security. “Operating system customization at the device level can prevent uniform security patch application, increase the time and cost to develop, test, and deploy security updates, and may lead to shorter update support periods and less frequent updates.”

Uncertain Security Updates

With such a complex ecosystem, security patches and updates are difficult to verify and control.  The current environment relies on several stakeholders to be successful in performing their roles: developers, manufacturers, carriers and device owners. 

  • If the best patched OS is never installed by the owner, the device is at risk.
  • If the carrier delays in reviewing and balks at security update because it can break some of its apps, the device is at risk.
  • If the manufacturer’s attention is on the newest, greatest release, and the older version isn’t getting updated as often, the device is at risk.
  • When you add into the equation the apps on the device, the frequency of their updates, and whether they are supported at all, the security of these devices should be a concern for serious network professionals.

All of these risk factors increase as the number of users on your network grows.

Time to Update

The FTC also looked at the support data from each device manufacturer. The report reaches a clear conclusion that variation in update support periods is the norm, adding that “about a quarter of the devices were supported for less than one year” and that “some devices are sold after update support has ended.”

The report goes on to look at the time to release a patch for a known vulnerability and finds, not surprisingly, that newer devices are patched faster than older devices.  The more popular the device, the more quickly it is patched and, for new operating systems, “although many vulnerabilities were patched within 250 days, it took much longer to patch many vulnerabilities.”

This lack of certainty puts even the best security professionals in a difficult position. As one of the fundamental tenants of network security, you need to know and trust the devices on your network. How can you trust a device with these flaws?


Some of the risks the FTC’s report focuses on include:

  • Mobile Malware: Bad actors have been increasing their attention on mobile and their attacks have been rising with a 400 percent increase in 2016, according to Pew Research;
  • Extorted money: From ransomware attacks at $100 - $300 per device;
  • Spyware & Phishing: Harvested financial information, passwords, banking information and passwords;
  • Hidden Malware: Hidden in 200 recreational apps that turn devices into a backdoor to networks; and
  • SMS attacks: SMS attacks have unsuspecting device owners subscribing to services for a fee.

Although these examples may seem like an inconvenience – and they are – they are a large and real threat for network security professionals. Compromised devices are the foothold the threat actors use to establish a presence, harvest information, gain intelligence on their targets, and identify their weakness. They may sell that information or deliver a payload that is customized for their target.

Although the report did not reference this recent incident specifically, the University of Virginia Heath System’s breach, was determined to be caused by physician devices that were infected with malware. This incident confirms the FTC’s security fears.  Not only are the attacks happening, but they are going undetected for months, if not years.


The FTC makes several recommendations to improve the security of mobile devices.

  • Education – The role and the need for security on mobile devices;
  • Start with Security – The mobile ecosystem has already proven itself adept at starting with security in number of ways, such as implementing physical security controls, sandboxing, and encryption for mobile devices and data;
  • Shared Responsibility – Between manufactures, carriers and developers to share reasonable security update support;
  • Learn from the Past – The industry should consider recording more data in a more careful way;
  • Adjust the Security Update Process – Continue to streamline the security update process, from patch development through deployment; and
  • Embrace Greater Transparency – Manufacturers should consider providing consumers with more and better information about their security update support practices.


The FTC’s report sheds good light on the issue of the Security of the Mobile Devices. For network professionals, this threat has been known, but it always something that was on the horizon. Today, that threat is on top of us and can no longer be ignored.

Before the original iPhone’s debut in 2007, most data was accessed by your endpoint, via your wire to your data center. Today, that same data is accessed via the cloud on a foreign network with a BYOD device. Mobile devices, cloud computing, and the perimeter-less networks demand different tools to properly secure the network.

Today’s network security professional demands the tools that can help identify and trust the device regardless of how they are accessing your data. These tools help regain visibility into the network so that the network is more secure.

What is your opinion? What steps do you secure your network with these security holes?

If you have any questions or need clarification on how to best secure your mobile devices (regardless of OS, manufacturer, carrier, owned or BYOD) reach out to me or your Teneo engineer for assistance.

About the Author: John Warnagiris is a Green Belt, PMP and the Senior Project Manager at The Teneo Group where he oversees Client Relations, Business Development, and Marketing. He combines his understanding of Six Sigma & PM along with 30+ years of practical leadership experience to help achieve their mission of securing the networks and data of their clients.

Edited by Erik Linask

Related Articles

Compliance: Hope Is Not a Plan

By: Special Guest    8/1/2018

Internal misalignment between compliance and business teams can lead to major problems for organizations seeking to implement new digital communicatio…

Read More

Modern Moms Shaping Influence

By: Maurice Nagle    7/19/2018

Everyone knows Mom knows best. The internet is enabling a new era in sharing, and sparking a more enlightened, communal shopping experience. Mommy blo…

Read More

Why People Don't Update Their Computers

By: Special Guest    7/13/2018

When the WannaCry ransomware attacked companies all over the world in 2017, experts soon realized it was meant to be stopped by regular updating. Even…

Read More

More Intelligence About The New Intelligence

By: Rich Tehrani    7/9/2018

TMC recently announced the launch of three new artificial intelligence events under the banner of The New Intelligence. I recently spoke with TMC's Ex…

Read More

Technology, Innovation, and Compliance: How Businesses Approach the Digital Age

By: Special Guest    6/29/2018

Organizations must align internally to achieve effective innovation. Companies should consider creating cross-functional teams or, at a minimum, incre…

Read More