FTC whips HTC over poor software coding, developer training and researcher outreach

The American arm of Taiwan-based Windows and Android smartphone and tablet maker HTC has settled charges with the Federal Trade Commission (FTC) that it failed to secure its device software, which left potentially millions of customers vulnerable to information theft.

The FTC alleged that HTC "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties," according to a news release on Friday.

The FTC contended that HTC's devices contained a number of vulnerabilities that could have allowed attackers to send text messages, record audio or install data-stealing malware, affecting millions of users. One well-publicized incident occurred in October 2011, when HTC confirmed that its Android phones contained a major vulnerability that could be exploited by a third party to steal personal information from users. Another, last February, involved some HTC mobile devices containing a software bug that could enable miscreants to steal a user's Wi-Fi credentials and network name.

The agency also called out the "insecure implementation" of two pieces of diagnostic and monitoring software – Carrier IQ and HTC Loggers – deemed threats by some security researchers because end users were not made aware of the applications' behaviors and weren't given the opportunity to opt out.

In addition, HTC America was accused by the FTC of creating user manuals that contained deceptive wording.

The settlement (PDF) with HTC America requires the company to distribute fixes for any outstanding vulnerabilities, as well as establish a "comprehensive security program" and submit to security audits every other year for 20 years. Further, HTC America is barred from "making any false or misleading statements about the security and privacy of consumers' data on HTC devices."

An HTC America spokesperson did not immediately reply to a request for comment.

UPDATE: HTC has released a statement: "Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available."
