FTC whips HTC over poor software coding, developer training and researcher outreach

The American arm of Taiwan-based Windows and Android smartphone and tablet maker HTC has settled charges with the Federal Trade Commission (FTC) that it failed to secure its device software, which left potentially millions of customers vulnerable to information theft.

The FTC alleged that HTC "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties," according to a news release on Friday.

The FTC contended that HTC's devices contained a number of vulnerabilities that could have allowed attackers to send text messages, record audio or install data-stealing malware, affecting millions of users. One well-publicized incident occurred in October 2011, when HTC confirmed that its Android phones contained a major vulnerability that could be exploited by a third party to steal personal information from users. Another, last February, involved some HTC mobile devices containing a software bug that could enable miscreants to steal a user's Wi-Fi credentials and network name.

The agency also called out the "insecure implementation" of two pieces of diagnostic and monitoring software, Carrier IQ and HTC Loggers, deemed threats by some security researchers because end users were not made aware of the applications' behaviors and weren't given the opportunity to opt out.

In addition, HTC America was accused by the FTC of creating user manuals that contained deceptive wording.

The settlement (PDF) with HTC America requires the company to distribute fixes for any outstanding vulnerabilities, as well as establish a "comprehensive security program" and submit to security audits every other year for 20 years. Further, HTC America is barred from "making any false or misleading statements about the security and privacy of consumers' data on HTC devices."

An HTC America spokesperson did not immediately reply to a request for comment.

UPDATE: HTC has released a statement: "Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available."
