
FTC whips HTC over poor software coding, developer training and researcher outreach

The American arm of Taiwan-based Windows and Android smartphone and tablet maker HTC has settled charges with the Federal Trade Commission (FTC) that it failed to secure its device software, leaving potentially millions of customers vulnerable to information theft.

The FTC alleged that HTC "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties," according to a news release on Friday.

The FTC contended that HTC's devices contained a number of vulnerabilities that could have allowed attackers to send text messages, record audio or install data-stealing malware, affecting millions of users. One well-publicized incident occurred in October 2011, when HTC confirmed that its Android phones contained a major vulnerability that a third party could exploit to steal personal information from users. Another, the previous February, involved some HTC mobile devices containing a software bug that could enable miscreants to steal a user's Wi-Fi credentials and network name.

The agency also called out the "insecure implementation" of two pieces of diagnostic and monitoring software, Carrier IQ and HTC Loggers, which some security researchers deemed threats because end users were not made aware of the applications' behavior and were not given the opportunity to opt out.

In addition, the FTC accused HTC America of publishing user manuals that contained deceptive wording about device security.

The settlement with HTC America requires the company to distribute fixes for any outstanding vulnerabilities, establish a "comprehensive security program" and submit to independent security audits every other year for 20 years. Further, HTC America is barred from "making any false or misleading statements about the security and privacy of consumers' data on HTC devices."

An HTC America spokesperson did not immediately reply to a request for comment.

UPDATE: HTC has released a statement: "Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available."
