News Column

HTC Admits Security Flaws in US Civil Case Settlement

Feb 25, 2013

Edward Wyatt

As part of a settlement with the U.S. Trade Commission, the Taiwanese electronics company has agreed to fix security breaches on its smartphones.

More than 18 million smartphones and other mobile devices made by HTC, a Taiwanese company that is one of the largest sellers of smartphones in the United States, had security flaws that could allow location tracking of users against their will and the theft of personal information stored on their phones, U.S. government officials have said.

The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

The action is the first attempt by the commission to police a manufacturer of mobile devices.

HTC America, based in Bellevue, Washington, agreed to settle the civil suit with the commission by issuing software patches that close the security holes and by creating a security program that will be monitored by an independent party for the next 20 years. The F.T.C. does not have the authority to assess fines in consumer protection cases.

"The company didn't design its products with security in mind," Lesley Fair, a senior lawyer in the commission's Bureau of Consumer Protection, wrote in a blog post on Friday. "HTC didn't test the software on its mobile devices for potential security vulnerabilities, didn't follow commonly accepted secure coding practices and didn't even respond when warned about the flaws in its devices."

An HTC official said Friday that the company had already started to update its software. "Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010," Sally Julien, a spokeswoman, said in a statement. "We're working to roll out the remaining software updates now and recommend customers download them once available."

The trade commission charged that the security flaws had resulted from HTC's modifying the operating system software used on most of the affected phones. In the case of Android, created by Google, the system is designed to protect sensitive information and phone functions through what is known as a permission-based security model.

That requires a user, when installing an application that is not a standard part of the operating system, to be notified and to agree that the application could gain access to certain information or functions. HTC, however, preinstalled certain apps on its phones in a way that disabled the permission-based model.

"The analogy isn't exact," wrote Ms. Fair of the F.T.C., "but it's like giving a friend the combination to a safe, only to find out he's handing it over to anyone who asks."

Flaws in the security system could also give third-party apps access to phone numbers, browsing history and information like credit card numbers and banking transactions. Those flaws also affected HTC phones that used Windows-based operating systems.

The flaw in the company's phones has been known since at least 2011. HTC acknowledged the problems at that time and developed software patches for some of the deficiencies that year.

But the problems were far from minor. The F.T.C. said that text- message toll fraud, in which a hacker causes a phone to send text messages to a number that charges the user for delivery of the message, "is one of the most common types of Android malware."

The commission will collect public comments on the proposed remedies for 30 days, after which it will decide whether to carry out the order formally. If HTC subsequently violated the order's restrictions and requirements, it would face civil penalties of as much as $16,000 a violation.

Source: (C) 2013 International Herald Tribune. via ProQuest Information and Learning Company; All Rights Reserved

Story Tools Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters