
HTC America has settled with the FTC (Federal Trade Commission) over concerns that the company put millions of customers' personal information at risk through insecure implementations of software on its devices. The FTC found that HTC did not take reasonable care in following best coding and security practices when creating software for its devices, and had this to say:

"[HTC] failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties."

Those are some pretty strong words for the company, but where it really hits home is the consumer-facing issues that this lack of oversight caused. The FTC explains that HTC's implementation of Carrier IQ and HTC Logger on its devices left customer data vulnerable to attack, alongside errors that would let third parties bypass Android's built-in permissions system.

The second part of the FTC's complaint is that it finds HTC was deceptive in telling consumers about the security risks of its software implementations, stating that the device user manuals and the interface of the "Tell HTC" app were misleading. Both of these implementation issues are said to have undermined the normal Android consent mechanism that would otherwise have kept users' data safe.

So what does this mean for HTC? The FTC is requiring that the company develop and release software patches for the devices affected by these vulnerabilities, and HTC has said that it has already released some patches at this point. Furthermore, HTC will have to submit to "independent security assessments" every 2 years for the next 20 years. HTC will also be forbidden from making misleading statements about the security of its devices and users' data going forward.

This is a pretty big finding from the FTC, but it isn't necessarily uncommon. Although there may not have been widespread exploits taking advantage of these security holes, it's important that HTC is going to be making changes to improve security going forward. We would have preferred, though, that HTC had implemented best practices in the first place rather than waiting for an FTC investigation.

Source: FTC

Reader comments

HTC settles with FTC over insecure implementation of Carrier IQ, HTC Logger

OK, who's next?
Maybe Samsung is too big for the FTC to take on?

Because we all know they were / are installing the same spyware on their handsets at the carrier's request, just so the carrier didn't have to fess up to installing it themselves.

Hold on there. I'd say that no, Samsung isn't "too big for the FTC to take on", because the scale of the company doesn't limit the FTC's ability to look at popular handsets and determine that they're insecure.

Also, this FTC settlement isn't because HTC was using Carrier IQ. It's because, among other bad security practices, HTC was implementing the Carrier IQ (and HTC Logger) software in a way that was insecure, and then also being misleading about the way it was being implemented. The FTC is fine with Carrier IQ (and the like), assuming that it is being used in a way that doesn't expose the information collected to 3rd parties unnecessarily, and the users are aware of what it's doing.

But users aren't aware of Carrier IQ, or what it is doing, even when they click through the warnings that started to appear only after the Feds made rules about it.

And when rules were changed to require that users were notified about what it does, carriers only had to disclose what software THEY themselves installed.

So all the carriers using Carrier IQ either dropped it, or, simply had it installed at manufacture time so they didn't have to disclose it.

And all the manufacturers were complicit in this.