Cyber Defense Magazine

Security vulnerabilities menace privacy of millions of HTC devices

February 26, 2013, 15:17

By Pierluigi Paganini, Editor-in-Chief

The Federal Trade Commission has recently published a notice titled “HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers”, charging the Taiwanese company HTC with having sold mobile devices affected by serious security flaws.

The commission warned of security vulnerabilities in more than 18 million devices that could expose users to serious risks: an attacker could exploit the flaws to steal information stored on the device, track the user’s location, and obtain remote control of the victim’s phone to send text messages or enable the microphone to record the user’s phone calls.

“Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.

The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years,” states the public notice from the Federal Trade Commission.

Mobile security is considered a top priority for governments and private companies: mobile devices in the workplace and in daily life now outnumber desktop PCs, and a great variety of services is being offered on mobile platforms.

The principal issue raised by the Federal Trade Commission is that both the Android and Windows phones sold by HTC allowed the installation of applications that could steal personal information and give attackers remote control of the victim’s device.

It’s not the first time HTC has been accused of lacking a proper level of security: the bugs have been known since 2011, and although HTC developed software patches to fix them, similar problems still persist.

The flaws were introduced by the Taiwanese firm during its customization of the operating systems shipped on HTC devices: the company preinstalled certain apps in a way that, in addition to preventing consumers from removing them, disabled the permission-based model and allowed newly installed apps immediate access to personal data.

“To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications – Carrier IQ and HTC Loggers – as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model. Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent.”
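The two passages above describe the general class of flaw at issue: a preinstalled app that holds sensitive permissions and exposes its functionality in a way that lets any newly installed app use them, bypassing Android’s permission model. The script below is an added illustration, not code from the article, the FTC complaint or HTC, and it makes no claim about how the specific HTC flaws were implemented. It shows the audit check a defender would run over a vendor app’s AndroidManifest.xml: list the permissions the app holds, then flag every exported component that does not require callers to hold a permission, since such a component lets other apps invoke the privileged behaviour behind it. The manifest, the package name `com.example.vendorlogger` and the component names are constructed sample data.

```python
"""Audit an Android manifest for components that re-expose an app's permissions.

Added example; the sample manifest and every name in it are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical preinstalled logging app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendorlogger">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <!-- Exported and unprotected: any installed app can start it. -->
    <service android:name=".AudioCaptureService" android:exported="true"/>
    <!-- Exported, but callers must hold the app's own permission. -->
    <receiver android:name=".SmsRelayReceiver" android:exported="true"
              android:permission="com.example.vendorlogger.INTERNAL"/>
    <!-- Not exported: reachable only from inside this app. -->
    <service android:name=".UploadService" android:exported="false"/>
    <!-- No android:exported, but an intent-filter made this exported by
         default on the Android versions of that era. -->
    <receiver android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="com.example.vendorlogger.CMD"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True if other apps can reach this component.

    An explicit android:exported wins; otherwise a component with an
    intent-filter was exported by default before Android 12 (API 31).
    """
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def held_permissions(root):
    """All permissions the app requests via <uses-permission>."""
    return sorted(android_attr(e, "name") for e in root.iter("uses-permission"))


def audit_manifest(xml_text):
    """Return (held_permissions, findings).

    A finding is (component_tag, component_name) for every exported
    component that does not demand a permission from its callers.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    for component in app:
        if component.tag not in COMPONENT_TAGS:
            continue
        if is_exported(component) and android_attr(component, "permission") is None:
            findings.append((component.tag, android_attr(component, "name")))
    return held_permissions(root), findings


if __name__ == "__main__":
    perms, issues = audit_manifest(SAMPLE_MANIFEST)
    print("App holds:", ", ".join(perms))
    for tag, name in issues:
        print("UNPROTECTED EXPORTED %s: %s" % (tag, name))
```

On the sample manifest the check flags `.AudioCaptureService` and `.CommandReceiver`: together with the RECORD_AUDIO and SEND_SMS permissions the app holds, those two entry points are exactly what the FTC quote calls a bypass of the permission-based model, because an app that never requested either permission can drive them through the vendor app. `.SmsRelayReceiver` is exported but gated by the app’s own permission, and `.UploadService` is private, so neither is reported.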

In 2011 Carrier IQ was involved in a widely publicized case: the company produced an application capable of monitoring the use of a communication device without the user being able to notice it.

Trevor Eckhart demonstrated in a video published on YouTube that software from Carrier IQ recorded, in real time, every action made on a phone he had reset to factory settings prior to the test. Using a packet sniffer he showed that, even with the device in airplane mode, each numeric key tap and every text message received was logged by the software.

Once the application had been found, Carrier IQ explained its presence with unconvincing reasons, declaring that the distributed application was used exclusively for remote maintenance. Officially there was no spying intent, and the company neither retained nor analyzed the information gathered.

The company responded promptly, issuing a series of patches to fix the flaws. According to The New York Times, an HTC spokesperson announced that the Taiwanese firm had taken all the necessary steps to fix the flaws, updating the software of some of the affected devices, but not yet all of them.

“Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010,” Sally Julien, an HTC “We’re working to roll out the remaining software updates now and recommend customers download them once available.”

“Privacy and security are important,” the statement added, “and we are committed to improving practices that help safeguard our customers’ devices and data.”

The accusations against the Taiwanese manufacturer relate mainly to its failure to implement security requirements. Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer Protection, declared:

“HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices and didn’t even respond when warned about the flaws in its devices.”

The New York Times article also added that:

“HTC’s user manuals either said or implied that a user was protected against malware because of the permission-based security”

Over the next 30 days the commission will collect public comments on the proposed remedies, after which it will decide whether to formally proceed with the order.
