HTC America’s settlement with the U.S. Federal Trade Commission on Friday has the potential to revamp not only how hardware manufacturers handle the security and privacy of mobile devices, but how carriers do so, as well.
“In many ways, this settlement is a shot across the bow of the handset and wireless industry and their practice of selling and abandoning devices after a few months,” said activist Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. “If I’m in those businesses, I’m seriously looking at this settlement.”
The settlement comes in response to charges that HTC was putting the security and privacy of its customers at risk by failing to address vulnerabilities in its devices that could expose consumers to malware attacks, fraud, the loss of personal and sensitive information, and even physical harm. According to the complaint, HTC was not providing regular security patch updates to its devices, leaving consumers open to any number of intrusions by attackers, including text message toll fraud, surreptitious recording of phone calls, interception of personal data transmitted via the devices, and even the ability for a third party to physically track or stalk individuals.
“HTC failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. HTC’s practices caused, or are likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers,” the complaint says. “This practice was, and is, an unfair act or practice.”
The unfairness allegation, Soghoian said, is the key count against HTC, which was also charged with two counts of deception. By alleging unfairness, the FTC does not have to prove that a deceptive practice was in place; it has only to show harm or likely harm to consumers.
“That’s a big deal. Normally, the FTC would be going after them for lying, but here, HTC did not need to make a false statement,” he said. “The FTC opened the door to going after other handset vendors and wireless carriers for not securing devices consumers are using.”
FTC investigations are confidential until there is a resolution in a case, meaning that there could be investigations open already against other handset makers and carriers.
HTC, meanwhile, is first on the chopping block. The settlement forces the company to develop and release software patches for vulnerabilities in its devices, to establish a comprehensive security program that addresses risk during device development, and to submit to biennial independent security assessments for 20 years. The FTC also pointed out that HTC engineers were not adequately trained in secure development practices, that the company failed to review or test its devices for security vulnerabilities, and that it had no mechanism for accepting vulnerability reports from the industry.
HTC representative Sally Julien told Reuters that HTC had addressed any identified vulnerabilities on devices built and sold after December 2010. “We’re working to roll out the remaining software updates now and recommend customers download them once available,” she said.
In addition to the lack of patches and secure development practices, HTC was taken to task for the presence of a custom Android app that could download third-party applications, but without a permission check that would protect it from exploitation. Attackers could use the custom app to download malware or other malicious code without the user’s knowledge or consent. Users were also never made aware of the presence of the app or its capabilities.
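As an added illustration (not HTC's code, and all class, permission and URL names are hypothetical), this is the kind of permission gate the complaint says was missing: an exported Android service that will only download and install packages for callers holding a signature-level permission, enforced both in the manifest and again inside the Binder call.

```java
// Added example, not code from HTC or the FTC complaint; every name is hypothetical.
// An exported service that downloads and installs packages on request. Without a
// permission gate, any app on the device can hand it a URL and borrow the service's
// install privilege (permission re-delegation), which is the pattern described above.
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;

public class PackageFetchService extends Service {
    // Manifest declarations that gate startService()/bindService(). The
    // android:permission attribute on <service> is the check the vulnerable pattern
    // lacked: the system server rejects callers without it before this code runs.
    //
    //   <permission android:name="com.example.permission.FETCH_PACKAGE"
    //               android:protectionLevel="signature"/>
    //   <service android:name=".PackageFetchService"
    //            android:exported="true"
    //            android:permission="com.example.permission.FETCH_PACKAGE"/>
    static final String FETCH_PERMISSION = "com.example.permission.FETCH_PACKAGE";

    // Hypothetical AIDL interface: interface IPackageFetch { void fetch(String url); }
    private final IPackageFetch.Stub binder = new IPackageFetch.Stub() {
        @Override
        public void fetch(String url) {
            // Second layer: inside a Binder transaction the calling uid is known, so
            // the permission is re-checked in code even if the manifest is wrong.
            // (A check placed in onStartCommand() would see the service's own uid
            // instead of the caller's, which is why the manifest attribute is needed.)
            enforceCallingPermission(FETCH_PERMISSION,
                    "caller is not allowed to request package installs");
            if (!isAllowedSource(url)) {
                throw new SecurityException("refusing to fetch from " + url);
            }
            downloadAndInstall(url);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Only accept download locations the vendor controls (hypothetical allow-list).
    private static boolean isAllowedSource(String url) {
        return url != null && url.startsWith("https://updates.example.com/");
    }

    private void downloadAndInstall(String url) {
        // Fetch the APK over TLS and hand it to PackageInstaller; omitted here.
    }
}
```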
The FTC also pointed to a pair of insecure communications mechanisms used to talk to logging applications that carriers use to diagnose problems on their networks. The first was the HTC Loggers troubleshooting tool, installed on 12.5 million Android devices, which collected sensitive information from device logs; the FTC said the tool undermined Android's permission-based security model, that its communication mechanism could be exploited, and that the data it collected could be exposed. The second was the Carrier IQ diagnostics software present on more than 10 million Android devices and 330,000 Windows phones built by HTC; the data it collected was determined to be open to exploitation as well.
Rep. Ed Markey (D-MA) said in a statement the FTC sent a signal to the mobile market that the security of personal data must be enforced.
“Consumers should know and have the ability to say ‘No’ to software on their mobile devices that is surreptitiously sending their personal data,” Markey said. “I introduced legislation last Congress to provide greater transparency into the sending of consumers’ personal information and empower consumers to prevent such transfer.” Markey said he plans to reintroduce the bill this Congress.
“I don’t think HTC had security as a core value after reading this complaint,” Soghoian said. “It’s not like they’re going to develop security religion overnight. Look at Microsoft, it took a letter from the CEO and years of work to train engineers to the point where it delayed the release of Windows Vista. HTC had not seen the light; it looks like they’ll have to change the way they do business.”
Soghoian took wireless carriers to task during a presentation at the recent Kaspersky Lab Security Analyst Summit for their unwillingness to provide regular device updates, and asked carriers such as AT&T, Verizon, Sprint and T-Mobile to reverse their practices or cede control to Google, which maintains the Android code base. Soghoian called the situation a crisis, illustrating his point with evidence that updates are pushed to devices at the discretion of the carrier and/or hardware manufacturer. That does not happen often, he said, because when Google updates Android, engineers at the respective carrier or device maker have to adapt the update for each device that runs the OS, which eats into potential profit. Instead, he said, engineers are usually focused on the next revision of a device rather than on patching what is already in circulation.
Friday’s settlement could force the vendors to do an about-face.
“The carriers know things are bad, but they have taken advantage of the fact that consumers don’t know how bad it is; they think their phones are updated just as their computers are,” Soghoian said. “The climate is changing with regard to cybersecurity in Washington, and agencies are looking for things to show how they’re improving security. I think the wireless carriers are going to have a gigantic target on their backs. The update practices of the carriers are embarrassing. Hopefully this is not the last action we’ll see.”