HTC Settles Charges It Failed to Secure Millions of Mobile Devices
Earlier this week we posted an entry about the FTC's recently released staff report on mobile payment systems, Paper, Plastic... or Mobile? An FTC Workshop on Mobile Payments. A recent settlement with HTC America, a major mobile device manufacturer, illustrates that the FTC's interest in securing such payment systems isn't just academic.
Late last month, HTC agreed to settle FTC charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The settlement requires HTC to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.
HTC develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. In order to differentiate HTC devices in the market, and to comply with the requirements of mobile network operators, HTC customized some of the software on its devices. The FTC alleged that HTC failed to employ reasonable and appropriate security practices in the design and customization of the software on its devices. Among other things, the FTC's complaint alleged that HTC failed to provide its engineering staff with adequate security training, failed to review or test the software on its devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.
As a result, the FTC alleged that HTC introduced numerous security vulnerabilities in the process of customizing its devices. Once the vulnerabilities were in place, HTC failed to detect and mitigate them; if exploited, they could have provided third-party applications with unauthorized access to sensitive information and sensitive device functionality. The sensitive device functionality potentially exposed by the vulnerabilities includes the ability to send text messages without permission, the ability to record audio with the device's microphone without permission, and the ability to install other applications, including malware, onto the device without the user's knowledge or consent. The complaint alleges that malware placed on consumers' devices without their permission could be used to record and transmit information entered into or stored on the device, including financial account numbers and related access codes or personal identification numbers. In addition, other sensitive information potentially exposed by the vulnerabilities includes location information, the contents of text messages, and the user's web and media viewing history.
The FTC noted that its settlement with HTC is part of its ongoing effort to ensure that companies secure the software and devices that they ship to consumers.
The agreement is subject to public comment until March 22nd, after which the FTC will decide whether to make the proposed consent order final.