Serious security flaws affect millions of HTC mobile devices

Pierluigi Paganini February 25, 2013

This is news that is making a lot of noise: more than 18 million devices sold by the Taiwanese company HTC had security flaws that could expose users to serious risks. In particular, the bugs could allow the theft of information stored on the phone and the tracking of the user’s location.

The vulnerabilities appear serious according to the Federal Trade Commission, which published an advisory titled “HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers” charging HTC with having released products that expose users’ privacy to concrete risks. Mobile security is a critical issue: an increasing number of services, from banking to entertainment, is provided through mobile platforms, and for this reason the Federal Trade Commission monitored the activities of the popular manufacturer.

“Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.

The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years,” declared the Federal Trade Commission.

Both Android and Windows phones were affected by flaws that allowed the installation of malicious software able to steal personal information and to give attackers complete control of the victim’s device (e.g. sending text messages or enabling the microphone to record the user’s phone calls). The flaws are related to the customization of the operating systems made by HTC: the company preinstalled certain apps in a way that, in addition to preventing consumers from removing them, disabled the permission-based model and allowed newly installed apps to have immediate access to personal data.

“To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications – Carrier IQ and HTC Loggers – as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model. Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent.”
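The permission bypass the FTC describes, as an added example written for this article rather than code from the page, the complaint or HTC: a pre-installed app that was granted SEND_SMS exposes a service to other apps and relays SMS requests using its own grant (the flawed path), unless it verifies that the calling app holds that permission itself (the fix). The class name, transaction code and `LEGACY_TRUST_ANY_CALLER` switch are hypothetical.

```java
// Added example (not code from the article, the FTC complaint or HTC):
// the Android permission-delegation flaw the FTC describes. A pre-installed
// app that was granted SEND_SMS exposes a service to other apps; if it acts
// on requests with its own grant, a newly installed app that asked for no
// permission at all can send text messages through it. Names are hypothetical.
import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;
import android.util.Log;

public class MessagingBridgeService extends Service {
    private static final String TAG = "MessagingBridge";
    static final int TRANSACTION_SEND_SMS = IBinder.FIRST_CALL_TRANSACTION;
    // true reproduces the flawed behaviour (every caller trusted); false is the fix.
    private static final boolean LEGACY_TRUST_ANY_CALLER = false;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_SEND_SMS) {
                return super.onTransact(code, data, reply, flags);
            }
            String to = data.readString();
            String body = data.readString();
            // Inside onTransact we are handling the caller's IPC, so
            // checkCallingPermission() evaluates the calling UID, not our own
            // (outside an IPC it always denies, which is why the check lives here).
            if (!LEGACY_TRUST_ANY_CALLER
                    && checkCallingPermission(Manifest.permission.SEND_SMS)
                            != PackageManager.PERMISSION_GRANTED) {
                // Worth logging: an app without SEND_SMS tried to relay through us.
                Log.w(TAG, "rejected SMS relay from uid " + Binder.getCallingUid());
                throw new SecurityException("caller lacks SEND_SMS");
            }
            // Reached only by callers that were themselves granted SEND_SMS at
            // install time, which is what Android's permission model intends.
            SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
            return true;
        }
    };
    @Override
    public IBinder onBind(Intent intent) { return binder; }
}
```

The manifest-level complement is to declare the service with android:exported="false", or with android:permission="android.permission.SEND_SMS" so the framework enforces the same check before onTransact runs.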

When I read about Carrier IQ I remembered the clamorous case that occurred in December 2011: the company produced an application capable of monitoring the use of the device without the user being able to notice it.

Trevor Eckhart posted a video on YouTube to demonstrate how software from Carrier IQ recorded, in real time, every action made on the handset, which he had reset to factory settings prior to the test. With a packet sniffer he demonstrated that, despite his device being in airplane mode, each numeric tap and every text message received were logged by the software.

Once the application was found, Carrier IQ justified it citing unconvincing reasons: it declared that the distributed application was used exclusively for remote maintenance. Officially there was no spying intent, and the company neither retains nor analyzes the information gathered.

HTC provided a prompt response, issuing a series of patches to fix the vulnerabilities and “creating a security program that will be monitored by an independent party for the next 20 years,” according to The New York Times.

An official HTC spokesperson announced that the company had taken all the necessary steps to fix the problems, starting with software updates for some of the affected devices.

“Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010,” said Sally Julien, an HTC spokeswoman. “We’re working to roll out the remaining software updates now and recommend customers download them once available.” “Privacy and security are important,” the statement added, “and we are committed to improving practices that help safeguard our customers’ devices and data.”

The accusations against the Taiwanese manufacturer are mainly related to the failure to implement security requirements. Lesley Fair, a senior attorney in the commission’s Bureau of Consumer Protection, declared:

“HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices and didn’t even respond when warned about the flaws in its devices.”

Another disturbing aspect is that the bugs have been known since 2011, and HTC has developed software patches to fix them.

The article posted on the NYT also added that:

“HTC’s user manuals either said or implied that a user was protected against malware because of the permission-based security”

In the next 30 days the commission will collect public comments on the proposed remedies, after which it will decide whether to formally proceed with the order.

Let’s see what happens…

Pierluigi Paganini
