Serious security flaws affect millions of HTC mobile devices

This is news that is making a lot of noise: more than 18 million devices sold by the Taiwanese company HTC shipped with security flaws that could expose users to serious risks. In particular, the bugs could allow the theft of information stored on the device and the tracking of the user’s location.

The vulnerabilities are serious according to the Federal Trade Commission, which published a press release titled “HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers” charging HTC with having released products that exposed users’ privacy to concrete risks. Mobile security is a critical issue: an increasing number of services, from banking to entertainment, is delivered through mobile platforms, and for this reason the Federal Trade Commission monitored the activities of the popular manufacturer.

“Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.

The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years,” the Federal Trade Commission declared.

Both Android and Windows-based HTC phones were affected by flaws that allowed the installation of malicious software able to steal personal information and to give attackers complete control of the victim’s device (e.g. sending text messages, or enabling the microphone to record the user’s phone calls). The flaws are related to HTC’s customization of the operating systems: the company preinstalled certain apps in a way that, in addition to preventing consumers from removing them, undermined the permission-based model and allowed newly installed apps to have immediate access to personal data without the user granting any permission.

“To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC’s devices, including the insecure implementation of two logging applications – Carrier IQ and HTC Loggers – as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model. Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent.”
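The class of flaw the complaint refers to, a preinstalled app that holds a dangerous permission and exposes it to any other app, is commonly called permission re-delegation. The following is an added illustration written for this article, not HTC’s code and not taken from the FTC complaint: a hypothetical vendor app holding SEND_SMS exports a broadcast receiver that sends whatever text it is handed, so an app with no permissions at all can send SMS through it, which is exactly how a preinstalled app “bypasses” Android’s permission model. The package, class, action and extra names (com.example.vendor.smsproxy, SmsProxyReceiver, com.example.vendor.SEND_SMS, VendorApp) are assumptions.

```java
// Added illustration of Android permission re-delegation. Hypothetical vendor
// code, not HTC's: package, class, action and extra names are assumptions.
// File: SmsProxyReceiver.java
package com.example.vendor.smsproxy;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.telephony.SmsManager;

/*
 * VULNERABLE pattern. The preinstalled app requests SEND_SMS for itself and
 * exports this receiver with no android:permission attribute:
 *
 *   <uses-permission android:name="android.permission.SEND_SMS"/>
 *   <receiver android:name=".SmsProxyReceiver" android:exported="true">
 *     <intent-filter><action android:name="com.example.vendor.SEND_SMS"/></intent-filter>
 *   </receiver>
 *
 * Any installed app, holding no permissions at all, can now send SMS by
 * broadcasting the action, so the user never sees a SEND_SMS prompt:
 *
 *   sendBroadcast(new Intent("com.example.vendor.SEND_SMS")
 *       .putExtra("to", "+15550100").putExtra("body", "premium text"));
 */
public class SmsProxyReceiver extends BroadcastReceiver {
    public static final String ACTION = "com.example.vendor.SEND_SMS";
    static final String EXTRA_TO = "to";
    static final String EXTRA_BODY = "body";

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION.equals(intent.getAction())) return;
        String to = intent.getStringExtra(EXTRA_TO);
        String body = intent.getStringExtra(EXTRA_BODY);
        if (to == null || body == null) return;
        // The receiver lends its own SEND_SMS permission to whoever broadcast
        // the intent. Note that calling ctx.checkCallingOrSelfPermission() here
        // would NOT fix this: onReceive is not a Binder call from the sender,
        // so the check resolves to the receiving app itself and always passes.
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
    }
}

// File: VendorApp.java
package com.example.vendor.smsproxy;

import android.Manifest;
import android.app.Application;
import android.content.IntentFilter;

/*
 * HARDENED pattern. For broadcast receivers the sender's permission can only
 * be enforced by the system, so the guard is declared rather than coded. Either:
 *
 *  (a) in the manifest, require callers to hold SEND_SMS themselves:
 *      <receiver android:name=".SmsProxyReceiver" android:exported="true"
 *                android:permission="android.permission.SEND_SMS"> ... </receiver>
 *
 *  (b) or, when the receiver is registered at runtime, pass the required
 *      permission as the third argument (below). A zero-permission caller's
 *      broadcast is then dropped by the system before onReceive runs, and
 *      logcat shows "Permission Denial: broadcasting Intent ...".
 *
 * If only the vendor's own apps need the component, android:exported="false"
 * (or a signature-level custom permission) is stronger still: the SMS
 * capability is then not exposed to third-party apps at all.
 */
public class VendorApp extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        // Same receiver class, but the system now checks the sender. On API 33+
        // the overload with a flags argument (Context.RECEIVER_EXPORTED) should
        // be used instead, since the flag became mandatory for targetSdk 34.
        registerReceiver(
                new SmsProxyReceiver(),
                new IntentFilter(SmsProxyReceiver.ACTION),
                Manifest.permission.SEND_SMS,   // sender must hold this itself
                null);                          // deliver on the main thread
    }
}
```

To verify a fix of this kind, build a test app that requests no permissions and sends the broadcast: against the vulnerable build the SMS goes out, against the hardened build the broadcast is silently refused and the denial appears in logcat. The same test applies to any exported activity, service or content provider of a preinstalled app that performs a privileged action on behalf of its caller.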

When I read about Carrier IQ I remembered the clamorous case that occurred in December 2011: the company produced an application capable of monitoring the use of the communication device without the user being able to notice it.

Trevor Eckhart posted a video on YouTube demonstrating how the Carrier IQ software recorded, in real time, every action performed on a handset that he had reset to factory settings before the test. Using a packet sniffer, he showed that even with the device in airplane mode every numeric keypress and every text message received was logged by the software.

Once the application was discovered, Carrier IQ justified it with unconvincing reasons, declaring that the distributed application was used exclusively for remote maintenance. Officially there was no spying intent, and the company denied that it retained or analyzed the information gathered.

HTC responded promptly, issuing a series of patches to fix the vulnerabilities and “creating a security program that will be monitored by an independent party for the next 20 years”, according to The New York Times.

An HTC spokesperson announced that the company had taken the necessary steps to address the issues and had started to update the software on some of the affected devices.

“Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010,” said Sally Julien, an HTC spokesperson. “We’re working to roll out the remaining software updates now and recommend customers download them once available.” “Privacy and security are important,” the statement added, “and we are committed to improving practices that help safeguard our customers’ devices and data.”

The accusations against the Taiwanese manufacturer mainly concern the failure to implement basic security requirements. Lesley Fair, a senior attorney in the commission’s Bureau of Consumer Protection, declared:

 “HTC didn’t test the software on its mobile devices for potential security vulnerabilities, didn’t follow commonly accepted secure coding practices and didn’t even respond when warned about the flaws in its devices.”

Another disturbing aspect is that the bugs had been known since 2011, and HTC has only now developed the software patches to fix them.

The New York Times article also added that:

“HTC’s user manuals either said or implied that a user was protected against malware because of the permission-based security”

Over the next 30 days the commission will collect public comments on the proposed remedies, after which it will decide whether to formally proceed with the order.

Let’s see what happens…

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
