HTC America and the US Federal Trade Commission have settled over charges brought by the FTC that HTC failed to secure millions of its smartphones and tablets. As part of the settlement, HTC America will now have to develop and release software patches for “millions of HTC devices” to fix the vulnerabilities. It will also have to establish a security program which will preemptively address security risks during the development of future HTC devices and it will be subject to independent security assessments once every two years for the next 20 years.
In late 2011, Trevor Eckhart, a security researcher and Android developer, decided to examine the CarrierIQ software installed on HTC handsets. He found that the CarrierIQ software on the devices was insecurely logging information including keystrokes, text messages and location information. CarrierIQ responded with a cease and desist order to Eckhart. The researcher resisted and disclosed further details. CarrierIQ pointed at manufacturers as the source of the problem, noting the logs were being generated by manufacturer code. Although the company had further issues with storing information, the focus of attention moved onto the phone makers. Late in 2012, the FTC recommended that a case be brought against HTC, alleging that it had failed to protect consumer security; this case is now being settled by HTC with the consent order. The consent decree is open for comments until 22 March, after which it is likely to become final. HTC will then have to ship updated software to HTC phone owners.
The settlement also notes that while HTC was developing its own code to use the data collected by CarrierIQ, it activated a debug mode in the CarrierIQ code to help it test the software. It then failed to deactivate the debug mode in the code for shipped devices. This was how sensitive information was appearing in the Android system log. HTC’s software was also intercepting that data and using insecure methods to store it and transmit it to HTC for analysis. HTC added a “CIQ interface” to CarrierIQ’s software which used an insecure network port; this meant that any application on the device with network permissions could access the CarrierIQ information and, apparently, perform actions such as sending text messages.
The FTC’s actions open the way for the commission to police mobile device security and privacy. In comments to Kaspersky's Threatpost, Chris Soghoian, senior policy analyst with the American Civil Liberties Union (ACLU), said the settlement was “a shot across the bow of the handset and wireless industry and their practice of selling and abandoning devices after a few months”, and that this lack of security and appropriate security practices was perceived by the FTC as an “unfair act”. HTC may well be only the first to come under such scrutiny; FTC investigations are confidential until the case is resolved.