HTC settles FTC charges over device security

Summary: HTC America has agreed to send out a fix for potential security vulnerabilities in its handsets as part of an agreement with the FTC.

HTC America has agreed to settle Federal Trade Commission (FTC) charges that the company failed to take "reasonable steps" to secure software it developed for its smartphones and tablets, introducing security flaws that placed sensitive information about millions of consumers at risk.

HTC America has promised to patch handsets that were left vulnerable to security risks as part of its settlement (PDF) with the FTC.

It also agreed to develop an ongoing security program designed to address security risks during the development of its handsets, and to undergo independent security assessments every two years for the next two decades.

"The Commission charged that HTC America failed to employ reasonable and appropriate security practices in the design and customisation of the software on its mobile devices," the FTC said in a statement.

The FTC said the patches are already being rolled out by HTC and operators in the US.

The FTC complaint alleged that HTC America had "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties."

The FTC also detailed specific handset issues including "the insecure implementation of two logging applications - Carrier IQ and HTC Loggers - as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model," the watchdog added.

In reaching the settlement, HTC America neither confirmed nor denied any of the allegations put forward by the FTC.

"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data. Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the US released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available," HTC said in a statement.

HTC devices that shipped running Android 4.0/Sense 4 software (or later) already include the security fix.
