FTC moves against mobile device makers over security
While targeting HTC, move seen as warning to all makers who fail to update Android devices in a timely manner
By Antone Gonsalves
February 26, 2013 — CSO — The Federal Trade Commission has put mobile device manufacturers on notice that they could be held responsible for securing products to protect consumers against cybercriminals.
The FTC's position is reflected in a recent settlement reached with smartphone and tablet maker HTC. The commission had charged the company with failing to protect customers' personal data and privacy in software it designed and customized for millions of mobile devices.
The original complaint laid out a number of security failings on the part HTC that left customers at risk. Because FTC complaints often outline the commission's view of industry best practices, the case against HTC is seen as a warning to other mobile device makers.
"Every other company should be looking at this document for what they should be doing," Christopher Soghoian, principal technologist for the American Civil Liberties Union, said on Monday.
In particular, the complaint could be seen as a warning to manufacturers who fail to update the Android operating system in a timely manner, a problem that has worried security experts for years.
The agreement, announced on Friday between HTC and the FTC, stemmed from a commission complaint over two logging applications. The commission found that the manufacturer's implementation of HTC Loggers and Carrier IQ contained flaws that would allow third-party applications to bypass an Android security mechanism that requires user permission before installation.
Loggers, a troubleshooting tool, and Carrier IQ, diagnostics software, are in a total of 22.5 million Android devices from HTC. Carrier IQ is also in 330,000 Windows phones.
[Also see: SMS becoming meaty attraction for spammers]
"Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010," HTC said in an emailed statement. "We're working to rollout the remaining software updates now and recommend customers download them once available."
An FTC spokesman said the agreement went beyond just the two customized apps, requiring HTC to fix all reported vulnerabilities.
"Among other things, the order's comprehensive security program requirement obligates HTC to have a process for addressing security vulnerability reports," FTC spokesman Jay Mayfield said in an email. "As our chief technologist notes in a recent blog post, it is important that companies provide security updates in a timely manner."
In the blog post, FTC chief technologist Steve Bellovin said manufacturers should provide security updates and customers should install them.
"Patching isn't easy, but even in a world of zero-days, it's still important," Bellovin said, referring to attacks in which hackers target flaws that have not been patched by the software developer. "Vendors and consumers need to take it very seriously and understand how it will happen."
The "comprehensive security program" outlined in the HTC settlement would make security part of the device development process. In addition, HTC would be responsible for securing data on the device, whether it's collected by HTC or created and stored by the user.
The complaint charged HTC with a number of poor security practices, such as an inadequate program for assessing the security of products before they are shipped to consumers. In addition, the company was charged with failing to provide engineering staff with adequate training in security and privacy.
Other failings included not testing devices for security flaws and having no process in place for receiving and addressing vulnerabilities found by third-party researchers and academics.
The FTC does not discuss ongoing investigations, so whether it is investigating other mobile device manufacturers is not known. Nevertheless, Android smartphone and tablet makers have been criticized for years for shipping millions of devices with older versions of Android and then failing to distribute updates and security patches quickly.
Meanwhile, the number of Android malware is rising substantially faster than any other Internet-delivered malicious app, according to Cisco's recent 2013 Annual Security Report. At the same time, cybercriminals are building better tools for exploiting vulnerabilities.
In October, the FBI warned that FinFisher, commercial spyware sold to law enforcement and governments, had been modified to steal personal data from Android phones.
Read more about wireless/mobile security in CSOonline's Wireless/Mobile Security section.