HTC settles with FTC over leaving Carrier IQ and other logging tools open to hackers

HTC has agreed to a settlement with the Federal Trade Commission over security problems that left its phones open to hijacking or stolen personal data. Like many other devices, HTC phones and tablets come with software that tracks device logs or user location — in its case, both an Android tool called HTC Logger and the controversial Carrier IQ. But the FTC says that the company failed to implement strong security. "Because HTC used an insecure communications mechanism, any third-party application on the user’s device that could connect to the internet could exploit this vulnerability" to take device logs from either HTC Logger or a custom overlay for Carrier IQ.

On Android, the FTC says hackers could both find personal information about the user's phone and perform actions like sending text messages. A similar problem with custom app installation software meant it was possible to "command this pre-installed application to download and install any additional applications from any server onto the device without the user’s knowledge or consent." Major HTC Logger security issues were uncovered in late 2011 by Android Police, which found that apps could surreptitiously request everything from email addresses to GPS location with simple commands. This settlement addresses many of these claims, as well as similar issues with Carrier IQ.

HTC previously said that no customers had been affected by the logging problem, and it promised (and issued) a 2011 patch that would fix the issue. Now, the FTC is requiring the company to patch any remaining vulnerabilities and to develop a security program that will prevent future ones, as well as undergo assessments every other year for the next 20 years and refrain from publishing any misleading information about its security. HTC won't pay fines or see other major punitive measures, but the settlement gives the FTC harsher enforcement options if future breaches occur.
