FTC moves against mobile device makers over security

The Federal Trade Commission has put mobile device manufacturers on notice that they could be held responsible for securing products to protect consumers against cybercriminals.

The FTC's position is reflected in a recent settlement reached with smartphone and tablet maker HTC. The commission had charged the company with failing to protect customers' personal data and privacy in software it designed and customized for millions of mobile devices.

The original complaint laid out a number of security failings on the part of HTC that left customers at risk. Because FTC complaints often outline the commission's view of industry best practices, the case against HTC is seen as a warning to other mobile device makers.

"Every other company should be looking at this document for what they should be doing," Christopher Soghoian, principal technologist for the American Civil Liberties Union, said on Monday.

In particular, the complaint could be seen as a warning to manufacturers who fail to update the Android operating system in a timely manner, a problem that has worried security experts for years.

The agreement, announced on Friday between HTC and the FTC, stemmed from a commission complaint over two logging applications. The commission found that the manufacturer's implementation of HTC Loggers and Carrier IQ contained flaws that would allow third-party applications to bypass an Android security mechanism that requires user permission before installation.

Loggers, a troubleshooting tool, and Carrier IQ, diagnostics software, are in a total of 22.5 million Android devices from HTC. Carrier IQ is also in 330,000 Windows phones.
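The flaw class the complaint describes, a pre-installed component that performs privileged work for any app that asks, is commonly called permission re-delegation: the third-party app never has to request the permission itself, so the user is never prompted. The following is an added illustration of how such a component should guard itself; it is not code from HTC, Carrier IQ or the FTC filing, and the class name `DiagnosticsProvider`, the authority string and the log data it serves are hypothetical.

```java
// Added illustration, not code from HTC, Carrier IQ or the FTC filing.
// A pre-installed component that hands out sensitive diagnostic data must
// enforce the caller's permission itself; otherwise any third-party app can
// use it as a proxy and skip the consent step the permission model relies on.
// DiagnosticsProvider, AUTHORITY and readDeviceLog() are hypothetical.
package com.example.diagnostics; // hypothetical package

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;

public class DiagnosticsProvider extends ContentProvider {
    public static final String AUTHORITY = "com.example.diagnostics"; // hypothetical

    // The caller must already hold this permission in its own right.
    private static final String REQUIRED = android.Manifest.permission.READ_LOGS;

    @Override
    public boolean onCreate() {
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // query() runs on a Binder thread, so the calling identity is the
        // remote app. enforceCallingPermission throws SecurityException for
        // a caller without READ_LOGS instead of silently serving it.
        getContext().enforceCallingPermission(REQUIRED, "caller lacks " + REQUIRED);

        MatrixCursor cursor = new MatrixCursor(new String[] {"line"});
        for (String line : readDeviceLog()) {
            cursor.addRow(new Object[] {line});
        }
        return cursor;
    }

    // Stand-in for the privileged read the real component would perform.
    private String[] readDeviceLog() {
        return new String[] {"constructed sample log line"};
    }

    // Read-only provider: every write path is rejected.
    @Override
    public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only");
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only");
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection,
                      String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only");
    }

    @Override
    public String getType(Uri uri) {
        return null;
    }
}
```

The same guard can be declared in the manifest with `android:readPermission` on the `<provider>` element, and declaring it there is the safer default because the system enforces it before the component's code runs. A caveat for services started with `startService`: `onStartCommand` is not delivered inside an IPC call, so a permission check placed there does not see the remote caller's identity; for such components the manifest's `android:permission` attribute, or a Binder-thread check inside a bound interface method, is the place to enforce it.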


"Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010," HTC said in an emailed statement. "We're working to roll out the remaining software updates now and recommend customers download them once available."

An FTC spokesman said the agreement went beyond just the two customized apps, requiring HTC to fix all reported vulnerabilities.

"Among other things, the order's comprehensive security program requirement obligates HTC to have a process for addressing security vulnerability reports," FTC spokesman Jay Mayfield said in an email. "As our chief technologist notes in a recent blog post, it is important that companies provide security updates in a timely manner."

In the blog post, FTC chief technologist Steve Bellovin said manufacturers should provide security updates and customers should install them.

"Patching isn't easy, but even in a world of zero-days, it's still important," Bellovin said, referring to attacks in which hackers target flaws that have not been patched by the software developer. "Vendors and consumers need to take it very seriously and understand how it will happen."

The "comprehensive security program" outlined in the HTC settlement would make security part of the device development process. In addition, HTC would be responsible for securing data on the device, whether it's collected by HTC or created and stored by the user.

The complaint charged HTC with a number of poor security practices, such as an inadequate program for assessing the security of products before they are shipped to consumers. In addition, the company was charged with failing to provide engineering staff with adequate training in security and privacy.

Other failings included not testing devices for security flaws and having no process in place for receiving and addressing vulnerabilities found by third-party researchers and academics.

The FTC does not discuss ongoing investigations, so whether it is investigating other mobile device manufacturers is not known. Nevertheless, Android smartphone and tablet makers have been criticized for years for shipping millions of devices with older versions of Android and then failing to distribute updates and security patches quickly.

Meanwhile, the volume of Android malware is growing substantially faster than that of any other Internet-delivered malicious app, according to Cisco's recent 2013 Annual Security Report. At the same time, cybercriminals are building better tools for exploiting vulnerabilities.

In October, the FBI warned that FinFisher, commercial spyware sold to law enforcement and governments, had been modified to steal personal data from Android phones.


Stories by Antone Gonsalves
