由於htc擅自移除了Android及Windows Mobile裡的個資保護機制,以致於手機
使用者的電話號碼、簡訊內容、瀏覽紀錄、所在位置、信用卡及銀行交易等等
極度敏感的資料,都處於能輕易被駭客取得的狀態;更不可思議的,是連自己
與他人的通話內容,都因為htc故意將安全機制移除之緣故,而可以被竊錄!
FTC消費者保護局的資深律師Lesley Fair表示「這家公司在設計產品時,根本
不把資安放在眼裡;它不測試自己手機軟體上潛在的安全弱點、不遵循在撰寫
程式時為業界通用的安全規範、而當對其漏洞提出警告時還根本不予理會…」
(“The company didn’t design its products with security in mind,”
Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer
Protection, wrote in a blog post. “HTC didn’t test the software on
its mobile devices for potential security vulnerabilities, didn’t
follow commonly accepted secure coding practices and didn’t even
respond when warned about the flaws in its devices.”)
[New York Times, By EDWARD WYATT, February 22, 2013]
【另可參考FTC官方文件 /PCMagazine 之報導】
WASHINGTON — More than 18 million smartphones and other mobile devices
made by HTC, a Taiwanese company that is one of the largest sellers of
smartphones in the United States, had security flaws that could allow
location tracking of users against their will and the theft of personal
information stored on their phones, federal officials said Friday.
The flaws affected HTC’s Windows-based phones. The Federal Trade
Commission charged HTC with customizing the software on its Android-
and Windows-based phones in ways that let third-party applications
install software that could steal personal information, surreptitiously
send text messages or enable the device’s microphone to record
the user’s phone calls.
The action is the first attempt by the commission to police a
manufacturer of mobile devices. As smartphones and tablets become a
common way for consumers to shop, bank and chat online, personal
information and privacy will need to be guarded.
HTC America, based in Bellevue, Wash., agreed to settle the civil
suit with the commission by issuing software patches that close the
security holes, and by creating a security program that will be
monitored by an independent party for the next 20 years. The F.T.C.
does not have the authority to assess fines in consumer protection cases.
“The company didn’t design its products with security in mind,”
Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer
Protection, wrote in a blog post. “HTC didn’t test the software on
its mobile devices for potential security vulnerabilities, didn’t
follow commonly accepted secure coding practices and didn’t even
respond when warned about the flaws in its devices.”
An HTC official said Friday that the company had already started to
update its software and distribute it to users of some, but not all,
of the affected phones.
“Working with our carrier partners, we have addressed the identified
security vulnerabilities on the majority of devices in the U.S.
released after December 2010,” Sally Julien, an HTC spokeswoman, said
in a statement. “We’re working to roll out the remaining software
updates now and recommend customers download them once available.”
“Privacy and security are important,” the statement added, “and we
are committed to improving practices that help safeguard our customers’
devices and data.”
The trade commission charged that the security flaws resulted from
HTC’s modifying the operating system software used on most of the
affected phones. In the case of Android, created by Google, the system
is designed to protect sensitive information and phone functions through
what is known as a permission-based security model.
That requires a user, when installing an application that is not a
standard part of the operating system, to be notified and to agree
that the application could gain access to certain information or
functions.
HTC, however, preinstalled certain apps on its phones in a way that,
in addition to preventing consumers from removing them, disabled the
permission-based model and allowed newly installed apps to have
immediate access to personal data.
“The analogy isn’t exact,” wrote Ms. Fair of the F.T.C., “but it’
s like giving a friend the combination to a safe only to find out he’
s handing it over to anyone who asks.”
That security hole could, for example, let the rogue software secretly
record users’ phone conversations or track their location.
Flaws in the security system could also give third-party apps access to
phone numbers, contents of text messages, browsing history and information
like credit card numbers and banking transactions. Those flaws also
affected HTC phones that used Windows-based operating systems.
While HTC’s actions introduced numerous security vulnerabilities to
its phones, a commission official said it was not clear how many
users experienced illegal incursions into their phones and personal
information.
The flaw in the company’s phones has been known since at least 2011.
HTC acknowledged the problems at that time and developed software
patches for at least some of the deficiencies that year.
But the problems were far from minor. The F.T.C. said that text-message
toll fraud, in which a hacker causes a phone to send text messages to
a number that charges the user for delivery of the message, “is one
of the most common types of Android malware,” or malicious software.
HTC’s user manuals either said or implied that a user was protected
against malware because of the permission-based security, the commission
said.
The commission will collect public comments on the proposed remedies for
30 days, after which it will decide whether to formally carry out the
order. If HTC subsequently violates the order’s restrictions and
requirements, it faces civil penalties of up to $16,000 a violation.
-----------------------------------
