Sprint either ignorant or knowingly denying large security vulnerability with several of its phones.

Journeyman

The following is an email I just sent to [...]

Hello Dan.  And by hello Dan I mean hello to the customer support team at "The Office of Dan @ Sprint.com"

I appreciate the previous email to your office being handled diligently and professionally.  Unfortunately, no one at customer or technical support was diligent or professional yesterday when I called about a massive security problem your HTC phones are currently plagued with, including my HTC EVO 4G.

I'm not sure if Sprint Tech Support (or Customer Service... or anyone at Sprint) keeps up on major news involving phones that Sprint sells its customers, but 7 people that I spoke with yesterday had no idea of this recently uncovered major security flaw with several HTC phones.  I spoke with 3 customer services representatives, 1 customer service supervisor, 1 technical support (low tier), 1 technical support (advanced) and 1 manager of some sort in the cancellation department named Brandon.

A quick search on Google reveals hundreds of articles from news sources on the subject.  This is news that broke last week and has been covered by BBC, The Wall Street Journal, CNN, FoxNews, CBS, ABC, MSNBC, The New York Times, PC Magazine, TechCrunch, Engadget, Gizmodo, and hundreds of other sources.  I suppose it is likely that whoever is reading this may not be able to communicate with the outside world when in their cubicles at Sprint (all of the people I spoke with at Sprint yesterday told me they could not access the internet and could not even get to Google) so I will include the pertinent information.

Immediately below you find a portion of the initial October 2nd article from Android Police titled Massive Security Vulnerability in HTC Android Devices (EVO 3D, 4g, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails, Addresses, Much More:

_______________________________________________________

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

_______________________________________________________

This information was confirmed by HTC themselves on Wednesday, October 5th as HTC released this statement:

"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.


HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."


_______________________________________________________

Again, this fiasco was covered all of last week on every major news site and technology blog in the world.  Yesterday during my call to Sprint not a single person had any idea of this, and were arrogant enough to flat out tell me I was wrong and that I had nothing to be concerned about.  I was told by several of your employees that "We would know if there was a massive security vulnerability like this".  And that I was concerned over nothing because "anyone online can be hacked anyway".  I didn't have a reason to have called since "I could not prove my data was stolen or misused."  I was also repeatedly told that I should be contacting HTC about this problem, since it was supposedly a defect with their phones.  This simply does not work because:

1) The phone itself is not defective.  There is a security vulnerability in the software that both HTC and Sprint worked on jointly, and pushed to my phone over Sprint's network.

2) HTC does not manufacture an Android phone compatible with Sprint which is not affected by this issue.  They all are: HTC EVO 4G, HTC EVO 3D, HTC EVO Shift 4G

Regardless, I had already called HTC who confirmed this massive problem with me and instructed me to call Sprint to see about getting another brand of Android phone for the time being, which is how Verizon is handling this.

I was repeatedly transferred and had to explain the situation to every person I spoke with, and this of course was incredibly irritating, especially considering that no one I spoke with was technically savvy enough to understand what I was explaining to them.  Rather than trying to verify the information I was giving them, I was demeaned and insulted.  Perhaps they did know of this issue and were simply denying it?

Eventually I just wanted to cancel my Sprint service and go to Verizon, who by the way are acknowledging this issue and assisting its customers to resolve the problem immediately (see further below).  I was told that I could not be released from my contract and would be subject to your recently increased early termination fees.  This would be the part where if I had time and money to burn I would have gone straight to a Verizon store, signed up on the spot for their service, and then disputed the Sprint early termination fee in court if necessary.  After reading through the 400 pages of verbiage on your site relating to the early termination fee and cancellation of Sprint service, I'm fairly certain that your equipment having these massive security flaws, and your unwillingness to acknowledge the problem (let alone fix it) does indicate a breach of contract and I would be well within my right to lawfully leave your service without payment of a cancellation fee.

In closing, the issue needs to be resolved immediately and here are the points that need to be specifically addressed:

1) Sprint needs to publicly acknowledge this issue immediately.

2) Sprint needs to inform its affected customers of this issue immediately.

3) Sprint needs to immediately advise its customers of the date of the upcoming fix.

4) If the date of the upcoming fix is uncertain or not within a nearly immediate time frame, Sprint needs to provide its customers with comparable phones which are not affected by this problem.

Consequently, my closest friend who had an HTC Thunderbolt on Verizon, called in to Verizon support and had as pleasant an experience as could be had given the circumstances.  This occurred last Thursday, October 6th.  The first technical support employee he spoke with did not know of the issue, but brought an advanced technical support representative into the call who took a couple minutes to both read the news, and confirm the problem existed, then he read what he called a "memo from HTC" about it.  He then said "OK let's fix this.  Here are the Android phones we have which are not affected by this.  Which one do you want?"  My friend received a refurbished HTC Incredible II the next day.

As it stands right now I am utterly disgusted with the ignorance and arrogance of Sprint customer service regarding this issue.  If this issue is not addressed immediately, I fully plan on switching to Verizon and taking the 3 numbers on my account with me as soon as I can either afford your bogus early termination fees or my contracts have fully lapsed.

Message was edited by: mapesy

36 REPLIES
Wizard

This is what is being said and done by HTC:

HTC states that it wants all customers to be "aware of this potential vulnerability," though it doesn’t know of any customers who have been affected by it as of yet. A patch will be released soon following a "short testing period" by carrier partners, though HTC gives no specific time frame or details on the fix. When ready, the patch will be pushed over-the-air to customers. In the meantime, if you are concerned about your phone’s well being, rooting it and deleting HTCLoggers can solve the problem.

That's about all that's on the burner right now. Stay tuned...

Journeyman

I find it curious that The Office of Dan at Sprint has not gotten back to me on this issue.  I had another instance where I sent dan@sprint an email and they called me within an hour.  That time frame seems to be the norm based on other people's mails to them.

So what's going on Sprint?  Check which box applies concerning the large security vulnerability with the HTC Evo 4G, HTC Evo 3D, and HTC Evo Shift 4G:

[] We do not acknowledge any security issues with any of our devices

[] We do not communicate with HTC so we do not know of any timeframe for a fix

[] We do not care about this issue

Journeyman

I had already read the response from HTC before SA_darklighter434 posted.  It is quoted in my OP.  While nice to know they are working on fixing this issue, there has been no mention of any time frame by either HTC or Sprint, and I do not agree with that.  I'm not looking for Sprint to rush a fix to a problem like this, because they will invite more problems.  Hopefully HTC is already in super rush mode as it is.  Here are my concerns, and correct me if you do not find them to be valid:

1) If the fix is due out in a couple of days, I would consider that and decide to just cross my fingers so to speak, and wait for it.  All is moot.

2) If the fix has no ETA, Sprint has significantly more clout to get one than I do.  I've already called HTC myself.  And I think knowing when a fix is coming for this magnitude of a security gap is necessary.

3) If the fix has no ETA, I would think strongly about one of the following options:

-a) Spending the money myself to get an Android phone that was unaffected.  This irritates me because I will be spending $$ (potentially a lot of money considering the months left before my contract has lapsed) to fix a problem I did not create or know about (didn't exist) when I purchased my Evo.

-b) Rooting my phone.  This irritates me because support goes out the window at that point.  With my luck I would brick it.  There is a bonus though: No more shit NASCAR, Blockbuster, or other disgusting Sprint sponsored bloat. 

4) The cat is out of the bag on this issue.  It was big news all over the world.  Now that any dolts know how and what to target, the danger has increased exponentially.  Am I simply to uninstall any apps on my phone that aren't created by design firms that are "trusted"?  I mean, I've got an Eve-Online related app called Aura that I love, but it was created by a single person who I do not know.  It has access to the internet alone in its permissions.  As the Android Police stated correctly, it's like leaving a key under the mat and expecting no one who finds it to open the door.  There are hundreds of great apps out there that are not created by people you would trust with the oodles of personal information now readily available.

Also, I did not purchase my phone from HTC.  I purchased it from Sprint.  Aside from sending out the fix instantly, HTC couldn't fix this problem for me right this second if they wanted to.  They cannot give out other Android phones for Sprint customers because every single one of their Sprint Android phones are affected.

Wizard

I understand your concerns and share them too.  However, I think you should contact HTC and ask them about getting on the ball and fixing things.  And you are incorrect when you say, "HTC couldn't fix this problem for me right this second if they wanted to.  They cannot give out other Android phones for Sprint customers because every single one of their Sprint Android phones are affected."  I only say this because HTC is the only company that can fix the issue and is the only company that can replace your HTC branded phone due to a manufacturing issue.  Sprint is not going to exchange your phone because of this issue without first asking HTC, since they would be covering the costs.

Let me state it differently.  If you go to Walmart and buy a Sony TV set and a month later there is a security issue with the software, Walmart is not going to help you.  They will refer you to Sony.  Well, the same is true here.  Sprint is merely a middleman, a storefront.  They do not make the phone, they merely sell it.  Another example is if you buy a Bethesda Xbox game and halfway through it, it is giving you problems.  Well, the folks at Microsoft will give you the number to Bethesda and tell you to speak with them.  While the game may be for use on their system, they cannot help you with the product someone else created... even if you purchased it on their website.

Once again, I understand your concerns; however, I also believe you would get more traction at HTC as opposed to Sprint.

Journeyman

Called HTC again.  First support could only read the press release from last Wednesday.  Could not tell me of any fix timeframe and obviously couldn't offer me another Android device for Sprint.  Transferred me to corporate (425-679-5318) which has been busy for the past hour every time I have called.  For some reason I have a feeling that Sprint calls a different number to speak with HTC about urgent issues such as this.

By the way, when I say I called HTC again, I mean (from OP): "Regardless, I had already called HTC who confirmed this massive problem with me and instructed me to call Sprint to see about getting another brand of Android phone for the time being, which is how Verizon is handling this."

And I disagree with your analogy.  Although not Wal-Mart, about 4 years ago I bought a Samsung Blu-Ray player from Best Buy.  Several weeks after buying it, a firmware update effectively bricked it.  I didn't even call Samsung, I just took it back to Best Buy and exchanged it for a comparable Blu Ray player and paid about $15 for the difference.  Best Buy didn't have anything to do with the firmware. 

Sprint on the other hand does have something to do with this.  In case you didn't notice, they have a good hand in modifying the software that goes on any of their Android phones.  That's why stuff I don't use like Kindle, Amazon MP3, NASCAR, Blockbuster, Sprint Football Live, Sprint TV, and Sprint Zone are all on my phone.  That's why any device with the ability to tether uses a feature called "Sprint Hotspot", if unrooted.  That's why we don't get Android updates the second HTC is done SenseUI'ing them.  They go to Sprint, so Sprint can stick their crap on top, make it so you can't uninstall it, then push it out.

Also, please don't tell me that there is not wordage in Sprint/HTC's billion dollar contract that allows for Sprint to be reimbursed or credited in any way if the devices they are sold by HTC turn out to contain a serious flaw.  That's pretty standard stuff in manufacturer/vendor contracts.  And this is not your average manufacturer/vendor relationship.  HTC engineered phones specifically for Sprint, including hardware specifically catered for Sprint, and their network, and their requirements.

Sprint can fix this issue.  They can do the same thing Verizon is doing.  Or perhaps Verizon has the contract described above and Sprint had 1st year business students write theirs, leaving out issues of reimbursement for defective hardware and software. Quoting again:

4) If the date of the upcoming fix is uncertain or not within a nearly immediate time frame, Sprint needs to provide its customers with comparable phones which are not affected by this problem.

update: Before hitting add reply, I tried calling the number again for HTC Corporate.  A generic recording with many different numbers suggested for different issues.  One interesting portion of the recording stated "For technical support issues for devices sold through our US carriers please call those carriers directly."  I left a message on the number, and I also called the number listed for Jennifer Stern in PR.  I reached a voicemail for someone named Heather and left a message for her as well.  I doubt I will be hearing anything back from them.  They didn't get any money from me when I purchased the Evo.  They got money from Sprint months earlier when Sprint bought hundreds of thousands of them.  This bs of "call HTC" from Sprint and then "call Sprint" is stupid and everyone should know that.  I expect the company I pay good money to (and who also approved the update containing the security vulnerability) to fix this issue.

As a sidenote, when my Pontiac G8 GT was having a problem with its tire pressure sensors, I did not call the manufacturer in Australia (Holden).  I did not call the company that manufactured the tire pressure sensors.  I took it back to the dealer who sold it to me, where people whose paychecks do not come from General Motors, or Holden, fixed the issue.

Wizard

I am sorry you feel like you are getting the run around, but there is a difference between a company that sells a product versus the company that makes the product.  I am not certain of the circumstances at Best Buy, but if you are outside of their return period and didn't purchase their protection, they would send you to Samsung.  Otherwise, they would just allow you to make an exchange.  Most retailers do take care of you within a return period because they have side agreements with the manufacturer for such issues (preauthorizations).  The same goes for Sprint, if your problems occur during the first 14 days.  After that, unless you get their insurance, they send you to HTC.  And while your Pontiac has air pressure sensors from another country, that is a different situation.  GM is an end producer for a new car, which means they are legally responsible for all issues on the car as a whole (except add-ons).  If it was serviced with the part, then that too is GM, because they used their expertise to determine the part for your specific needs and installed it.

While true HTC made the phone for Sprint's network, Sprint has little control on the software of the phone once it comes out.  Sprint will give you the same info it got from HTC about the issue....  that the manufacturer is working on it...until they have a resolution, do not accept apps from sources you do not feel are safe.

Journeyman

I've spent about 2 hours on the phone with them regarding this issue.  Everyone I spoke to had no clue what I was talking about.  They even transferred me to HTC tech and they had no idea either.  I got transferred to a "tech manager" Carlos. I explained my story for the 5th or 6th time (because none of the customer service agents at Sprint make ANY notes).  After explaining the story, silence....I said "hello" and got a hello back in response with a nasty attitude.  I asked him if he is familiar with the issue, and if not to google it.  He claimed he did google it and proceeds to tell me there is nothing wrong with the phone.  Asks me if I can make calls and get on the internet.  After I say yes, he claims there is nothing wrong with the phone when he just read 2 mins ago that there is something very wrong. What a joke!  This guy was the most ignorant and rude person I have ever talked to at Sprint.  And he calls himself a manager??? You gotta be kidding me.  No customer service skills at all.

Sprint CS used to be good, not anymore.  Seems like they are betting a bit too much on the iPhone bringing business, as I was told by account services: "We will take over all of Verizon's and ATT's iPhone customers because of unlimited data"  LOL

Journeyman

Dave, as you can see from the Bronze Expert Sprint Community forum poster, this is not a Sprint issue. No wonder Sprint treated us like titmouse dung when we wanted feedback on a problem concerning a device they sold us, which runs on their network, and receives their approved and modified updates which contained the problem.  We should have known that even though HTC directs you to call your US carrier for technical support issues with your phone, that they are incorrect, and we should actually be calling HTC.

Wizard

I wish I could tell you something different.  However, as a person that has worked retail before, I can tell you this is par for the course.  Sprint is in the same boat as you...asking HTC to hurry and fix a security hole.  Calling Sprint isn't going to move things faster. 

And, this is no different than buying a Dell computer with Windows or Linux.  If the problem is with your OS, Dell will kindly give you the number to Microsoft, or Fedora, or Ubuntu, etc.  They ask those companies (especially Microsoft b/c they paid them) to hurry up...but, really, there isn't much more they are going to do.

frst wrote:

Dave, as you can see from the Bronze Expert Sprint Community forum poster, this is not a Sprint issue. No wonder Sprint treated us like titmouse dung when we wanted feedback on a problem concerning a device they sold us, which runs on their network, and receives their approved and modified updates which contained the problem.  We should have known that even though HTC directs you to call your US carrier for technical support issues with your phone, that they are incorrect, and we should actually be calling HTC.

Journeyman

My wife has a Dell laptop.  At one point the HD, touchpad and screen failed.  I called Dell for repair.  They didn't send me around to their component manufacturers to get them replaced.  A Dell tech came out and fixed the laptop.

I don't see why Sprint is being so stubborn.  I bought the phone from Sprint, I pay Sprint upwards of $140/mth and they will not do anything, they won't even acknowledge there is an issue with the phone.  Verizon is swapping out phones to a non-HTC phone because of this.  Sprint won't do anything.
