HTC America Inc. must develop and release software patches to fix vulnerabilities found in millions of smartphones and tablet computers under a settlement announced Friday with the U.S. Federal Trade Commission.
The vulnerabilities placed sensitive information about millions of consumers at risk and potentially permitted malicious applications to send text messages, record audio and install additional malware without a user’s knowledge or consent, according to an FTC news release.
“The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices,” the FTC reported. “HTC America and its network operator partners are also in the process of deploying the security patches required by the settlement to consumers’ devices. Many consumers have already received the required security updates. The FTC encourages consumers to apply the updates as soon as possible.”
Just this week, HTC announced a new phone, the HTC “One.”
Last year, HTC closed a research and development office in Durham, laying off some 50 people.
“The Commission charged that HTC America failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices,” the FTC said. “Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.”
Malware placed on devices could be used to record and transmit information entered into devices, including financial account data and calendar entries, or get access to a user’s location, the commission said.
“We have addressed the identified security vulnerabilities on the majority of devices in the U.S.,” HTC said in an e-mailed statement. “We’re working to roll out the remaining software updates now and recommend customers download them once available.”
HTC America is the U.S. unit of HTC Corp., a Taoyuan, Taiwan-based handset maker that was the top maker of smartphones in the U.S. in the third quarter of 2011 before it lost market share to Apple Inc. and Samsung Electronics Co. It dropped off the list of the world’s five biggest smartphone vendors in the three months ended December.
The settlement requires HTC America to establish a comprehensive security program and undergo independent security assessments every other year for the next 20 years. HTC America and its partners are in the process of deploying the security patches required by the settlement, the FTC said.