HTC settles FTC charges over security flaws on phones, tablets

By Brendan Sasso - 02/22/13 01:45 PM ET

Mobile device maker HTC settled with the Federal Trade Commission on Friday over charges that it failed to provide adequate security for its smartphones and tablet computers, putting the sensitive information of millions of customers at risk.

The FTC said HTC, which makes devices that run Android and Windows software, failed to employ "reasonable and appropriate security practices." The commission said HTC did not provide its engineering staff with proper security training, failed to test its devices for security flaws and failed to follow secure coding practices.

As a result, millions of HTC devices were vulnerable to viruses that could send text messages, record audio or download additional viruses without the user's knowledge, according to the FTC.

The settlement requires HTC to patch the vulnerabilities, adopt a comprehensive security program and submit to independent security audits every other year for the next twenty years.

"Privacy and security are important, and we are committed to improving practices that help safeguard our customers' devices and data," HTC said in a statement.

"Working with our carrier partners, we have addressed the identified security vulnerabilities on the majority of devices in the U.S. released after December 2010. We're working to roll out the remaining software updates now and recommend customers download them once available," the company said.

The FTC's complaint explains that HTC installed Carrier IQ, a software that logs information about the customer's activity, on millions of Android-based phones. HTC installed the software at the request of network operators Sprint and AT&T, who use the information to analyze network and device problems.

The existence of Carrier IQ caused an uproar in 2011 when a developer discovered that it was tracking information such as the users' calls, text messages, Internet browsing history and even physical location.

Many device makers use Carrier IQ, but according to the FTC, because of HTC's security flaws, the company enabled third-party applications to intercept the sensitive information.

The commission's settlement was with HTC America, a subsidiary of HTC Corp., which is based in Taiwan.

Also on Friday, the FTC announced that it will hold a one-day forum on June 4 to discuss malware, viruses and other threats to mobile devices.