The American arm of Windows and Android device maker HTC has settled charges with the US Federal Trade Commission (FTC) that it failed to secure its device software, which left potentially millions of customers vulnerable to information theft.
The FTC alleged that HTC "failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties," according to a news release.
The FTC contended that HTC's devices contained a number of vulnerabilities that could have allowed attackers to send text messages, record audio or install data-stealing malware, affecting millions of users.
One well-publicised incident occurred in October 2011, when HTC confirmed that its Android phones contained a major vulnerability that could be exploited by a third party to steal personal information from users.
Another, last February, involved a software bug in some HTC mobile devices that could enable miscreants to steal a user's Wi-Fi credentials and network name.
The agency also called out the "insecure implementation" of two pieces of diagnostic and monitoring software – Carrier IQ and HTC Loggers – deemed threats by some security researchers because end users were not made aware of the applications' behaviour and were not given the opportunity to opt out.
In addition, HTC America was accused by the FTC of creating user manuals that contained deceptive wording.
The settlement with HTC America requires the company to distribute fixes for any outstanding vulnerabilities, as well as to establish a "comprehensive security program" and submit to security audits every other year for 20 years.
Further, HTC America is barred from "making any false or misleading statements about the security and privacy of consumers' data on HTC devices."
An HTC America spokesperson did not immediately reply to a request for comment.