FTC Charges Computer Hardware Maker Over Flaws in Insecure Home Routers and Cloud Services, Putting Consumers at Risk
The Federal Trade Commission's consent order issued to Taiwanese corporation ASUSTeK Computer, Inc. (ASUS) is the Commission's latest step toward ensuring that companies secure the software and devices they provide to consumers. The FTC claims that critical security flaws and vulnerabilities in the routers manufactured by ASUS put the privacy of thousands of consumers' home networks at risk. Vulnerabilities in the company's cloud services also led to the exposure of consumers' sensitive personal information through web-connected consumer storage devices. ASUS agreed to settle the FTC's charges, and the consent order will require the computer hardware maker to maintain a comprehensive security program designed to address security risks and protect the privacy, security, confidentiality, and integrity of its consumers' information. ASUS will also be subject to independent audits over the next 20 years.
The ASUS consent order comes amid the growing age of the Internet of Things. The FTC's charges against ASUS (and its emphasis on certain actions and inactions of the company) add another layer to what companies in the IoT space must consider in order to comply with Section 5(a) of the Federal Trade Commission Act.
The following considerations were significant to the Commission's charges that the company's routers and cloud services put consumer privacy at risk:
- ASUS did not take reasonable steps to secure the software on its routers and cloud features.
ASUS is a computer hardware maker that, among other things, sells routers and related software and services for consumer use. While routers typically act as the first line of defense in protecting consumer devices on the local network (for example, computers, smartphones, and other connected appliances) against malicious internet traffic, the web and mobile applications on ASUS' routers included multiple vulnerabilities that allowed attackers to gain unauthorized access to consumers' files and login credentials. To exploit these vulnerabilities, attackers only needed to know the consumer's IP address.
- ASUS failed to notify consumers about the vulnerabilities or advise consumers to take simple steps to protect themselves.
ASUS advertised that its routers could "protect computers from any unauthorized access, hacking and virus attacks" and instructed users to enable the router's firewall to protect their local networks against hackers. Users configured the router settings through an admin console, which required a username and password. ASUS preset the default username to "admin" and the password to "admin" on all of its routers and allowed consumers to retain these same credentials. The admin console also provided a tool that allowed consumers to check whether the router was using the latest available firmware. Many ASUS routers included software features like AiCloud and AiDisk, which allowed consumers to wirelessly access and share files through a USB storage device attached to the router. The company promoted AiDisk as a way to "safely secure and access your treasured data through your router", but the file transfer protocol supporting AiDisk did not encrypt data in transit, and its default privacy settings gave anyone on the internet public access to consumers' storage devices. The company's default privacy settings did not explain this to consumers. Attackers could also exploit a vulnerability in the AiCloud service to bypass the log-in page and gain complete access to a consumer's connected storage device.
- ASUS had notice of certain design flaws in its routers but did not mitigate them by addressing the flaws in a timely manner.
The FTC complaint indicates that several individuals notified the company about its AiDisk cloud vulnerabilities. ASUS subsequently released updated firmware (which changed certain default settings and displayed warning messages to consumers when certain protections were not selected), but the company did not notify consumers that the firmware update was available. It was not until eight months after that initial notification that ASUS emailed its customers to notify them of firmware updates addressing these and other security risks raised by consumers.
While the above considerations were specifically highlighted by the FTC, the complaint provides additional details of the security features of the company's routers and cloud services that led to the issuance of the consent order.
On the heels of the ASUS consent order, here are a few lessons from the Commission to companies operating in this same IoT space:
- Proactively design security (testing, risk assessment and design reviews) at the outset.
- Consider how consumer default settings implicate consumer and software security.
- Pay attention to security warnings and notice of potential breaches of security.
- Put in place protocols to notify consumers of updates to security.
- Consider the ASUS case and how weak security practices measure up against consumer expectations of security.
These lessons are not exhaustive, and the important takeaway is to be proactive in ensuring the adequacy of your security protocols. Companies, particularly those embedded in the growing web of connected devices, should be thinking about the ASUS case and giving careful consideration to the suggestions from the FTC.
For Further Information
If you require further information regarding this matter, please contact David Katz, any member of our Privacy and Data Security Practice Group, or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice.
Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).