On February 23, 2016, the Federal Trade Commission (FTC) announced a settlement with computer hardware maker ASUSTeK Computer, Inc. (ASUS). The ASUS settlement highlights the FTC’s position regarding security in the connected device market: connected device manufacturers are responsible for security shortcomings in their devices and are expected to promptly update or patch any identified vulnerability that may compromise the security of the device or the information it processes.
In the ASUS matter, the FTC alleges that certain ASUS routers were sold with a combination of well-known and unique security flaws and that ASUS’s default settings put consumers’ home networks, connected devices, and data at risk. The FTC further alleges that ASUS misrepresented its security features and failed to take appropriate measures to remediate security vulnerabilities once they were known to ASUS. The settlement prohibits ASUS from misrepresenting the security of its routers and associated software. It also requires the company to implement a comprehensive security program designed to address security risks associated with routers and router software and to provide notice to customers about software updates that mitigate security vulnerabilities.
Background
Routers are commonplace devices that permit many devices to use a single Internet connection and manage Internet and other data traffic for the devices connected to them. Software contained on routers typically also provides data security functions, such as firewalls, that serve as a foundation for most networks’ security. ASUS makes and sells routers intended for home networks, where consumers use the routers to connect their modems with devices over wired or WiFi networks. ASUS provided what it labeled “private cloud” functionality on certain routers, which permits the devices connected to the router to use a connected external hard drive for file storage and sharing. ASUS allegedly marketed this “private cloud” functionality as a feature that increased consumers’ privacy and security, including representations that ASUS routers included security features that could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” The FTC alleges that, instead, the private cloud functionality contained “serious” security flaws.
The FTC complaint alleges that several vulnerabilities built into ASUS routers enabled hackers to gain unauthorized access to files and router login credentials on ASUS devices. According to the complaint:
The complaint includes examples of these alleged vulnerabilities:
Finally, the FTC alleged that these are not theoretical concerns and that in February 2014, hackers used readily available tools to identify vulnerable ASUS routers and exploited security flaws to gain unauthorized access to more than 12,900 consumers’ connected storage devices.
In addition to misrepresenting the security of its routers, the FTC alleged that ASUS learned about these vulnerabilities from security researchers, but did not notify its customers about steps they could take to mitigate these security risks. According to the FTC, ASUS delayed the development of a software patch to remediate the vulnerabilities and did not notify customers about the software patch designed to address the vulnerabilities until months after it was available, while also providing consumers with incorrect information about whether their router firmware was up-to-date when they used the routers’ software update tool.
FTC Settlement Terms
Under the terms of the settlement, which lasts for twenty years, ASUS agreed not to misrepresent the security of the routers it sells, the security of the information passing through the routers, or the extent to which router software is up-to-date. The settlement also requires ASUS to notify customers, by several means, whenever ASUS makes available a software update intended to mitigate a security vulnerability:
As is typical for FTC data security enforcement actions, ASUS also agreed to implement a comprehensive security program that is reasonably designed to address security risks to routers made by the company and to protect the privacy and security of information passing through the routers. The program “must contain administrative, technical, and physical safeguards” appropriate to ASUS’s size and complexity, the nature and scope of ASUS’s activities, and the sensitivity of the router’s function or the information passing through the router. ASUS must also obtain biennial third-party assessments of the security program for the next twenty years.
Implications
The ASUS settlement further illustrates the FTC’s position with respect to security and connected device manufacturers: these companies are responsible for security shortcomings in their devices and are expected to promptly update or patch any identified vulnerability that may compromise the security of the device or the information it processes. To reduce risk exposure, manufacturers of connected devices should ensure that the devices they bring to market are free of well-known or reasonably foreseeable security vulnerabilities and that security considerations have been built into product design processes. Manufacturers should also ensure that they have procedures for updating devices for identified security vulnerabilities over the lifetime of the devices.
Companies should consider implementing formal processes and procedures for responding to third-party privacy and security vulnerability reports (whether from customers or researchers) about the devices they sell so they can quickly respond. In its complaint against ASUS, the FTC focused, in particular, on ASUS’s alleged slow response to reports from researchers about identified security vulnerabilities. The FTC claimed that ASUS waited several months to implement patches and failed to appropriately notify customers about the need for and availability of these patches. In contrast, the FTC closed its case against Verizon (regarding routers Verizon provided to customers that used an outdated encryption standard by default) without a settlement, due in part to Verizon’s timely response to remediate vulnerabilities once the company learned of them.
The case also highlights that the FTC expects companies to interact more directly with customers when security vulnerability patches are available for devices or software. This may be difficult in circumstances where connected devices do not have screens or where users have not registered the devices. When building devices, companies may consider how they intend to effectively push out software updates so that the security of devices does not erode over the life of the device, while also maintaining transparency regarding the patching process.
Wilson Sonsini routinely helps companies navigate privacy and data security issues. For more information, please contact Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.