ASUS Settles FTC Charges of Privacy Violations Caused by Router Security Flaws | Practical Law

ASUSTeK Computer, Inc. agreed to settle FTC charges that security flaws in its wireless routers exposed customers' personal information on the internet, and that it did not address the flaws in a timely manner.

Practical Law Legal Update w-001-4644 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 24 Feb 2016 | USA (National/Federal)
On February 23, 2016, the FTC announced in a press release that ASUSTeK Computer, Inc. (ASUS) agreed to a consent order settling FTC charges that security flaws in its wireless routers exposed customers' personal information on the internet.
According to the FTC's complaint, ASUS marketed its routers as including strong security features that it claimed would protect computers and local networks from hackers. However, the routers and related cloud software contained several flaws, including:
  • Well-known security vulnerabilities, such as the ability to bypass authentication, weak default passwords, and other critical issues allowing unauthorized individuals to gain access to the devices and users' data.
  • Default settings enabling public access to customers' documents kept on attached storage.
  • Unclear and misleading security setting configuration instructions.
Despite being told about the security vulnerabilities, ASUS did not take quick corrective action, waiting eight months to notify registered customers that firmware updates were available. Hackers exploited those security flaws to access the data storage devices of over 12,900 ASUS customers in February 2014.
The FTC's complaint alleged that ASUS's failure to employ reasonable security practices in the design and maintenance of its router and cloud software subjected consumers to substantial injury that could have been prevented or mitigated by simple, low-cost measures. Specifically, the FTC asserted that ASUS failed to:
  • Address security flaws in a timely manner.
  • Adequately notify customers about:
    • the risks posed by vulnerable routers; and
    • new security updates.
Under the proposed consent order, for the next 20 years ASUS must, among other items:
  • Establish and maintain a comprehensive security program subject to independent audits.
  • Actively notify customers about software updates or other steps they can take to protect themselves from security flaws.
  • Refrain from misleading consumers about the security of the company's products, including whether a product is using up-to-date software.
The ASUS settlement serves as a reminder that security practices remain a high priority for the FTC. Businesses offering internet-connected consumer devices should consider:
  • Routinely performing security architecture and design reviews, vulnerability testing, and code reviews.
  • Establishing default settings that provide consumers with security and privacy.
  • Establishing processes for receiving and addressing security vulnerability reports.
  • Providing clear and adequate notice to consumers of known vulnerabilities and the corrective steps they must take.
For more information on FTC data security standards, see Practice Note, FTC Data Security Standards and Enforcement. Additional FTC guidance on the security of connected devices may be found at FTC: Careful Connections: Building Security in the Internet of Things.