Device manufacturers that promise to secure these home networks, but fail to do so, may face increased scrutiny from the FTC following the agency’s latest enforcement action against a manufacturer of network routers and “cloud” based services that allegedly failed to establish and implement reasonable security practices necessary to protect consumers’ privacy.
Enforcement Action Reflects Agency’s Further Steps to Police Security and Privacy Practices for Firms Operating in the Internet of Things Marketplace
In the latest FTC enforcement action involving the emerging Internet of Things (“IoT”) marketplace, the FTC released a consent decree against ASUSTeK Computer, Inc. (“ASUS”), a manufacturer of network routers and “cloud” based services. In its original complaint the FTC alleged that ASUS failed to take the necessary steps to ensure the software on these devices was secure, even after receiving repeated notices of potential security holes. To remedy these issues the FTC entered into a consent decree with ASUS that requires the company to undertake numerous remedial steps to address the security issues and to maintain a comprehensive security program subject to independent audits for the next twenty years.
A statement from the agency’s Director of the Bureau of Consumer Protection, Jessica Rich, reaffirms the agency’s intent to continue to police the IoT marketplace:
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
This is not the first time the FTC has pursued IoT companies for alleged security failures. As we have previously explained, the FTC recently concluded that IoT companies must incorporate multi-layered privacy and security into the design of connected devices. Entities that have failed to do so may be subject to greater scrutiny by the FTC.
Network Router Manufacturer Allegedly Failed to Fix Security Holes or Notify Customers in a Timely Fashion
According to the FTC’s complaint, ASUS failed to take reasonable steps to secure its devices and, as a result, put consumers and their personal information at risk. For example, although the company marketed its routers as equipped with numerous security features that could protect consumers from unauthorized access, firmware on these devices allowed hackers to: 1) bypass authentication screens and gain unauthorized access, and 2) exploit password disclosure vulnerabilities to gain access to consumer files. Further, the FTC alleged that ASUS failed to mitigate the harm arising from these security holes by failing to take prompt action to notify its customers of these security issues, or to inform its customers of software security updates that were available. The FTC also faulted ASUS for failing to respond to information provided by third-party security researchers concerning these security holes.
Hackers eventually exploited these security issues, using readily available tools to locate vulnerable ASUS routers and gain unauthorized access to over 12,900 consumers’ connected storage devices.
Consent Decree Imposes Significant New Operational Security Conditions on Router Provider
The FTC’s consent decree lays out a stringent set of conditions that ASUS must implement within the next sixty days to avoid further enforcement action. Under the decree ASUS must:
- Comprehensive Security Program – Establish and maintain a comprehensive security program to address security risks related to the development and management of new and existing routers, and protect the privacy, security, confidentiality, and integrity of the company’s routers. The program must:
  - be documented in writing, and overseen by a designated employee;
  - include a comprehensive risk assessment of material internal and external risks, including in areas involving product and software design;
  - utilize software security testing techniques.
- Biennial Assessments for the Next 20 Years – In addition, ASUS must obtain biennial assessments of its security program from a qualified, objective, independent third-party professional for the next twenty years. Materials relied upon to prepare each assessment must be maintained for a period of at least three years.
- Notice to Consumers – Provide notice to consumers when a software update is available, or when ASUS is aware that consumers should be taking reasonable steps to mitigate a security flaw.
Lessons Learned: Actively Monitor, Review and Resolve Security Vulnerabilities That May Arise
This case offers important reminders for network router and other device manufacturers operating in the IoT marketplace. To avoid scrutiny from privacy regulators, such companies should:
- Ensure that any device firmware includes basic security functionality that employs proper user authentication principles.
- Test for known software vulnerabilities and implement well-known, low-cost security measures to address such risks.
- Maintain an adequate process for accepting, and acting upon, legitimate third-party reports of software security vulnerabilities in firmware or other components of your device or network.
- Accurately disclose the status of current firmware, including its capabilities to address and resolve known security vulnerabilities; and provide timely notice to registered customers of software fixes to known network vulnerabilities.
Before the consent decree is finalized it will be published in the Federal Register. Interested parties may file comments on the terms of the decree during the next thirty days, or no later than March 24, 2016, after which time the FTC will decide whether to make the proposed decree final.