RF equipment manufacturer ASUSTeK Computer, Inc. recently agreed to a consent decree with the Federal Trade Commission (FTC), settling an administrative complaint issued by the agency. The complaint contains two major allegations: (1) security defects in ASUSTeK’s home routers put the networks of hundreds of thousands of consumers at risk; and (2) the routers’ insecure “cloud” services compromised consumers’ storage devices, revealing their personal information on the Internet.
The FTC’s complaint avers that ASUSTeK falsely marketed routers with an “AiCloud” feature. AiCloud enables consumers to plug a USB hard drive into a router to create “cloud” storage accessible from any of their devices. ASUSTeK claimed that the routers contained security features that would “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” The FTC charges that, in spite of these claims, ASUSTeK did not take reasonable steps to secure the software on its routers.
For instance, according to the complaint, hackers could exploit pervasive security bugs in the routers’ web-based control panels to change any of the routers’ security settings without consumers’ knowledge. In 2014, hackers identified thousands of vulnerable ASUSTeK routers and, utilizing flaws in AiCloud, accessed attached USB storage devices to save a text file that warned: “Your Asus router and your documents can be accessed by anyone in the world with an internet connection.” The hackers then published 12,937 IP addresses of vulnerable ASUSTeK routers and login credentials for 3,131 AiCloud accounts.
The FTC further asserts that ASUSTeK did not address the security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers or about the availability of security updates.
The consent decree requires ASUSTeK to, among other things, establish and maintain a comprehensive security program subject to independent audits for the next 20 years, and regularly notify consumers of software updates that will increase data security.
The FTC issues an administrative complaint when it has “reason to believe” that applicable laws and regulations have been violated and it determines that a proceeding is in the public interest. FTC consent decrees carry the force of law with respect to future actions. Each violation of such a consent decree may result in a civil penalty of up to $16,000.
The FTC has stated that it will continue its efforts to ensure that IoT companies secure the software and devices they market to consumers. Because routers are critical components in securing home IoT networks, it is vitally important that manufacturers ensure that sufficient security is in place to protect consumers and their personal information.
If you would like additional information about this proceeding or matters pertaining to IoT data security, please contact Linda McReynolds at (703) 714-1318 or Ronald E. Quirk, Jr. at (703) 714-1305 at Marashlian & Donahue.