In February, the FTC settled claims against Taiwan-based computer hardware maker ASUSTek Computer, Inc. over allegations the company misled consumers about the security of its routers and cloud services.  ASUS routers are used primarily in private homes to establish internet connections for personal devices such as laptops, tablets, and phones.  The cloud services were provided through the home network established by the router, and typically allowed everyone in the home to access and store information on an external hard drive or print to a networked device.  The complaint alleged that critical security flaws in ASUS’s routers put the home networks of hundreds of thousands of consumers at risk by allowing hackers to use the internet to gain control over the routers and connected devices, and that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information.

The FTC asserted that ASUS acted deceptively and engaged in unfair trade practices.  In a February 23 press release, the FTC stated that ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.”  The FTC indicated that it believed that ASUS’s routers were particularly vulnerable to hacking, that its cloud services failed to use secure connections or encrypt traffic, and that ASUS’s software update tool inaccurately promised the most current updates.

Specifically, the complaint alleged:

  • Security bugs in the ASUS router’s web-based control panel allowed hackers, armed only with the IP address associated with the device, to change any of the router’s security settings without consumers’ knowledge;
  • Design flaws in ASUS routers that set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”;
  • Failure to address security flaws in a timely manner and to notify consumers about the risks posed by the vulnerable routers;
  • Failure to notify consumers about the availability of security updates; and
  • Failure to secure vulnerabilities in ASUS’s AiCloud and AiDisk services which allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices.  The complaint alleged that a vulnerability in the AiCloud service allowed hackers to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleged that the AiDisk service did not encrypt consumers’ files in transit, and its default privacy settings provided – without explanation – public access to consumers’ storage devices to anyone on the Internet.

Even without the marketing promises, according to the FTC, these alleged failures constituted unfair business practices.  According to the FTC, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices in February 2014.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

The FTC has taken another step in using a settlement to communicate its expectations as to what conduct constitutes reasonable security measures.  For consumer-focused products, the ASUS settlement reveals that the FTC expects businesses to provide security controls that match the sophistication of the likely user.  The ASUS security controls assumed its users would appreciate the risks and benefits of the various settings available on its routers and that its users would understand basic security concepts such as changing default passwords and other settings or having updates pulled rather than pushed to devices.  The FTC’s concerns were compounded by ASUS’s less-than-clear instructions and directions on helping the user make knowledgeable choices.

The settlement also reveals two other common points of tension.  First, it is likely that ASUS designed its router default configuration assuming that consumers would prefer the functionality of an easy-to-use, out-of-the-box network to tighter security.  For example, many developers have heard users complain about having to enter yet another password to gain access to the benefits of a system.  Thus, ASUS could have assumed that most purchasers of its routers would not want additional controls before accessing the “cloud” storage function.  Yet, it is likely that the FTC concluded that most consumers would not understand the risks and benefits of the alternatives.  Nor was the system designed, or the instructions presented, in a way that would enable a consumer to make the right choices.  Likewise, most sophisticated computer technicians want the ability to control when updates are retrieved, to avoid unknown bugs being included with the update or because the update from one vendor might cause problems with other applications running within that network.  Thus, ASUS’s decision to require updates to be pulled by the user rather than pushed by the manufacturer might seem reasonable at first.  Again, however, most consumers are not this sophisticated.  What is clear is that information security needs to be carefully considered in all aspects of a product’s design, marketing, and sales – a point which will take on more significance with the growth of the Internet of Things.

Second, the FTC never explains why having only the IP address could allow a hacker to take over a router, or where in the application clear-text passwords for the administrative controls persisted.  It is likely a vulnerability linked to the creation of a “backdoor” access point to the device.  A backdoor is often programmed into a device to help consumers when they have forgotten their passwords, or to allow manufacturers to service devices remotely.  Indeed, the benefits and risks of such backdoors are central in the current debate between Apple and the FBI.

In sum, through this settlement the FTC appears to be suggesting that businesses better understand their user population.  It is not always the case that product functionality should trump data security controls.  Indeed, it may be safer to use the best security controls as the default for consumer devices and provide a user-friendly guide, such as a setup wizard, which enables the user to make informed choices about functionality and security.