Detour – Rerouting: Unsecure Routers Lead to FTC Action
What the News?
ASUSTeK Computer Inc. a company that sells routers for home use and has touted the security features of its devices and services recently reached a proposed consent agreement over Federal Trade Commission charges that serious security flaws in its system compromised the home networks of hundreds of thousands of consumers. Following the settlement, the company will be required to establish and maintain a comprehensive security program and will be subject to 20 years of independent audits. This is an interesting case in which the FTC is demonstrating a focus on not only claims made by a company, but on data security.
What Went Wrong?
ASUS, a company in the business of marketing home routers, touted the security features of its systems. According to the FTC, the company claimed that its routers could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” The company also marketed its cloud services as a means for consumers to engage in “selective file sharing” and as a helpful tool to safely access data. Despite these claims, the systems were actually vulnerable to hackers based upon serious design flaws including a standard username and password permitted on multiple systems: “admin” and “admin." Hackers were able to use the various vulnerabilities to access consumer web traffic and access consumers’ cloud storage. Further, when security flaws were brought to ASUS’ attention, the FTC alleges that the company failed to act in a timely manner to address the issues and notify consumers of necessary updates.
As the “Internet of Things” continues to grow and consumers increasingly rely upon Internet-connected devices to share and store their sensitive information, the onus is on technology companies to ensure reasonable security measures and practices. Companies should also take care to tailor their marketing messages to ensure that all claims are adequately substantiated. As demonstrated by this recent FTC action, failure to take appropriate measures can lead to an enforcement action.