The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek (“ASUS”). In its complaint against the Taiwanese hardware manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its router software. The Commission cited the company’s alleged failure to address vulnerability reports as one of the its primary concerns. The settlement reiterates the warnings contained in the FTC’s recent Start with Security Guide and prior settlements with HTC America and Fandango: the FTC expects companies to implement adequate processes for receiving security vulnerability reports and addressing them within a reasonable time.
On February 23, the FTC announced its agreement with ASUS to settle charges that security flaws in the company’s routers and connected storage devices placed the home networks of thousands of consumers at risk and exposed sensitive personal information. In several sections of the complaint, the FTC alleges that ASUS failed to adequately respond to reports of security vulnerabilities that allowed hackers to bypass authentication requirements (thereby allowing attackers to directly access consumers’ data) as well as retrieve and modify router login credentials (thereby allowing attackers to modify all router settings). In addition, the FTC alleges that ASUS:
- Promoted a router feature as a way to “safely secure” consumer data, but that feature utilized unsecured FTP (thereby not supporting encryption of data in transit when using the feature);
- Included default settings to make consumer data accessible to the public Internet without requiring any login credentials; and
- Distributed a firmware upgrade tool that misrepresented to consumers that their routers’ firmware was up to date, even though the firmware lacked recent security updates.
The complaint against ASUS also emphasizes the FTC’s view that the fixes in this case were well-known and could be implemented at relatively low cost. For example, ASUS allegedly set the same default login credentials on every router—“admin” as both username and password—and then allowed users to retain those credentials. In addition, the company allegedly failed to update its lists that routers checked to determine whether a firmware update was available, thereby causing unpatched routers to erroneously indicate that their firmware was up-to-date even after security updates were made available. The FTC has repeatedly suggested through its enforcement actions and guidance materials that incorporating security principles into the design and development phases, as well as using common industry tools and processes to detect and address potential security vulnerabilities, constitutes part of “reasonable security” expected of companies subject to FTC jurisdiction.
The FTC’s Enforcement Action Against ASUS Emphasizes the Following Key Takeaways for Companies:
Implement a Process for Promptly Addressing Reports of Security Vulnerabilities
The FTC alleges that the company received several reports regarding vulnerabilities in its products. The vulnerability reports came from consumers, security researchers, and the media. For one vulnerability, ASUS allegedly took four months to issue a fix and another four months to notify consumers. For another vulnerability, the company allegedly took seven months to issue a partial fix, but did not fully patch the vulnerability and did not alert consumers for another month. And for other vulnerabilities, the company allegedly failed to take action to address the identified vulnerabilities for over two years. The FTC’s complaint alleges that ASUS’s delay in responding was, at least in part, an unfair security practice.
The unsolicited reports that ASUS allegedly received came from a variety of sources: some were publicly announced, others were disclosed privately to the company. For many companies, sorting through unsolicited reports that may appear via social media, blogs, comment pages and the like can be a daunting task. It’s hard to isolate the signal from the noise. To address the risk of missing a report, companies may wish to consider following some advice that the FTC offered in its Start with Security Guide: consider setting up a dedicated, public channel for receiving vulnerability reports (e.g., firstname.lastname@example.org).
Promptly Notify Consumers about Vulnerabilities and Available Fixes
The settlement also makes clear that it is not enough to fix security loopholes; companies must provide consumers with clear information about known security risks and how to mitigate them. One can infer from the complaint that providing consumers with notice one or more months after releasing a firmware update to address substantial security vulnerabilities is too long a wait.
The settlement also provides information about the manner in which the FTC expects companies to inform consumers of security updates. Under the settlement, the company must notify consumers by:
- Posting clear and conspicuous notices on the company’s primary, consumer-facing website and, if practicable, within the user interfaces of its devices;
- Sending emails, text messages, push notifications, or similar communications to registered consumers; and
- Providing all consumers who contact the company to complain or inquire about affected devices with information about updates.
The settlement also requires that the company give consumers the chance to provide their contact information during the setup or configuration of devices to facilitate the delivery of security notices.
Similar to other consent orders in data security cases, ASUS agrees to implement a comprehensive, written security program that will be subject to biennial, independent assessments over the next twenty years. As with all FTC settlements, the requirements will be binding only on the company subject to the consent order. But the Third Circuit Court of Appeals has suggested that the FTC’s consent orders may be sufficient to put companies on “fair notice” of the Commission’s security standards, rendering the settlement relevant to the data security practices of all businesses.
The consent order is open for public comment through March 24, 2016.