ASUS, a Taiwan-based computer company, has recently agreed to settle with the Federal Trade Commission over charges stemming from insecure routers and cloud services. The complaint alleged that ASUS compromised the personal information of hundreds of thousands of consumers with hardware that failed to meet federal regulations for security. The FTC found that ASUS did not address security flaws in a timely manner and did not properly communicate to its customers the risk these flaws posed. With the rapid growth of the Internet of Things, customers have more information at risk than ever before, and secure routers are pivotal in protecting that information.
The Internet of Things
The Internet of Things is an increasingly expanding network of physical objects that have the ability to connect to the internet. When embedded with software, everyday electronics like washing machines, lamps, and watches can connect to the internet and communicate, allowing remote access to the object. This technology has expanded beyond commercial products and has penetrated the industrial market, for example in drills on oil rigs and in the optimization of supply chain networks. Additionally, consumers have the ability to hook up their houses to the Internet of Things, allowing owners remote access to their security systems and any other connected device. If these systems are compromised due to ineffective router security, there is no limit to the amount of information or data that could be at risk.
Risky ASUS Routers
Among the vulnerabilities in the ASUS routers was one that let an attacker remotely access the routers in order to alter security settings and configurations. This would allow the attacker to access files stored on the connected devices. According to the complaint, a hacker had the ability to bypass the password protection of these routers and make changes without the owner knowing. ASUS marketed its routers claiming they had various security features that protected customers from unauthorized access and attacks; however, the FTC claims that the company did not take the appropriate steps to ensure customer protection.
In particular, the ASUS cloud-based systems were at risk. Through ASUS’s AiCloud system, owners have the ability to plug a USB hard drive into their router and create a cloud storage device that they can access from anywhere. By exploiting a vulnerability in the AiCloud service, a hacker could bypass the login screen and access any information stored by the owner. Additionally, the FTC’s charges stated that ASUS did not adequately encrypt consumer files that were transferred from one device to another, leaving those files accessible to anyone with an internet connection.
Settlement Terms
We’ve written previously about the FTC’s authority. Under the terms of its settlement with the FTC, ASUS must maintain a comprehensive security program that is subject to independently performed audits for the next 20 years. In addition to the security program, the FTC is ordering that the company educate its customers about software updates and measures they can take to prevent security flaws. One way ASUS can help educate customers is by offering direct security notices (through email, text message, etc.) to ensure its customers are adequately protected. Finally, the FTC’s order will prevent the company from making any misleading statements or claims regarding the security of its products.
Now that the Internet of Things is expanding, and potentially any electronic device can be manufactured to include internet connectivity, the need for consumer protection is at an all-time high. The FTC is making an ongoing effort to protect consumers from insecure software and devices. This settlement sends a message to all producers that information and data security must be a top priority when developing their products.
For more information about the Internet of Things and staying protected, contact Revision Legal’s team of experienced Internet attorneys through the form on this page, or call 855-473-8474.
What the FTC Consent Order Required of ASUS
The FTC’s settlement with ASUS was not merely a slap on the wrist. Under the consent order, ASUS was required to establish and maintain a comprehensive security program subject to independent audits every two years for a period of twenty years. The order specifically required ASUS to: (1) designate an employee responsible for the security program; (2) identify material internal and external security risks; (3) design and implement safeguards to control those risks; and (4) evaluate and adjust the security program in response to new risks. Failure to comply with the order exposed ASUS to civil penalties of up to $16,000 per violation per day under 15 U.S.C. § 45(l).
The settlement also required ASUS to notify customers of security updates and provide clear, prominent notice of available patches. For a company that had marketed its routers as “the world’s best,” this was a significant public acknowledgment that those representations were, at minimum, misleading.
The FTC’s Authority Over Data Security
The ASUS case illustrates how the FTC enforces data security obligations under Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits unfair or deceptive acts or practices in or affecting commerce. A data security practice is “unfair” under Section 5 when it causes or is likely to cause substantial harm to consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits. The FTC has successfully applied this framework to dozens of companies since its first major data security case, In the Matter of Eli Lilly and Co., in 2002.
Critically, the FTC does not require a data breach to have actually occurred. The agency can bring an enforcement action based on the existence of unreasonable security practices alone. In ASUS’s case, the practices at issue included: failure to test its software and firmware for security vulnerabilities; failure to maintain an adequate process for receiving vulnerability reports from researchers; and failure to provide timely security updates. The FTC’s position is that promising security features you have not implemented is a deceptive trade practice under Section 5(a).
Liability Exposure for IoT Manufacturers
The ASUS settlement has direct implications for any company that manufactures or sells connected devices. Under the FTC’s enforcement framework, companies can face liability in three scenarios:
Misrepresentation of security features. If marketing materials claim a device is “secure” or has specific protective capabilities, those representations must be accurate and substantiated. Puffery is not a defense when specific security claims induce consumer purchasing decisions.
Failure to patch known vulnerabilities. Once a manufacturer is on notice of a security flaw, failure to release a timely patch and notify affected consumers is itself an unfair practice. Courts and the FTC have found that the relevant standard is what a reasonable company in the industry would do, not merely what the law explicitly requires.
Inadequate default configurations. Shipping devices with default passwords, open ports, or disabled encryption may constitute an unfair practice when the risk of harm is foreseeable and the cost of remediation is low.
State Law Obligations for IoT Security
Federal enforcement is only part of the legal landscape. California’s SB-327, which took effect January 1, 2020, was the first state law specifically targeting IoT security. It requires manufacturers of connected devices to equip those devices with “reasonable security features” appropriate to the nature and function of the device. The California law specifically prohibits default passwords that are identical across devices of the same model — a practice that was central to the ASUS complaint. Oregon followed with a similar law in 2020. Companies selling into these states must conduct a security review of their device configurations before launch.
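The three default-configuration failure modes listed under "Inadequate default configurations" and the SB-327 rule against passwords shared across a model are the kind of thing a manufacturer can check before launch. The following audit is an added example, not code from the original post or from ASUS; the device record schema, model names and serials are constructed for illustration.

```python
# Added example (not from the original post): a pre-launch audit of a product
# line's factory defaults against the failure modes the post names: identical
# default passwords across units of one model, services exposed on the WAN
# side, and encryption disabled for file transfer. The record layout is a
# hypothetical schema, not any vendor's real firmware configuration.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class DeviceDefaults:
    """Constructed record of one unit's factory defaults (hypothetical schema)."""
    model: str
    serial: str
    admin_password: str
    wan_open_ports: list = field(default_factory=list)
    file_transfer_tls: bool = True


def audit_defaults(units):
    """Return (serial, finding) pairs for every unit that fails a check.

    A password counts as "identical across devices of the same model" when
    two or more units of that model ship with the same value.
    """
    findings = []
    # How many units of each model share each factory password.
    shared = Counter((u.model, u.admin_password) for u in units)
    for u in units:
        if shared[(u.model, u.admin_password)] > 1:
            findings.append((u.serial, "default password shared across model"))
        if u.wan_open_ports:
            ports = ",".join(str(p) for p in sorted(u.wan_open_ports))
            findings.append((u.serial, f"WAN-exposed ports: {ports}"))
        if not u.file_transfer_tls:
            findings.append((u.serial, "file transfer shipped without TLS"))
    return findings


# Constructed sample: two model-a units share a password, one of them also
# exposes a WAN port, a third ships with TLS off; model-b units are clean
# because "admin" appears only once within that model.
SAMPLE_UNITS = [
    DeviceDefaults("model-a", "A1", "admin", wan_open_ports=[8443]),
    DeviceDefaults("model-a", "A2", "admin"),
    DeviceDefaults("model-a", "A3", "k9Qv-2Lm7-pZ", file_transfer_tls=False),
    DeviceDefaults("model-b", "B1", "admin"),
    DeviceDefaults("model-b", "B2", "x7Hn-4Rt1-Wq"),
]

if __name__ == "__main__":
    for serial, finding in audit_defaults(SAMPLE_UNITS):
        print(serial, finding)
```

Run against a real export of per-unit defaults, an empty result is the evidence a compliance file would want before the "reasonable security features" representation is made.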
Beyond these IoT-specific laws, manufacturers face potential tort liability under negligence and products liability theories. If a router’s foreseeable insecurity leads to unauthorized access and resulting harm — identity theft, financial loss, or even physical injury through compromised smart home systems — the manufacturer may face common law claims in addition to regulatory enforcement. The economic loss rule has been eroding in IoT contexts as courts grapple with purely digital harms.
What Businesses Should Do Now
If your company manufactures, distributes, or resells connected devices, the ASUS settlement provides a clear roadmap for the minimum security program you need. At a practical level, that means: conducting a security assessment of your current product line; reviewing all marketing materials for accuracy regarding security capabilities; establishing a vulnerability disclosure policy and a defined patch release timeline; and ensuring your terms of service do not disclaim liability in ways that conflict with the safety representations you make to consumers.
Distributors and retailers are not immune. If you place an ASUS-style device in the stream of commerce, you may bear secondary liability under FTC precedents for knowing participation in a deceptive scheme. This is particularly true if you make independent security representations in your own marketing materials.
If your company has received an FTC civil investigative demand or is facing a data security investigation, or if you need help building a compliance program for your IoT product line, contact Revision Legal’s internet law attorneys through the form on this page or call 855-473-8474.