The FTC and Cybersecurity – Part Two


Welcome back to the CRO blog. Last week we began a series of three blog posts by analyzing the first of three Federal Trade Commission court cases, with FTC vs. Wyndham Worldwide Corporation. This week we’re moving onto a lawsuit filed by the FTC against ASUSTek Computer, Inc. back in 2016.

Who Is ASUS and Why Are They Important?

ASUS is a Taiwanese based computer hardware manufacturer. You can buy gaming laptops, full desktop systems, routers, monitors, and much more from ASUS. The Federal Trade Commission filed a complaint against ASUS, charging that critical security flaws in its routers put thousands of consumers at risk and violated the provisions of the Federal Trade Commission Act.

The Facts:

The complaint was filed by the FTC on July 18, 2016. The routers in question had been on the market for quite some time, through most of 2013 and into 2014, and the FTC ultimately investigated and acted roughly two years later.

ASUS promised to provide highly secure routers. Beyond the promise of security, ASUS also built additional functionality into those routers: two products called AiCloud and AiDisk, both advertised heavily as private, secure clouds. You could plug a USB storage device directly into one of these ASUS routers and it would essentially create a small file server, so that you could access those files from the internet.

Ultimately, ASUS had advertised its routers in a certain fashion but shipped products with poor built-in security; they were clearly not designed with security in mind. One important thing to remember about the FTC is that its original bread and butter is false advertising, the basic consumer-protection type of case. The FTC pays close attention to advertising and to the representations made in it.

How Did the FTC Become Aware of the Issue?

In this case, a third-party security researcher publicly disclosed these issues in June 2013. In November 2013, the security researcher contacted ASUS again, and ASUS still did nothing. It was not until January 2014, when a number of European media outlets published stories about these security risks, that ASUS actually began to act.

Failures of the “Respond and Recover” Step:

ASUS did take some action after those January 2014 stories: it created firmware updates. The problem is that it didn’t tell anyone about them. ASUS made no concerted effort to inform its customers that these firmware updates existed.

On February 1, 2014, a group of hackers exploited these vulnerabilities, and thousands of consumers were affected. People had unknowingly exposed their personal data online by using these products. That data was stolen, and many people were harmed. It was after this that the FTC took an interest in the matter and reviewed the overall process and what had happened. That’s when it found out about the security researcher who had contacted ASUS multiple times without ASUS doing anything. Over the course of these events, ASUS had the opportunity to follow the Respond and Recover stages of the cybersecurity framework; it simply didn’t do a good job.

If you’d like to dig deeper into the FTC’s lawsuit against ASUS, which is quite technical, we encourage you to look into the case yourself. You can find it online at the FTC’s website.

Check back next week to find out what FTC case we discuss next.
