Asus is an international manufacturer of all kinds of computer and networking equipment.
The FTC, in this case, was not upset with Asus for making hardware that was buggy and not secure, thereby exposing customers' information, but rather for representing that its routers had numerous security features that could protect users from unauthorized access and hackers when they were buggy and not secure.
In fact, under Section 5 of the FTC Act, as the Wyndham Hotel chain discovered, the FTC could probably have brought an action in either case, but it is much clearer that saying a product was secure when it was not is deceptive.
According to the FTC,
ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.
The press release goes on to talk about some of the vulnerabilities and the fact that Asus did not address them in a timely or effective manner and did not notify consumers of the vulnerabilities.
Hopefully, this will act as a warning to manufacturers of Internet of Things devices that they had better maintain reasonable security or the FTC will explain to them that they should.
In the agreement, Asus agreed to create a security program, have that program watched by the FTC for the next TWENTY years, notify consumers of security flaws and workarounds for those flaws until they are patched, and let the FTC audit them every two years during that period.
For those in the IoT space, doing what is in this agreement without being told will likely keep them out of the crosshairs of the FTC. The FTC is not expecting IoT devices to be bug-free, but it is expecting manufacturers to be responsible.
Manufacturers should consider themselves warned.
The FTC press release on the Asus settlement can be found here.