FTC Issues Sanctions for Insecure Software

The Federal Trade Commission (FTC) released a press release that describes the sanctions applied to a company whose insecure software products impacted hundreds of thousands of consumers. The company makes routers for home networks and claimed the products had security features to protect computers from unauthorized access and other serious concerns.

The FTC argued that the software was trivially vulnerable to a variety of serious attacks, and the company did not take reasonable steps to secure it. This is important because it reflects a growing trend of the Federal government holding corporations accountable for and issuing sanctions for inadequate software security.

The Security Defects in Question

The FTC's complaint indicates that the software had numerous critical security defects such as:

• Multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers' files and router login credentials – exploitable just by knowing the router's IP address.
• No encryption was used to transfer files over insecure networks.
• No authentication was required to access files on FTP servers hosted on user networks.
• The router firmware and administrative console were vulnerable to:
  • multiple password issues
  • cross-site scripting
  • cross-site request forgery
  • buffer overflow vulnerabilities
• Attackers could exploit these vulnerabilities to gain unauthorized administrative control over consumers' routers.

What the FTC Claimed

The following is taken verbatim from the FTC filing to describe the negligence and what should have been done as part of normative, due care software development. I've included a large portion of the ruling to illustrate the types of activities that organizations need to adopt and embrace in order to build secure software and bolded some key points to consider.

Respondent has engaged in a number of practices that, taken together, failed to provide reasonable security in the design and maintenance of the software developed for its routers and related "cloud" features. Among other things, respondent failed to:

1. perform security architecture and design reviews to ensure that the software is designed securely, including failing to:
   • use readily-available secure protocols when designing features intended to provide consumers with access to their sensitive personal information…
   • implement secure default settings…
   • prevent consumers from using weak default login credentials to protect critical security functions or sensitive personal information…
2. perform reasonable and appropriate code review and testing of the software to verify that access to data is restricted consistent with a user’s privacy and security settings;
3. perform vulnerability and penetration testing of the software, including for well-known and reasonably foreseeable vulnerabilities … such as authentication bypass, clear-text password disclosure, cross-site scripting, cross-site request forgery, and buffer overflow vulnerabilities;
4. implement readily-available, low-cost protections against well-known and reasonably foreseeable vulnerabilities, as described in (c), such as input validation, anti-CSRF tokens, and session time-outs….

The FTC Ruling: What the Company is Now Required to Do

The FTC ruling describes what the company must do to comply with the law, and below is a summary. NOTE: much of this is verbatim from the ruling.

• Establish and maintain a comprehensive security program for 20 years (yes, 20 years!)
• Identify and address security risks related to the development and management of new and existing devices, and protect the privacy, security, confidentiality, and integrity of information
• Assess the sufficiency of the safeguards
  • employee training and management, including in secure engineering and defensive programming;
  • product design, development, and research;
  • secure software design, development, and testing, including for Default Settings;
  • review, assessment, and response to third-party security vulnerability reports, and
  • prevention, detection, and response to attacks, intrusions, or systems failure
• The design and implementation of reasonable safeguards to control the risks identified through risk assessment, including through reasonable and appropriate software security testing techniques, such as
  • vulnerability and penetration testing;
  • security architecture reviews;
  • code reviews; and
  • other reasonable and appropriate assessments, audits, reviews, or other tests to identify potential security failures and verify that access to Covered Devices and Covered Information is restricted consistent with a user's security settings
• The company must have a qualified third-party conduct security assessments on the security program every 2 years and submit the results to the FTC for review

Implications

The FTC was blunt in its accusation that the company failed to integrate an adequate level of security into the design, development, testing, and maintenance of the software. Unfortunately, these observations are not surprising or unusual as many organizations fail to implement even generally accepted security practices. This particular organization just happened to be noticed by the FTC, but they are not alone.

The implications of this ruling are huge! The US government has effectively set minimal acceptable standards for software security and is holding corporations liable for failing to live up to the security claims made by such organizations. In this case, the company involved in the FTC settlement was "engaged in a number of practices that, taken together, failed to provide reasonable security in the design and maintenance of the software."

Additionally, the government is raising the application security bar and stating that security training, security engineering, security testing, security architecture reviews, and other application security practices are no longer "nice to have" but are now part of the standard of due care for designing, building, testing, and maintaining software.