On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office had reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) over the company’s sale of insecure Bluetooth-enabled door locks and padlocks. In a press release, Schneiderman said this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”
The Settlement stems from Safetech’s representations that its products would let users protect personal belongings inside their homes by turning doors and closets into secure areas. In August 2016, however, a team of independent security researchers found that Safetech’s Bluetooth-enabled locks left consumers exposed to hacking and theft because the locks failed to protect the passwords and other security information required to operate them. Specifically, the researchers found that the locks transmitted passwords between the lock and the user’s smartphone in plaintext, without encryption, so that anyone able to intercept the Bluetooth traffic could read the password and open the lock. The researchers also found that the locks shipped with weak, insecure default passwords that could easily be recovered by brute-force attacks, in which automated software tries a large number of consecutive guesses until one is accepted.
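As an added illustration, not part of the original post and not Safetech’s actual protocol, app or firmware, the following Python models the two failure modes the researchers described, a password sent in the clear and a short guessable default PIN, beside a challenge-response design in which the password never crosses the radio link and the factory default is refused until the user changes it. The frame formats, the default PIN “1234”, the salt and the PBKDF2 parameters are all assumptions made for the example.

```python
"""Toy model of a Bluetooth lock's unlock exchange, constructed for
illustration only (not Safetech's protocol, app or firmware; the frame
formats, the default PIN and the key-derivation parameters are assumed):
a plaintext-password design beside a challenge-response design in which
the password never crosses the radio link."""
import hashlib
import hmac
import itertools
import secrets

DEFAULT_PIN = "1234"      # constructed weak factory default
PBKDF2_ROUNDS = 1_000     # kept low so the demo runs fast; real devices use far more


class PlaintextLock:
    """Weak design: the phone sends the PIN itself, so a sniffer reads it."""

    def __init__(self, pin: str = DEFAULT_PIN):
        self.pin = pin

    @staticmethod
    def phone_frame(pin: str) -> bytes:
        return pin.encode()                       # credential in the clear

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.pin.encode())


def derive_key(pin: str) -> bytes:
    # PIN-to-key stretch shared by lock and phone; the salt would be per-lock.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"lock-serial", PBKDF2_ROUNDS)


def phone_tag(pin: str, nonce: bytes) -> bytes:
    """What the phone sends in the hardened design: HMAC(key, nonce)."""
    return hmac.new(derive_key(pin), nonce, hashlib.sha256).digest()


class ChallengeResponseLock:
    """Hardened design: the lock issues a fresh random nonce and accepts
    HMAC(key, nonce). A sniffer sees only nonce and tag, each nonce is
    single-use so replays fail, and the default PIN is refused until changed."""

    def __init__(self):
        self.key = derive_key(DEFAULT_PIN)
        self.default_in_use = True
        self._nonce = None

    def set_pin(self, new_pin: str) -> bool:
        # Assumed to run during initial setup; keeping the default is refused.
        if new_pin == DEFAULT_PIN:
            return False
        self.key = derive_key(new_pin)
        self.default_in_use = False
        return True

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, tag: bytes) -> bool:
        if self.default_in_use or self._nonce is None:
            return False
        expected = hmac.new(self.key, self._nonce, hashlib.sha256).digest()
        self._nonce = None                        # consumed: a replay fails
        return hmac.compare_digest(expected, tag)


def replay_plaintext(pin: str) -> bool:
    lock = PlaintextLock(pin)
    captured = PlaintextLock.phone_frame(pin)     # one sniffed frame
    return lock.unlock(captured)                  # True: the capture is the credential


def replay_hardened(pin: str) -> bool:
    """Sniffer records a complete valid exchange and resends the tag."""
    lock = ChallengeResponseLock()
    lock.set_pin(pin)
    captured_tag = phone_tag(pin, lock.challenge())
    lock.unlock(captured_tag)                     # owner's legitimate unlock
    lock.challenge()                              # next session, fresh nonce
    return lock.unlock(captured_tag)              # False: stale tag


def brute_force(accepts, length: int = 4):
    """Try every numeric PIN of the given length; returns (pin, guesses)."""
    for n, digits in enumerate(itertools.product("0123456789", repeat=length), 1):
        guess = "".join(digits)
        if accepts(guess):
            return guess, n
    return None, 10 ** length


def brute_force_online(lock: PlaintextLock):
    """Guess directly against the weak lock, which has no lockout."""
    return brute_force(lambda g: lock.unlock(PlaintextLock.phone_frame(g)))


def brute_force_offline(nonce: bytes, tag: bytes):
    """The hardened design hides the PIN from a sniffer, but one captured
    (nonce, tag) pair can be tested offline against every short PIN."""
    return brute_force(lambda g: hmac.compare_digest(phone_tag(g, nonce), tag))
```

Running `replay_plaintext("4821")` returns True while `replay_hardened("4821")` returns False, and `brute_force_online(PlaintextLock())` recovers the constructed default in 1,235 guesses. The offline case is the caveat a practitioner should take from the example: keeping the credential off the air stops passive interception and replay, but a four-digit PIN still falls to `brute_force_offline` from a single captured exchange, so encryption alone does not rescue a weak or unchanged default credential; the factory default has to be changed to something long enough to resist guessing, and a real device would also rate-limit or lock out repeated online attempts, which this toy does not model.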
The Settlement requires Safetech to encrypt all passwords, electronic keys and other security credentials in its locks and other Bluetooth-enabled devices, and to prompt users to change the default password during initial setup of wireless communication. The Settlement also requires Safetech to establish and implement a written comprehensive security program reasonably designed to (1) address security risks related to the development and management of new and existing devices that use security information, and (2) protect the privacy, security, confidentiality and integrity of security information, including:
- designating an employee or employees to coordinate and be accountable for the security program;
- identifying material internal and external risks to (1) the security of the devices that could result in unauthorized access to or unauthorized modification of the device and (2) the privacy, security, confidentiality and integrity of security information;
- designing and implementing reasonable safeguards to control the risks identified through the risk assessment;
- regularly testing or monitoring the effectiveness of the safeguards’ key controls, systems and procedures, including reasonable and appropriate security testing techniques such as vulnerability and penetration testing, security architecture reviews and code reviews;
- taking reasonable steps to select and retain service providers capable of maintaining security practices consistent with the Settlement, and contractually requiring those service providers to implement and maintain appropriate safeguards consistent with the Settlement; and
- evaluating and adjusting Safetech’s security program in light of the results of the testing and monitoring required by the Settlement.