On February 23rd, the U.S. Federal Trade Commission settled with Taiwan-based ASUSTeK Computer, Inc. over the marketing of its routers, which put hundreds of thousands of consumers’ home networks at risk. The complaint included charges that the ASUS routers featured insecure “cloud” services which led to the compromise of thousands of connected storage devices and exposed their owners’ sensitive personal information over the internet.
As part of the consent order, ASUS will be slapped with the requirement of establishing and maintaining a robust security program which will be subject to independent audits for the next 20 years. Ouch!
The problem was that ASUS marketed and sold its routers with claims that the routers’ many security features could protect computers and networks from unauthorized access by hackers or virus attacks. The FTC challenged those claims, alleging ASUS did not take reasonable measures to make the firmware on its routers as secure as ASUS had claimed it was. In other words, they lied.
The FTC claimed hackers could easily exploit security vulnerabilities in the router’s browser-based configuration panel, for example to change the router’s security settings without the consumer’s knowledge. In April of 2015, a malware researcher demonstrated an exploit in which he could reconfigure the router’s settings and redirect the user’s Web traffic. Among other vulnerabilities was the fact that, by default, the word “admin” was used for both the username and password, and the consumer was not required to change it.
The complaint against ASUS also argued that the company did not protect the consumer’s use of the cloud storage features called AiCloud and AiDisk, allowing a hacker to bypass the login screen and gain complete access to connected storage devices without any credentials at all. Nor did the ASUS router encrypt files in transit, leaving the consumer’s storage device open to anyone on the internet.
The FTC alleges that ASUS did not move to correct these security issues in a timely manner, nor did it alert customers to the risks the many security flaws exposed them to. In addition to independent audits every 2 years, ASUS will be required to notify consumers about firmware updates or other available measures to protect themselves from the security flaws of the ASUS routers. The company must also agree to stop misleading consumers about the security of its products.
The settlement is subject to public comment from now through March 24th. Then, based on those comments, the Commission will decide whether or not to make the consent order final. You can submit your own comments electronically and read more about the Commission’s settlement with ASUS at the FTC.gov Web site.
Time will tell whether or not this embarrassing episode will tarnish ASUS’s image overall, and the general perception of people like myself that ASUS routers were something special.
Chalk one up for the American consumer. Let’s all hope that other manufacturers of similar products take notice of this FTC action against ASUS and endeavor to make our routers not only as secure as possible but also as secure as they claim.