A computer hardware maker reached a deal with the Federal Trade Commission, settling charges that security flaws in its routers put thousands of consumers' home networks at risk and that insecure cloud services running on those routers exposed the storage devices connected to them.
The flaws were present in ASUSTeK Computer, Inc., products despite advertisements touting the security features of the routers with claims that they could "protect computers from any unauthorized access, hacking, and virus attacks" and that they would "protect [the] local network against attacks from hackers."
In actuality, the company was aware of design flaws and bugs in the products, the agency alleged, and failed to take reasonable steps to secure its software. In one example, a malware researcher revealed a bug that allowed hackers to reconfigure vulnerable routers and commandeer consumers' Web traffic. ASUS also shipped every router with the same default login credentials ("admin" as both username and password) and never required users to change them, so routers could stay reachable with those well-known credentials indefinitely.
The cloud storage provided by ASUS similarly failed to pass muster. AiCloud and AiDisk services allowed consumers to plug a USB hard drive into the ASUS router to create their own cloud storage that was accessible from any device. But contrary to the company's claim that the services offered a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router," a vulnerability in the service permitted hackers to bypass the login screen and gain access to the storage device without any credentials, the FTC alleged.
Contributing to the insecurity, AiDisk did not encrypt files in transit, and the service's default privacy settings allowed public access to the device. These security flaws resulted in hackers gaining unauthorized access to almost 13,000 consumers' connected storage devices in February 2014, the agency said, when ASUS router owners received the following message on their device: "This is an automated message being sent out to everyone affected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection."
Despite knowledge of the security weaknesses, ASUS neglected to fix the problems in a timely manner and failed to notify consumers about the risks or the availability of security updates. For more than a year, the software update tool on the router often told consumers their router was up to date when new software containing critical security fixes was actually available.
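The update-tool failure is worth showing in code, because the secure design point is simple: a checker must never report "up to date" unless it has positively confirmed it. The block below is an added example, not ASUS's firmware or the tool described in the FTC complaint, and the complaint does not say why that tool misreported. It assumes a hypothetical JSON release feed keyed by model name and a dotted/underscore version format (the feed, the model name "RT-EXAMPLE" and the version strings are all constructed here). It places a numeric, component-wise version comparison beside a naive string comparison that orders a newer build before an older one, and it fails closed to "could not verify" whenever the feed cannot be fetched, parsed or matched.

```python
import json
import re
from enum import Enum

# Added example, not ASUS's code. The release feed, model name and version
# format below are constructed assumptions for illustration only.
SAMPLE_FEED = json.dumps({
    "models": {
        "RT-EXAMPLE": {"version": "3.0.0.4.376_1071"},
    }
})


class Status(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    UNKNOWN = "could not verify"


def parse_version(text, width=6):
    """Split a version like '3.0.0.4.376_1071' on '.', '_' or '-' into a
    fixed-width tuple of ints so tuples compare component by component.
    Shorter versions are right-padded with zeros ('1.0' == '1.0.0').
    Anything that is not purely numeric components is rejected."""
    parts = re.split(r"[._-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > width:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))


def is_newer(candidate, installed):
    """Correct check: numeric, component-wise comparison."""
    return parse_version(candidate) > parse_version(installed)


def naive_is_newer(candidate, installed):
    """Common pitfall shown for contrast: plain string comparison orders
    '..._1071' before '..._999', so a newer build looks older and a
    checker built on it would wrongly say 'up to date'."""
    return candidate > installed


def check_for_update(installed, feed_json, model):
    """Return (Status, latest_version). Fails closed: any parse or lookup
    problem yields UNKNOWN, never UP_TO_DATE."""
    try:
        feed = json.loads(feed_json)
        latest = feed["models"][model]["version"]
        if is_newer(latest, installed):
            return Status.UPDATE_AVAILABLE, latest
        return Status.UP_TO_DATE, latest
    except (ValueError, KeyError, TypeError):
        return Status.UNKNOWN, None


if __name__ == "__main__":
    installed = "3.0.0.4.376_999"
    print("naive string compare says newer:", naive_is_newer("3.0.0.4.376_1071", installed))
    print("numeric compare says newer:", is_newer("3.0.0.4.376_1071", installed))
    print(check_for_update(installed, SAMPLE_FEED, "RT-EXAMPLE"))
    print(check_for_update(installed, "<html>error</html>", "RT-EXAMPLE"))
```

The fail-closed branch is the part that matters for the behaviour described above: a checker that treats a failed download, a malformed feed or an unrecognised model as "up to date" is silently lying to the user, whereas reporting "could not verify" at least tells them to check manually.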
The Taiwan-based company reached a deal with the FTC requiring ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. The company must also notify consumers about updates or other means to protect themselves from security flaws, and must refrain from misleading consumers about the security of its products, including about whether a product is running up-to-date software.
The complaint and proposed consent order are filed under the case name In the Matter of ASUSTeK Computer, Inc.
Why it matters: "The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, Director of the FTC's Bureau of Consumer Protection, said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information." Comments on the proposed consent order in the case—which the agency noted is part of its "ongoing effort to ensure that companies secure the software and devices that they provide to consumers"—will be accepted until March 24.