ASUS on Tuesday settled FTC charges that flaws in the electronics manufacturer’s wireless routers put consumers’ networks and data at risk. Two lessons from the settlement are obvious, but bear repeating:
First, there’s no excuse for failing to grab low-hanging fruit. The FTC’s key allegations were that ASUS’s routers suffered from well-known and easy-to-fix security flaws:
- The router’s default username/password combination was “admin”/“admin”, which sits alongside “username”/“password123” in the Easy-to-Crack-Credentials Hall of Fame. Such defaults would be tolerable only if the routers forced users to choose secure credentials during initial setup, before exposing the administrative interface to the network. But the routers didn’t, which meant that unsophisticated home users usually were stuck with “admin”/“admin”.
- Similarly, if consumers put files on the ASUS routers, those files were left unsecured by default. Users had to actively deviate from the default to lock their files, and many consumers didn’t.
- The FTC also contended that a third party could bypass credentials entirely by pointing any web browser to a specific URL.
These are rookie mistakes, and the FTC will hold companies accountable for them.
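The three flaws above share one remedy: the device should refuse to do anything useful until the factory credentials are gone, and every request, not just the login page, must pass through the same authentication check. The following is an added example written for this post, not ASUS’s firmware or anything from the FTC complaint; the default-credential list, password rules, route names and response strings are assumptions made for the illustration.

```python
"""Added example, not ASUS or FTC code: a first-setup credential gate plus a
default-deny request dispatcher. The default-credential list, password rules,
route names and response strings are assumptions for this illustration."""
import hashlib
import hmac
import os

# Factory-default pairs to refuse outright (illustrative, not a complete list).
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root"),
}
COMMON_PASSWORDS = {"password123", "12345678", "qwerty123", "letmein"}
MIN_PASSWORD_LENGTH = 12


def credential_problems(username: str, password: str) -> list:
    """Return the reasons a proposed admin login must be rejected (empty if acceptable)."""
    problems = []
    if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
        problems.append("factory-default credentials")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked config file does not hand out the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Router:
    """Ships as admin/admin, but only the setup wizard works until that changes."""

    def __init__(self):
        self.username = "admin"
        self.salt = os.urandom(16)
        self.password_hash = _hash_password("admin", self.salt)  # factory default
        self.credentials_changed = False

    def set_credentials(self, username: str, password: str) -> list:
        """Replace the admin login; returns the problems found, or [] on success."""
        problems = credential_problems(username, password)
        if problems:
            return problems  # refuse, and stay in setup mode
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(password, self.salt)
        self.credentials_changed = True
        return []

    def verify_login(self, username: str, password: str) -> bool:
        candidate = _hash_password(password, self.salt)
        return username == self.username and hmac.compare_digest(candidate, self.password_hash)

    def handle(self, path: str, credentials=None) -> str:
        """Default-deny dispatcher: every path needs a valid login unless listed as public.

        The authentication check runs before the path is even looked up, so there is
        no URL that reaches a handler without passing it.
        """
        public = {"/setup"}
        if not self.credentials_changed and path not in public:
            return "403 setup incomplete: change the default password first"
        if path in public:
            return "200 setup wizard"
        if credentials is None or not self.verify_login(*credentials):
            return "401 authentication required"
        if path == "/files":
            return "200 file share (private by default)"
        return "404 no such page"
```

Two design points worth noticing: the file share and everything else answer 403 until the default password is replaced, so a user who skips setup has nothing exposed rather than everything exposed; and the dispatcher checks credentials before consulting the route table, which is what prevents a forgotten or undocumented URL from becoming an authentication bypass.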
Second, computer companies can’t keep acting like they have no responsibility for products after they ship. The FTC was upset with ASUS’s security flaws themselves, but it was equally upset that ASUS’s security updates often didn’t make their way onto consumers’ routers. Sometimes the routers would even report that their software was up-to-date when it wasn’t. Recall that the FTC recently slammed Oracle for similar software-update problems with Java (which I discussed in January). The cybersecurity takeaway is that reliable security updates are critical.
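An update check that can say “up to date” without having actually confirmed it is worse than no check at all, because it tells the owner to stop worrying. The following is an added example, not ASUS’s update code and not drawn from the FTC complaint: a check that only reports “up to date” after verifying a fresh, authentic vendor manifest, and otherwise fails closed. The manifest layout, the HMAC used as a stand-in for a vendor signature, the model name and the version strings are assumptions. The lexical version comparison shown as `naive_is_current` is a common way such checks go wrong in general; the post does not say why ASUS’s routers misreported, and neither does this example.

```python
"""Added example, not ASUS or FTC code: an update check that answers "up to date"
only after verifying a fresh, authentic vendor manifest, and fails closed otherwise.
The manifest layout, the HMAC stand-in for a vendor signature, the model name and
the version strings are assumptions for this illustration."""
import hashlib
import hmac
import json

VENDOR_KEY = b"demo-vendor-key"  # stand-in for the vendor's signing key (assumption)


def parse_version(version: str) -> tuple:
    """'3.0.0.4.378' -> (3, 0, 0, 4, 378) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def naive_is_current(installed: str, latest: str) -> bool:
    """A common pitfall: comparing version strings lexically ('378' > '1234').

    Shown only as a generic failure mode, not as a claim about ASUS's code.
    """
    return installed >= latest


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: serialize deterministically and attach a MAC.

    Real firmware would use an asymmetric signature so the router holds no secret.
    """
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_for_update(installed: str, signed: dict, model: str, now: int,
                     key: bytes = VENDOR_KEY) -> str:
    """Router side. Returns 'up-to-date', 'update-available' or 'check-failed'.

    Every failure (bad MAC, stale or replayed manifest, wrong model, unparsable
    version) yields 'check-failed'; the function never defaults to 'up-to-date'.
    """
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        return "check-failed"  # tampered or not from the vendor
    manifest = json.loads(signed["body"])
    if manifest.get("model") != model:
        return "check-failed"  # manifest for a different product line
    if manifest.get("expires", 0) < now:
        return "check-failed"  # an old manifest replayed to hide a newer release
    try:
        latest = parse_version(manifest["latest"])
        current = parse_version(installed)
    except (KeyError, ValueError):
        return "check-failed"
    return "up-to-date" if current >= latest else "update-available"


if __name__ == "__main__":
    # Constructed sample: a router on build 378 checking against a manifest for 1234.
    manifest = sign_manifest({"model": "RT-DEMO", "latest": "3.0.0.4.1234", "expires": 2000})
    print("naive check says current:", naive_is_current("3.0.0.4.378", "3.0.0.4.1234"))
    print("verified check says:", check_for_update("3.0.0.4.378", manifest, "RT-DEMO", now=1000))
```

The point of the three-valued result is that the user interface can distinguish “we checked and you are current” from “we could not check”; collapsing the second case into the first is exactly how a router ends up telling its owner that stale firmware is up to date.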