In February 2014, thousands of ASUS router owners found a disturbing text file saved to their devices. “This is an automated message being sent out to everyone affected,” the message read. “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The anonymous sender then urged readers to visit a site that explained more about the router vulnerability.
On Tuesday, the US Federal Trade Commission settled charges alleging that the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices. Under the agreement, ASUS will maintain a comprehensive security program subject to independent audits for the next 20 years.
ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect the local network against attack from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS took no reasonable steps to secure the software on its routers.
According to the complaint, ASUS’s password protection was often too easy to bypass, either by sending a vulnerable router a request for a URL that was supposed to be reachable only after credentials had been entered (the protected page did not check for a valid login), or by exploiting cross-site request forgery or cross-site scripting vulnerabilities in the router’s web interface. FTC attorneys also challenged password advice provided in ASUS manuals, which in one case suggested users secure files accessible on the router with the user name “family” and an identical password.
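The two web-interface failure classes named above (a protected page that answers a direct URL request without a valid session, and a state-changing request accepted without a CSRF token) are easier to see in code than in a complaint summary. The following is an added example written for this article, not ASUS firmware and not anything reproduced from the FTC filing: a hypothetical router admin handler in its flawed form beside a hardened one. The routes, the `admin` password, and the `Request`/`Response` types are all assumptions made for the illustration.

```python
"""Hypothetical router admin UI: flawed handler beside a hardened one.
Not ASUS code; constructed to illustrate the two flaw classes in the text."""
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_PASSWORD = "admin"  # constructed example credential, not a real default


@dataclass
class Request:
    path: str
    method: str = "GET"
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for secrets (bytes to avoid ASCII-only limits)."""
    return hmac.compare_digest(a.encode(), b.encode())


class VulnerableAdmin:
    """Flaw class 1: only /login checks the password. /settings trusts that
    the client 'must have' come through /login, so anyone who knows the URL
    can read or change settings. Flaw class 2: no CSRF token, so a page on
    another site can submit the same POST on behalf of a logged-in user."""

    def __init__(self):
        self.settings = {"remote_admin": False}

    def handle(self, req: Request) -> Response:
        if req.path == "/login":
            if req.form.get("password") == ADMIN_PASSWORD:
                return Response(200, "welcome")
            return Response(401, "bad password")
        if req.path == "/settings":
            if req.method == "POST":  # no session check, no CSRF check
                self.settings["remote_admin"] = req.form.get("remote_admin") == "1"
            return Response(200, str(self.settings))
        return Response(404)


class HardenedAdmin:
    """Every route except /login requires a server-side session, and every
    state-changing request must carry the per-session CSRF token."""

    def __init__(self):
        self.settings = {"remote_admin": False}
        self.sessions: dict[str, str] = {}  # session id -> CSRF token

    def csrf_token(self, sid: str) -> str:
        """What the settings page would embed in its form as a hidden field."""
        return self.sessions[sid]

    def handle(self, req: Request) -> Response:
        if req.path == "/login" and req.method == "POST":
            if _eq(req.form.get("password", ""), ADMIN_PASSWORD):
                sid = secrets.token_urlsafe(32)
                self.sessions[sid] = secrets.token_urlsafe(32)
                # Real code: Set-Cookie: session=<sid>; HttpOnly; SameSite=Strict
                return Response(200, sid)
            return Response(401, "bad password")

        sid = req.cookies.get("session", "")
        if sid not in self.sessions:
            return Response(302, "/login")  # direct URL access is refused here

        if req.path == "/settings":
            if req.method == "POST":
                if not _eq(req.form.get("csrf", ""), self.sessions[sid]):
                    return Response(403, "missing or wrong CSRF token")
                self.settings["remote_admin"] = req.form.get("remote_admin") == "1"
            return Response(200, str(self.settings))
        return Response(404)
```

In the flawed handler a single unauthenticated `POST /settings` flips `remote_admin` on; in the hardened one the same request is redirected to `/login`, and even a request carrying a valid session cookie (which a browser sends automatically, the basis of CSRF) is refused until it also presents the token that only a page served within that session would know.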
ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.
The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers. In addition, the complaint alleges that ASUS did not even notify consumers when security updates became available. For example, according to the complaint, the router’s software update tool, which let consumers check for new router software, often reported that the router was running the most current software when, in fact, newer software containing critical security updates was available.
In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification). The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.
The FTC complaint said ASUS failed to perform penetration tests on its products to determine whether they were vulnerable to common attacks from the Internet. It’s almost certainly the case that scores or even hundreds of ASUS competitors make the same omission. Tuesday’s settlement should serve as a wake-up call for all of them to secure their devices or face federal oversight for a couple of decades.