ASUS Settles FTC Complaint Charging its Routers had Serious Security Flaws

February 23, 2016

Taiwan-based computer hardware maker ASUSTeK Computer, Inc. has agreed to settle Federal Trade Commission (FTC) charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers' insecure cloud services led to the compromise of thousands of consumers' connected storage devices, exposing their sensitive personal information on the internet.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

ASUS marketed its routers as including numerous security features that the company claimed could "protect computers from any unauthorized access, hacking, and virus attacks" and "protect [the] local network against attacks from hackers." Despite these claims, the FTC's complaint alleges that ASUS didn't take reasonable steps to secure the software on its routers.

For instance, hackers could exploit pervasive security bugs in the router's web-based control panel to change any of the router's security settings without the consumer's knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers' web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username "admin" and password "admin".

According to the complaint, ASUS's routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own "cloud" storage accessible from any of their devices. While ASUS advertised these services as a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router," the FTC's complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer's connected storage device without any credentials, simply by accessing a specific URL from a web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer's files in transit, and its default privacy settings provided – without explanation – public access to the consumer's storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers' connected storage devices.

In many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers. In addition, ASUS did not notify consumers about the availability of security updates. For example, the router's software update tool – which allowed consumers to check for new router software – often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification). The consent order will also prohibit the company from misleading consumers about the security of the company's products, including whether a product is using up-to-date software.
