ASUS hit by FTC with 20-year audit for bungled router security
The FTC is sending a signal that it is taking the issue of home-router security seriously.
Taiwan-based computer maker AsusTek has agreed to be audited for the next 20 years to settle charges from the US Federal Trade Commission that its "failure to employ reasonable security practices has subjected consumers to substantial injury".
The security audits, to be conducted by an independent third party, are just one of several measures ASUS must accept for misrepresenting the security of its routers and cloud services, AiCloud and AiDisk.
The FTC announced the settlement on Tuesday, sending a signal to the industry that it is taking the issue of home-router security seriously, particularly as these pieces of hardware are the gateway to an increasing number of networked devices.
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," FTC Bureau of Consumer Protection director Jessica Rich said.
"Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information."
The regulator noted that Asus claimed its routers had security features that could protect computers and local networks from hackers and virus attacks, yet failed to deliver patches in a timely fashion and didn't notify customers of the risks these flaws posed.
For example, the FTC accused ASUS of allowing users to retain default log credentials for the AiDisk FTP server of 'admin' for both username and password, as well as failing to inform consumers of methods to avoid unintentionally exposing sensitive personal information.
Hackers in 2014 were able identify thousands of vulnerable ASUS routers and, using flaws in AiCloud and AiDisk, accessed attached USB storage devices to save a text file that warned: "Your Asus router and your documents can be accessed by anyone in the world with an internet connection."
The hackers then published 12,937 IP addresses of vulnerable ASUS routers and login credentials for 3,131 AiCloud accounts.
Additionally, according to the complaint, an ASUS software update tool incorrectly told consumers their router was using the latest software, when in fact the software had been superseded by newer versions that contained critical security updates.
Asus has agreed to resolve these security failings through a comprehensive security program that covers product development and management, which also involves appointing employees to be accountable for it and identify risks to consumers from hackers.
Asus will need to have a third-party security professional audit it within the first three months of the order coming into effect and thereafter once every two years for the next two decades.
It also must not misrepresent the security of its routers, or the extent to which a device's software is up to date.
The settlement with ASUS follows a similar agreement the FTC reached with Oracle earlier this year over charges that Oracle told Java users their systems were secure after an update when in fact it still left older, insecure versions on users' machines.