FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)

(Mis)Uses of Technology

from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept

The FTC has stepped up to smack ASUS down for selling “secure” routers that were about as impregnable as a child’s couch fort.

[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.

That’s not all. ASUS’s security “best practices” apparently included credentials pulled from annual “Worst Passwords” lists.

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This, unfortunately, isn’t just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials and very few of them demand the end user alter the login before putting the product to use.

As for ASUS, the list of insecurities goes on and on.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

ASUS’s insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn’t clear, but it could be this is just the first in a wave of settlements.

The FTC isn’t just unhappy about ASUS’s bogus security claims. It’s also unhappy with the company’s response time. The complaint notes ASUS failed to act quickly in response to reported security holes.

In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.

[…]

It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.

Because of this, ASUS is going to spend the next two decades maintaining a “comprehensive security program” subject to independent audits. An FTC official’s statement suggests the agency’s settlement with ASUS carries symbolic weight as well — the mounting of ASUStek’s head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS’s eight-month delayed reaction to notifications it received in June of 2013, users are still better off taking security in their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.

Filed Under: admin, ftc, security
Companies: asus