FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)

from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept

The FTC has stepped up to smack ASUS down for selling “secure” routers that were about as impregnable as a child’s couch fort.

[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.

That’s not all. ASUS’s security “best practices” apparently included credentials pulled from annual “Worst Passwords” lists.

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This, unfortunately, isn’t just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials and very few of them demand the end user alter the login before putting the product to use.
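What "demand the end user alter the login" looks like in code, as an added example (not ASUS firmware and not from the FTC complaint): the factory credential is honoured exactly once, only from the LAN side, and only to reach the password-change page. The "admin"/"admin" default comes from the complaint; the short weak-password list, the interface names, the session shape and the PBKDF2 tuning are assumptions made for the example.

```python
import hashlib
import hmac
import os

# The factory default named in the FTC complaint.
FACTORY_DEFAULT = ("admin", "admin")
# Assumed: a handful of entries of the kind annual "worst passwords" lists carry.
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000  # assumed tuning; a real device would size this to its CPU


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AdminAuth:
    """Admin login state for a router's web UI.

    The factory credential works, but only from the LAN and only to reach
    the password-change page; everything else stays locked until a real
    password is set.  Remote (WAN) management is off unless enabled later.
    """

    def __init__(self):
        self.username, default_pw = FACTORY_DEFAULT
        self.salt = os.urandom(16)
        self.pw_hash = _hash(default_pw, self.salt)
        self.password_changed = False
        self.wan_admin_enabled = False

    def login(self, username, password, iface="lan"):
        """Return a session dict, or None if the attempt is refused."""
        if iface == "wan" and not self.wan_admin_enabled:
            return None  # never expose the admin UI to the Internet by default
        user_ok = hmac.compare_digest(username.encode(), self.username.encode())
        pw_ok = hmac.compare_digest(_hash(password, self.salt), self.pw_hash)
        if not (user_ok and pw_ok):
            return None
        # A session opened with the untouched default is restricted.
        return {"user": username, "restricted": not self.password_changed}

    def authorize(self, session, action):
        """Gate every admin action; a restricted session may only change the password."""
        if session is None:
            return False
        if session["restricted"] and action != "set_password":
            return False
        return True

    def set_password(self, session, new_password):
        """Replace the password; refuse short values and list-of-shame entries."""
        if not self.authorize(session, "set_password"):
            return False
        if len(new_password) < MIN_LENGTH or new_password.lower() in WEAK_PASSWORDS:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.password_changed = True
        session["restricted"] = False
        return True

    def enable_wan_admin(self, session):
        """Opt in to remote management, and only after the default is gone."""
        if not self.authorize(session, "enable_wan_admin"):
            return False
        self.wan_admin_enabled = True
        return True


def walkthrough():
    """Run the first-boot sequence and collect each decision."""
    auth = AdminAuth()
    out = {}
    out["wan_default"] = auth.login("admin", "admin", iface="wan")       # None
    session = auth.login("admin", "admin", iface="lan")
    out["lan_default_restricted"] = session["restricted"]                # True
    out["dns_before_change"] = auth.authorize(session, "set_dns")        # False
    out["weak_rejected"] = auth.set_password(session, "password")        # False
    out["short_rejected"] = auth.set_password(session, "Tr0ub4dor")      # False
    out["strong_accepted"] = auth.set_password(session, "correct horse battery staple")
    out["dns_after_change"] = auth.authorize(session, "set_dns")         # True
    out["old_default_now"] = auth.login("admin", "admin", iface="lan")   # None
    out["wan_after_optin"] = auth.enable_wan_admin(session) and \
        auth.login("admin", "correct horse battery staple", iface="wan") is not None
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The two decisions that matter are in `login` and `authorize`: the default credential never yields a usable session, and the WAN interface is refused outright until an administrator who has already replaced the default opts in. Everything else (hash choice, list of weak passwords) is policy a vendor can tune.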

As for ASUS, the list of insecurities goes on and on.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.
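A way to check your own router for the AiDisk-style exposure the complaint describes (storage reachable by "anyone on the Internet" without credentials), as an added example that is not code from ASUS, the FTC or this article: connect to the FTP port and see whether `USER anonymous` is accepted. Run `check_anonymous_ftp()` against your public address from outside your LAN. The two fake servers are constructed stand-ins so the script can demonstrate both outcomes offline; the reply codes follow RFC 959 (220 ready, 331 password needed, 230 logged in, 530 refused).

```python
import socket
import threading


def _recv_line(sock):
    """Read one CRLF-terminated line (FTP replies and commands are line based)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace").strip()


def _recv_reply(sock):
    """Read a full FTP reply; a '220-' style multi-line reply ends at '220 '."""
    line = _recv_line(sock)
    if len(line) > 3 and line[3] == "-":
        code = line[:3]
        while line and not line.startswith(code + " "):
            line = _recv_line(sock)
    return line


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """True if USER anonymous / PASS is accepted (230), False if refused,
    None if nothing is listening (which is what you want from the WAN side)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        if not _recv_reply(sock).startswith("220"):
            return False
        sock.sendall(b"USER anonymous\r\n")
        reply = _recv_reply(sock)
        if reply.startswith("230"):      # logged in with no password at all
            return True
        if not reply.startswith("331"):  # 530 or similar: anonymous refused
            return False
        sock.sendall(b"PASS audit@example.invalid\r\n")
        return _recv_reply(sock).startswith("230")


def _fake_ftp_server(allow_anonymous):
    """Constructed stand-in for a router FTP daemon; serves one client, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.sendall(b"220 router FTP ready\r\n")
            while True:
                cmd = _recv_line(conn).upper()
                if cmd.startswith("USER"):
                    conn.sendall(b"331 Password required.\r\n" if allow_anonymous
                                 else b"530 Anonymous access disabled.\r\n")
                elif cmd.startswith("PASS"):
                    conn.sendall(b"230 Login successful.\r\n")
                else:
                    break  # client closed the connection

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Exercise the check against an exposed server, a locked-down one, and a closed port."""
    exposed = check_anonymous_ftp("127.0.0.1", _fake_ftp_server(True))
    locked = check_anonymous_ftp("127.0.0.1", _fake_ftp_server(False))
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens there now
    closed = check_anonymous_ftp("127.0.0.1", closed_port, timeout=1.0)
    return exposed, locked, closed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python ftp_audit.py 203.0.113.5
        print(check_anonymous_ftp(sys.argv[1]))
    else:
        print(demo())  # (True, False, None)
```

A `True` from the WAN side means your files are public; `False` means the daemon is still reachable and worth turning off; `None` is the result a correctly configured router gives. Note the check says nothing about encryption: even an authenticated FTP login sends the password and the files in the clear, which is the second AiDisk complaint above.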

ASUS’s insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn’t clear, but it could be this is just the first in a wave of settlements.

The FTC isn’t just unhappy about ASUS’s bogus security claims. It’s also unhappy with the company’s response time. The complaint notes ASUS failed to act quickly in response to reported security holes.

In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.

[…]

It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.

Because of this, ASUS is going to spend the next two decades maintaining a “comprehensive security program” subject to independent audits. An FTC official’s statement suggests the agency’s settlement with ASUS carries symbolic weight as well — the mounting of ASUStek’s head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS’s eight-month delayed reaction to the notifications it received in June of 2013, users are still better off taking security into their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.

Companies: asus


Comments on “FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)”

28 Comments
WDS (profile) says:

Personal Responsibility

I just got a new commercial firewall for work from a respected security company that had the admin/admin defaults. The other problems that ASUS routers have, I blame on them, but leaving the admin password at the default is a user problem, as is not turning off the management access on the WAN link.

While the new firewall does not make you change the default password, it does nag you until you do.

Anonymous Coward says:

Re: Re: Personal Responsibility

Why do I not see these errors until the moment I press the submit button?

It’s because after you edit your words carefully, and hit preview, and edit some more, and preview again—you’re just too damn impatient to get up from your chair, and walk away for a minute.

You could get up for another cup of coffee, re-read your words one last time, and then hit submit. But that would slow the conversation down.

Capitalist Lion Tamer (profile) says:

Re: Personal Responsibility

I agree it’s a user problem. But I think companies who claim to care about security should at least push users towards changing the default login before the device can be put to use, if not prevent its operation until the default has been changed.

I understand why they might not want to implement this, as future breaches would be almost solely their responsibility, rather than the end user’s.

JoeCool (profile) says:

Re: Re: Personal Responsibility

The problem is that people LIKE simple passwords. ADMIN/ADMIN is exactly the kind of password many companies/agencies like (e.g., the DOD’s username/password for decades of DOD/DOD).

I’d bet you real money that if they made the username/password something like &^%^JBSFJBIREUYT(&R#YT&R#YT$AY/()&FDJNFKJDBFIT$#^&T#^T%*, people would change it the very first instant they can! … unfortunately to something like ADMIN/ADMIN. 😉 😀

Chronno S. Trigger (profile) says:

Re: Re:

They don’t even do that any more. The first thing DD-WRT does is make you set the username and password. They even go one step further and hide the username.

Still the only router software that I’ve ever seen that requires setting the password. All others, professional or residential, have default passwords that can be found by a simple Google search.

Anonymous Anonymous Coward says:

Responsible Router Configuration

If router manufacturers were going to be completely responsible, they would ship their routers with the firewalls set to deny everything. Then when the typical end user tries to connect to anything, it won’t go through. Those companies’ ratings would tank, their returns would skyrocket and everyone would blame it on them, but they just did the secure thing.

Even if they leave Port 80 open so that people could at least connect to the Internet and try to look up a solution, the complaints will fall around my email doesn’t work, my game doesn’t connect, your router sux big time, where are my instant messages?, etc.

No amount of instruction will help the average user. Just finding out what ports to open and when is beyond the average user. Then try to get them to understand UDP vs TCP and whether in or out for either is correct, which depends upon the application. Maybe a script could be written that asks sensible questions and does the right thing, but I have yet to see it. Windows firewall had something like that, but it opened things without my permission and against my will as well, so that doesn’t answer.

My ISP-provided router has a firewall, and it has about 50 settings for games from the last decade or so set to open, when I don’t have any of those games. So I have to go through and close them all, and in that process I run into things I have never heard of, and I have been building my own computers since the early ’90s and have a higher than average capability (I am NOT however claiming to actually be a competent tech, just an experienced user).

Computer security needs to be better. We should have started with the OS’s, but we didn’t. We should have included the Internet, but we didn’t. We should have standards that manufacturers should follow, but they are suggestions not requirements. There should be a way for the less than average user to get their machine configured for the things they want to do, but we are too busy building the latest and greatest to make the existing more readily usable.

There is no cost effectiveness in making the existing better. The cost effectiveness is in selling users more stuff.

Anonymous Coward says:

Re: Responsible Router Configuration

“Even if they leave Port 80 open”

Solicited traffic can go through the firewall on all ports. And users don’t access the Internet through their port 80, more like a random port (that’s higher). Port 80 is accessed through the web server’s port 80. Someone setting up a webserver would have to do a port forward but that’s already the case and if you are setting up a web server you should know how to do that.

John Fenderson (profile) says:

Re: Re: Responsible Router Configuration

“Solicited traffic can go through the firewall on all ports.”

This is another problem. Firewall configurations tend to assume that any traffic coming from inside the firewall is trustworthy — and it’s not. Automatically allowing solicited traffic through is a security problem.

In my home LAN, this is not automatically true. All traffic is blocked, solicited or otherwise, unless I specifically tell the firewall it’s permitted.

Anonymous Coward says:

Re: Re: Re: Responsible Router Configuration

and, really, if you have malware/trojans/viruses/infections on your personal computer or home network or untrusted traffic coming from your own computer or home network then you have bigger issues.

Someone tech savvy and conscientious enough to go through the hassle of doing what you do is probably not someone that has malware on their home network so they probably have little reason to do all that mess regardless.

The person that does have malware on their PC or home network isn’t going to be the type of person that will be able to manage their firewall the way you do.

Victor David says:

Huawei Router

When I switched providers recently, I received a Huawei HG8245H. It has 2 admin users, both with well-known default credentials. One of the users cannot be changed. The really bad part though is that, by default, the router lets you access its administrative functions from the internet side. I didn’t know that at first and within a day or two, I discovered various logins from the other side of the planet. I reset the device (b/c I didn’t know what might have been changed) and then turned off this “feature”, but my god what negligence on the part of Huawei. Most customers aren’t going to ever check anything and meanwhile, all the bad actors know that this model (which is widely deployed on my ISP) is entirely accessible.

That Anonymous Coward (profile) says:

The lowest common idiot...

Is it easier to have the login password default admin/admin or to pay to have someone walk a technophobic customer through resetting the machine & then trying to puzzle out the configuration they can’t remember?
We printed it in a manual that they should change it, it is no longer our fault.

More time is spent offering a better mousetrap than making sure the mousetrap can’t break the owner’s fingers. It is a race to add more bells & blinkie lights, rather than a well designed secure box. Far too many end users assume these magic boxes have been vetted & are secure. Blissfully ignorant that they have some responsibilities to keep them secure also.

Buzzwords sell, not security. There are only a few researchers looking, we can be onto the next generation before they even think about testing our thing to see if it’s broken.
Look at the list of things they have shown are broken…. now count how many of them resulted in anything other than a little bad PR.
The FTC doing something is uncommon and even when they do I’m sure in 3 months we’ll be talking about the next stupid company who did these exact same things… and how very little will happen to them.

Perhaps it is time to stop buying the router that also is a toaster & disco ball and ask for the one that had an independent review of its security.

Mason Wheeler (profile) says:

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This is one of the things I like about WordPress. It actually allows me to set my login name to something different from the name displayed as the author of the posts I write. I run WordFence (a security plugin) and it gives me periodic reports on failed login attempts. People try stuff like “admin” and my author name all the time, but never once have I seen an attempt to log in with my actual login name.

Michael (profile) says:

this won’t change anything

I doubt that the FTC action will change anything.

For example, Eero just released new routers and they are being written up on many tech sites. Not one of these reviews will say anything about the security of the devices. They may mention the self-updating firmware in passing, but that’s it. All any tech site cares about when it comes to routers is WiFi speed and range.

Anyone interested can read up on router security at my http://www.RouterSecurity.org site. It’s not finished…
