FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)

from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept

The FTC has stepped up to smack ASUS down for selling "secure" routers that were about as impregnable as a child's couch fort.

[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.
That's not all. ASUS's security "best practices" apparently included credentials pulled from annual "Worst Passwords" lists.
The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.
This, unfortunately, isn't just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials and very few of them demand the end user alter the login before putting the product to use.

As for ASUS, the list of insecurities goes on and on.
According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.
ASUS's insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn't clear, but it could be this is just the first in a wave of settlements.

The FTC isn't just unhappy about ASUS's bogus security claims. It's also unhappy with the company's response time. The complaint notes ASUS failed to act quickly in response to reported security holes.
In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.


It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.
Because of this, ASUS is going to spend the next two decades maintaining a "comprehensive security program" subject to independent audits. An FTC official's statement suggests the agency's settlement with ASUS carries symbolic weight as well -- the mounting of ASUStek's head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS's eight-month delayed reaction to notifications it received in June of 2013, users are still better off taking security into their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.


Filed Under: admin, ftc, security
Companies: asus

Reader Comments


  1. WDS, 23 Feb 2016 @ 2:24pm

    Re: Personal Responsibility

    "not turn of" should be "not turning off". Why do I not see these errors until the moment I press the submit button.
