Asus Settles With FTC Over Security of Wireless Routers

The agreement, which includes 20 years of supervision of Asus security efforts, sends a message as more devices and systems become connected.


U.S. regulators are putting the tech industry on notice that security in the age of the Internet of things needs to be a priority.

The Federal Trade Commission (FTC) has settled charges with Asus over complaints of critical security flaws in its wireless routers, issues that regulators said put hundreds of thousands of consumers at risk. As part of that settlement, Asus agreed to maintain a comprehensive security program under which its wireless routers and associated firmware will be independently audited every two years for the next 20 years.

At a time when billions of devices and systems—including home appliances and home security systems—are being connected to the Internet and increasing the attack surface for hackers, security needs to be a priority, including in the wireless routers that will be crucial for connecting these devices, according to Jessica Rich, director of the FTC's Bureau of Consumer Protection.

"The Internet of things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Rich said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."

The number of connected devices worldwide is expected to skyrocket over the next several years, from home systems and connected cars to medical devices and industrial systems. Cisco Systems officials are predicting there will be more than 50 billion connected devices, systems and sensors, double the 25 billion in 2014.

Cyber-security experts have expressed concerns that device makers are spending more of their attention and money on product features and less on security, opting instead to bolt security on after the device has been built. Regulators are hoping to see more emphasis put on security.

The FTC found that part of Asus' marketing pitch for its routers was that they offered multiple security features that protected users' computers and networks from hacking, intrusion and virus attacks. However, the regulators found that the Taiwanese device maker didn't take the steps necessary to make the software on its routers secure.

The commission said in its complaint that there were pervasive security bugs in the routers' Web-based control panel that could be exploited by hackers who wanted to change the devices' security settings. A malware researcher in 2015 uncovered a campaign by hackers that took advantage of the vulnerabilities to reconfigure routers and take control of users' Web traffic. In addition, various design flaws in the routers made these vulnerabilities worse, the regulators said.

Asus features connected to the routers—AiCloud and AiDisk—also had security flaws, the FTC found. AiCloud lets users plug a USB hard drive into the router to create personal cloud storage that is accessible from their devices, and AiDisk lets users connect to the USB drives through File Transfer Protocol (FTP). These also were advertised as secure, and yet hackers were able to exploit a vulnerability in AiCloud to bypass its log-in screen and access the connected storage device without credentials through a specific URL, regulators said.

AiDisk did not encrypt consumer files that were in transit, while the default privacy setting offered public access to the storage device to anyone on the Internet. In 2014, hackers located vulnerable routers and exploited these flaws, gaining access to more than 12,900 connected storage devices, the FTC found.

Asus often did not address the security issues in a timely manner and failed to notify customers of the security flaws, the commission said. Along with the comprehensive security program and auditing mandate, the FTC's consent order also will require the device maker to notify customers of software updates or other steps that they can take to protect themselves, including an option to register for direct security notices through email, text message or push notification.

Regulators said the mandates on Asus are part of a larger effort by the FTC to push companies to ensure the software and devices they sell to consumers are secure.