Asus has settled charges leveled against it by the FTC. The agency accused the router maker of putting the home networks of "hundreds of thousands of consumers" at risk. The company has agreed to 20 years of supervision.

Michelle Maisto, Freelance Writer

February 24, 2016

3 Min Read
<p align="left">(Image: Asus)</p>

10 Stupid Moves That Threaten Your Company's Security

10 Stupid Moves That Threaten Your Company's Security


10 Stupid Moves That Threaten Your Company's Security (Click image for larger view and slideshow.)

Taiwan-based Asustek Computer, or Asus, will be subject to 20 years of independent security audits, as part of a settlement it has reached with US Federal Trade Commission (FTC).

Announced Feb. 23, the settlement addresses security vulnerabilities and negligent practices related to Asus routers and accompanying services. According to the FTC, critical security flaws in Asus routers put the home networks of "hundreds of thousands" of consumers at risk.

The 12-page consent agreement spells out everything Asus needs to do for the next 20 years, essentially creating straightforward security standards for the industry. But it also validates security concerns -- or highlights a need for them -- as the worlds of consumers, enterprises, and everything in between become increasingly connected.

"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a Feb. 23 statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."

In an undated complaint filed against Asus, the FTC alleges, among other things:

  • An Asus design flaw allowed consumers to continue to use default login credentials -- username: admin, password: admin -- that was the same on all of its routers.

  • Asus didn't notify consumers about available security updates. Often, it told consumers that their router software was up to date, when a critical security update was available.

  • Asus offered services called AiCloud and AiDisk that allowed consumers to create their so-called own private cloud storage, available from any device, by plugging in a USB drive. But the services included "multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers' files and router login credentials."

  • A password vulnerability in the AiCloud application made it possible for hackers to retrieve users' login credentials and modify router settings, leaving users vulnerable to cross-site request forgery (CSRF). Moreover, Asus didn't implement "well-known, low-cost measures to protect against them, such as anti-CSRF tokens … which allow a server to reject forged requests sent by attackers."

Asus has agreed to FTC measures that include:

  • creating and implementing a comprehensive security program

  • designating employees to be accountable for the program

  • identifying potential risks to the privacy, security, confidentiality and integrity of consumer information

  • designing and implementing reasonable safeguards to control against identified risks

  • regularly testing and monitoring of the effectiveness of said safeguards, and

  • using service providers also capable of implementing and maintaining appropriate safeguards.

The company will also undergo assessments of its progress -- by an independent, third-party professional, with FTC-mandated credentials -- first in a report on its first 180 days, and then every two years for the next 20 years.

[Read more about Apple and the FBI.]

The FTC has published the consent agreement package in the Federal Register, where for the next 30 days it's open for public comment. After March 24, the Commission will decide whether to make the proposed consent order final.

Once the FTC issues a consent order on a final basis, it added, each violation of the order "may result in a civil penalty of up to $16,000."

The public can submit comments through the FTC's website.

In a blog post, the FTC also urged consumers with Asus brand routers to take a number of steps right away, including downloading the latest security updates and changing any preset passwords.

What have you done to advance the cause of Women in IT? Submit your entry now for InformationWeek's Women in IT Award. Full details and a submission form can be found here.

About the Author(s)

Michelle Maisto

Michelle Maisto

Freelance Writer

Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for eWEEK.com, and the head writer at a big data startup focused on data networks and shared data. She has contributed to Gourmet, Saveur, and Yahoo Food. Her memoir, The Gastronomy of Marriage, was published on three continents. She's currently learning Mandarin at an excruciating pace.

See more from Michelle Maisto
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

NHL's Calgary Flames at New Jersey Devils on February 8, 2024 in Newark, NJ
IT Infrastructure
NHL, Presidio, and a Transformation Power Move with Hybrid CloudNHL, Presidio, and a Transformation Power Move with Hybrid Cloud
byJoao-Pierre S. Ruth
Apr 5, 2024
6 Min Read
Online Privacy Security Threat Abstract Background Art
Cyber Resilience
Cyber Risks When Job Hunters Become the HuntedCyber Risks When Job Hunters Become the Hunted
byCarrie Pallardy
Apr 9, 2024
9 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Hand charging an electric car, leaves and butterflies emerge from the cars exhaust, idea of sustainable transportation. Green energy, eco friendly
Sustainability
Sustainable Transportation Takes OffSustainable Transportation Takes Off
bySamuel Greengard
Mar 26, 2024
5 Min Read
Robotic hand takes a slice out of a coin, representing money
Machine Learning & AI
Special Report: What's Next for the GenAI Market in 2024?Special Report: What's Next for the GenAI Market in 2024
bySara Peters
Mar 12, 2024
3 Min Read
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now