12:05 PM

Asus Settles FTC Charges, Agrees To 20 Years Of Supervision

Asus has settled charges leveled against it by the FTC. The agency accused the router maker of putting the home networks of "hundreds of thousands of consumers" at risk. The company has agreed to 20 years of supervision.


Taiwan-based Asustek Computer, or Asus, will be subject to 20 years of independent security audits as part of a settlement it has reached with the US Federal Trade Commission (FTC).

Announced Feb. 23, the settlement addresses security vulnerabilities and negligent practices related to Asus routers and accompanying services. According to the FTC, critical security flaws in Asus routers put the home networks of "hundreds of thousands" of consumers at risk.

The 12-page consent agreement spells out everything Asus needs to do for the next 20 years, essentially creating straightforward security standards for the industry. But it also validates security concerns -- or highlights a need for them -- as the worlds of consumers, enterprises, and everything in between become increasingly connected.


"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a Feb. 23 statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."

In an undated complaint filed against Asus, the FTC alleges, among other things:

  • An Asus design flaw allowed consumers to continue to use default login credentials -- username: admin, password: admin -- that were the same on all of its routers.
  • Asus didn't notify consumers about available security updates. Often, it told consumers that their router software was up to date, when a critical security update was available.
  • Asus offered services called AiCloud and AiDisk that allowed consumers to create their own so-called private cloud storage, available from any device, by plugging in a USB drive. But the services included "multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers' files and router login credentials."
  • A password vulnerability in the AiCloud application made it possible for hackers to retrieve users' login credentials and modify router settings, leaving users vulnerable to cross-site request forgery (CSRF). Moreover, Asus didn't implement "well-known, low-cost measures to protect against them, such as anti-CSRF tokens … which allow a server to reject forged requests sent by attackers."

Asus has agreed to FTC measures that include:

  • creating and implementing a comprehensive security program
  • designating employees to be accountable for the program
  • identifying potential risks to the privacy, security, confidentiality and integrity of consumer information
  • designing and implementing reasonable safeguards to control against identified risks
  • regularly testing and monitoring the effectiveness of said safeguards, and
  • using service providers also capable of implementing and maintaining appropriate safeguards.

The company will also undergo assessments of its progress -- by an independent, third-party professional, with FTC-mandated credentials -- first in a report on its first 180 days, and then every two years for the next 20 years.


The FTC has published the consent agreement package in the Federal Register, where for the next 30 days it's open for public comment. After March 24, the Commission will decide whether to make the proposed consent order final.

Once the FTC issues a consent order on a final basis, it added, each violation of the order "may result in a civil penalty of up to $16,000."

The public can submit comments through the FTC's website.

In a blog post, the FTC also urged consumers with Asus brand routers to take a number of steps right away, including downloading the latest security updates and changing any preset passwords.


Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...

2/25/2016 | 1:53:55 AM
It's been a while since I bought a wireless router, but I thought most of them have admin/password or variants of it as default login credentials. I wonder if the FTC would go against them as well. In any case, this is good news for consumers.