Asus Settles FTC Charges, Agrees To 20 Years Of Supervision
Asus has settled charges leveled against it by the FTC. The agency accused the router maker of putting the home networks of "hundreds of thousands of consumers" at risk. The company has agreed to 20 years of supervision.
Taiwan-based Asustek Computer, or Asus, will be subject to 20 years of independent security audits as part of a settlement it has reached with the US Federal Trade Commission (FTC).
Announced Feb. 23, the settlement addresses security vulnerabilities and negligent practices related to Asus routers and accompanying services. According to the FTC, critical security flaws in Asus routers put the home networks of "hundreds of thousands" of consumers at risk.
The 12-page consent agreement spells out everything Asus needs to do for the next 20 years, essentially creating straightforward security standards for the industry. But it also validates security concerns -- or highlights a need for them -- as the worlds of consumers, enterprises, and everything in between become increasingly connected.
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a Feb. 23 statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."
In an undated complaint filed against Asus, the FTC alleges, among other things:
An Asus design flaw allowed consumers to continue using default login credentials -- username: admin, password: admin -- that were the same on all of its routers.
Asus didn't notify consumers about available security updates. Often, it told consumers that their router software was up to date, when a critical security update was available.
Asus offered services called AiCloud and AiDisk that allowed consumers to create their own so-called private cloud storage, available from any device, by plugging in a USB drive. But the services included "multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers' files and router login credentials."
A password vulnerability in the AiCloud application made it possible for hackers to retrieve users' login credentials and modify router settings, leaving users vulnerable to cross-site request forgery (CSRF). Moreover, Asus didn't implement "well-known, low-cost measures to protect against them, such as anti-CSRF tokens … which allow a server to reject forged requests sent by attackers."
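As an added illustration of the anti-CSRF token measure quoted above (this is example code, not from the FTC filing or any Asus firmware): the server mints a random token per login session, embeds it in its settings form, and rejects any state-changing request that does not carry the matching token, using a constant-time comparison. Session ids and request dicts are constructed stand-ins for the browser's cookie and form fields.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side store: session id -> CSRF token (constructed, in-memory stand-in
# for a real session table).
_csrf_tokens: Dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Mint a fresh random token for this session; the settings page embeds it
    in a hidden form field that only a same-origin page can read."""
    token = secrets.token_urlsafe(32)
    _csrf_tokens[session_id] = token
    return token


def is_valid_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one issued to this session.
    A forged request from another site carries the session cookie automatically
    but cannot know the token, so it fails this check."""
    expected = _csrf_tokens.get(session_id)
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so the check does not leak the token via timing.
    return hmac.compare_digest(expected, submitted)


def handle_settings_change(request: dict) -> Tuple[int, str]:
    """Handler for a state-changing router request. `request` is a constructed
    dict: {'session': <cookie>, 'csrf_token': <form field>, 'setting': <value>}."""
    session_id = request.get("session", "")
    if session_id not in _csrf_tokens:
        return 401, "not logged in"
    if not is_valid_csrf(session_id, request.get("csrf_token")):
        return 403, "forged or replayed request rejected"
    return 200, "setting updated to %s" % request.get("setting")


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    tok = issue_csrf_token(sid)
    # Legitimate submission from the router's own settings page.
    print(handle_settings_change({"session": sid, "csrf_token": tok, "setting": "on"}))
    # Forged submission: cookie rides along, token absent -> 403.
    print(handle_settings_change({"session": sid, "setting": "off"}))
```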
Asus has agreed to FTC measures that include:
creating and implementing a comprehensive security program
designating employees to be accountable for the program
identifying potential risks to the privacy, security, confidentiality and integrity of consumer information
designing and implementing reasonable safeguards to control against identified risks
regularly testing and monitoring the effectiveness of said safeguards, and
using service providers also capable of implementing and maintaining appropriate safeguards.
The company will also undergo assessments of its progress -- by an independent, third-party professional, with FTC-mandated credentials -- first in a report on its first 180 days, and then every two years for the next 20 years.
The FTC has published the consent agreement package in the Federal Register, where for the next 30 days it's open for public comment. After March 24, the Commission will decide whether to make the proposed consent order final.
Once the FTC issues a consent order on a final basis, it added, each violation of the order "may result in a civil penalty of up to $16,000."
In a blog post, the FTC also urged consumers with Asus brand routers to take a number of steps right away, including downloading the latest security updates and changing any preset passwords.
Michelle Maisto is a writer, a reader, a plotter, a cook, and a thinker whose career has revolved around food and technology. She has been, among other things, the editor-in-chief of Mobile Enterprise Magazine, a reporter on consumer mobile products and wireless networks for ...