Taiwan-based Asustek Computer, or Asus, will be subject to 20 years of independent security audits, as part of a settlement it has reached with the US Federal Trade Commission (FTC).
Announced Feb. 23, the settlement addresses security vulnerabilities and negligent practices related to Asus routers and accompanying services. According to the FTC, critical security flaws in Asus routers put the home networks of "hundreds of thousands" of consumers at risk.
The 12-page consent agreement spells out everything Asus needs to do for the next 20 years, essentially creating straightforward security standards for the industry. But it also validates security concerns -- or highlights a need for them -- as the worlds of consumers, enterprises, and everything in between become increasingly connected.
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a Feb. 23 statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."
In an undated complaint filed against Asus, the FTC alleges, among other things:
- An Asus design flaw allowed consumers to continue to use default login credentials -- username: admin, password: admin -- that were the same on all of its routers.
- Asus didn't notify consumers about available security updates. Often, it told consumers that their router software was up to date, when a critical security update was available.
- Asus offered services called AiCloud and AiDisk that allowed consumers to create their own so-called private cloud storage, available from any device, by plugging in a USB drive. But the services included "multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers' files and router login credentials."
- A password vulnerability in the AiCloud application made it possible for hackers to retrieve users' login credentials and modify router settings, leaving users vulnerable to cross-site request forgery (CSRF). Moreover, Asus didn't implement "well-known, low-cost measures to protect against them, such as anti-CSRF tokens … which allow a server to reject forged requests sent by attackers."
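The two cheapest fixes named in the complaint, forcing a change away from the factory-default credential and rejecting settings changes that do not carry a per-session anti-CSRF token, are shown below in an added example. This is illustrative code written for this article, not Asus firmware or any AiCloud/AiDisk code; the `AdminInterface` class, the `FACTORY_DEFAULT` pair, the in-memory session store and the sample setting values are all constructed for the example.

```python
"""Router admin-interface hardening: default-credential lockout and
synchronizer-token CSRF protection. Added example; everything here is
a constructed stand-in for a real firmware's web UI."""
import hmac
import secrets

# Constructed factory default, matching the complaint's "admin / admin".
FACTORY_DEFAULT = ("admin", "admin")
MIN_PASSWORD_LEN = 12  # assumed policy for the example


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (bytes so non-ASCII input is accepted)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class AdminInterface:
    def __init__(self, username: str, password: str):
        self._username = username
        self._password = password
        self._sessions = {}  # session_id -> anti-CSRF token bound to that session
        # Constructed sample setting; 192.0.2.0/24 is documentation space.
        self.settings = {"dns": "192.0.2.1"}

    def using_default_credentials(self) -> bool:
        return (self._username, self._password) == FACTORY_DEFAULT

    def _credentials_match(self, username: str, password: str) -> bool:
        return _same(username, self._username) and _same(password, self._password)

    def login(self, username: str, password: str) -> dict:
        """Issue a session only when the factory default has been replaced.
        Returns a dict with a 'status' key so the caller can tell the cases apart."""
        if not self._credentials_match(username, password):
            return {"status": "bad_credentials"}
        if self.using_default_credentials():
            # Authenticated, but no admin session until the password is changed.
            return {"status": "must_change_password"}
        session_id = secrets.token_urlsafe(16)
        csrf_token = secrets.token_urlsafe(32)  # unguessable per-session token
        self._sessions[session_id] = csrf_token
        return {"status": "ok", "session_id": session_id, "csrf_token": csrf_token}

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        if not self._credentials_match(username, old_password):
            return False
        if new_password == FACTORY_DEFAULT[1] or len(new_password) < MIN_PASSWORD_LEN:
            return False  # refuse to keep or re-set the factory default
        self._password = new_password
        return True

    def update_settings(self, session_id: str, form: dict) -> tuple:
        """Simulated POST handler. A cross-site page can make the browser send the
        session cookie, but it cannot read the token embedded in the real form,
        so a request without the matching token is rejected as forged."""
        expected = self._sessions.get(session_id)
        if expected is None:
            return (401, "no valid session")
        submitted = form.get("csrf_token")
        if submitted is None or not _same(expected, submitted):
            return (403, "forged request rejected: anti-CSRF token missing or wrong")
        for key, value in form.items():
            if key != "csrf_token":
                self.settings[key] = value
        return (200, "settings updated")


def demo() -> list:
    """Walk through the flow; returns the sequence of outcomes for inspection."""
    router = AdminInterface(*FACTORY_DEFAULT)
    out = [router.login("admin", "admin")["status"]]            # must_change_password
    out.append(router.change_password("admin", "admin", "correct horse battery"))
    session = router.login("admin", "correct horse battery")
    out.append(session["status"])                                 # ok
    # Forged cross-site POST: cookie present (session_id) but no token in the form.
    out.append(router.update_settings(session["session_id"], {"dns": "198.51.100.53"})[0])
    # Legitimate POST from the admin page, which includes the token it was served.
    out.append(router.update_settings(session["session_id"],
                                      {"csrf_token": session["csrf_token"],
                                       "dns": "198.51.100.53"})[0])
    return out


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session rather than global, and compared in constant time; a real interface would additionally set `SameSite` on the session cookie and check the `Origin`/`Referer` header, but the synchronizer token alone already defeats the forged-request case the complaint describes.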
Asus has agreed to FTC measures that include:
- creating and implementing a comprehensive security program
- designating employees to be accountable for the program
- identifying potential risks to the privacy, security, confidentiality and integrity of consumer information
- designing and implementing reasonable safeguards to control against identified risks
- regularly testing and monitoring the effectiveness of said safeguards, and
- using service providers also capable of implementing and maintaining appropriate safeguards.
The company will also undergo assessments of its progress -- by an independent, third-party professional, with FTC-mandated credentials -- first in a report on its first 180 days, and then every two years for the next 20 years.
The FTC has published the consent agreement package in the Federal Register, where for the next 30 days it's open for public comment. After March 24, the Commission will decide whether to make the proposed consent order final.
Once the FTC issues a consent order on a final basis, it added, each violation of the order "may result in a civil penalty of up to $16,000."
The public can submit comments through the FTC's website.
In a blog post, the FTC also urged consumers with Asus brand routers to take a number of steps right away, including downloading the latest security updates and changing any preset passwords.