• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

ASUS Settles FTC Charges Involving Insecure Routers and "Cloud" Services

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,233 (7.55/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
The FTC posted this press release today: Taiwan-based computer hardware maker ASUSTeK Computer, Inc. has agreed to settle Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers' insecure "cloud" services led to the compromise of thousands of consumers' connected storage devices, exposing their sensitive personal information on the internet. The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection. "Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information."

ASUS marketed its routers as including numerous security features that the company claimed could "protect computers from any unauthorized access, hacking, and virus attacks" and "protect [the] local network against attacks from hackers." Despite these claims, the FTC's complaint alleges that ASUS didn't take reasonable steps to secure the software on its routers.

For instance, according to the complaint, hackers could exploit pervasive security bugs in the router's web-based control panel to change any of the router's security settings without the consumer's knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers' web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set - and allowed consumers to retain - the same default login credentials on every router: username "admin" and password "admin".

According to the complaint, ASUS's routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own "cloud" storage accessible from any of their devices. While ASUS advertised these services as a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router," the FTC's complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer's connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer's files in transit, and its default privacy settings provided - without explanation - public access to the consumer's storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers' connected storage devices.

The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers. In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates. For example, according to the complaint, the router's software update tool - which allowed consumers to check for new router software - often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification). The consent order will also prohibit the company from misleading consumers about the security of the company's products, including whether a product is using up-to-date software.

This matter is part of the FTC's ongoing effort to ensure that companies secure the software and devices that they provide to consumers.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 24, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

NOTE: The Commission issues an administrative complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.

View at TechPowerUp Main Site
 
Last edited by a moderator:
Joined
Nov 4, 2005
Messages
11,980 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
There is no cloud, its just some else's computer.
 
Joined
May 13, 2010
Messages
6,065 (1.14/day)
System Name RemixedBeast-NX
Processor Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard Dell Inc. 08HPGT (CPU 1)
Cooling Dell Standard
Memory 24GB ECC
Video Card(s) Gigabyte Nvidia RTX2060 6GB
Storage 2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s) Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case Dell Precision T3600 Chassis
Audio Device(s) Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply 630w Dell T3600 PSU
Mouse Logitech G700s/G502
Keyboard Logitech K740
Software Linux Mint 20
Benchmark Scores Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P
there is no spoon either!
 
Top