The FTC has said that ASUS has demonstrated a “failure to employ reasonable security practices [that] has subjected consumers to substantial injury.” The full statement by the Federal Trade Commission indicates that AsusTek misrepresented the security of its routers and of its cloud services. The FTC said that the exponential growth of the Internet of Things has made the router an important security gate to the consumer’s home network. The FTC cited ASUS’ failure this way:
ASUS marketed its routers as including numerous security features that the company claimed could ‘protect computers from any unauthorized access, hacking, and virus attacks’ and ‘protect [the] local network against attacks from hackers.’ Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.
The FTC also stated that hackers could use a vulnerability in the ASUS cloud service to bypass the login screen, gaining access to consumers’ accounts and connected devices. The result was felt in 2014:
In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices.
It’s reported elsewhere that hackers then published details of thousands of vulnerable ASUS routers and AiCloud accounts. Even that might not have been a problem for ASUS on its own, but the FTC alleges that much of the harm is attributable to ASUS failing to act reasonably in four ways.
- ASUS failed to notify customers of vulnerabilities, while marketing its routers and cloud services as being secure.
- ASUS also failed to notify customers of security updates to fix known vulnerabilities.
- The router’s update-check feature very often reported the customer’s firmware as up to date when a newer version was actually available.
- Maybe most importantly, ASUS was lax about releasing security updates in a timely manner.
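The third point above is a failure mode that is easy to reproduce in update-check code. The article does not say why ASUS routers misreported their firmware as current, so the following is an added illustration, not code from the article or from any ASUS firmware: it contrasts a naive string comparison of version numbers with a numeric comparison, and it keeps "the check failed" separate from "up to date" so a network error is never reported to the user as a clean bill of health. The version strings and the `fetch_latest` callable are constructed for the example.

```python
"""Firmware update check: correct version comparison and a fail-closed status.

Added example, not taken from the article or from ASUS firmware. The article
only states that the router's update check reported "up to date" while a newer
build existed; it does not say why. Two common causes of exactly that symptom
are shown here: comparing version strings as text, and treating a failed
check as "up to date". All version numbers below are constructed.
"""
from enum import Enum
from typing import Callable, Optional, Tuple


class UpdateStatus(Enum):
    UP_TO_DATE = "up_to_date"
    UPDATE_AVAILABLE = "update_available"
    CHECK_FAILED = "check_failed"   # deliberately distinct from UP_TO_DATE


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted/underscored version string into a tuple of ints.

    '.', '_' and '-' all split components, so each numeric field compares as
    a number rather than as characters. Anything non-numeric is rejected so
    that a malformed string cannot silently compare as "equal".
    """
    parts = []
    for token in v.replace("_", ".").replace("-", ".").split("."):
        if not token.isdigit():
            raise ValueError(f"unparseable version component: {token!r}")
        parts.append(int(token))
    return tuple(parts)


def _padded(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '1.2' and '1.2.0' compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def naive_is_newer(installed: str, available: str) -> bool:
    """The pitfall: lexicographic comparison. '1.0.10' sorts BEFORE '1.0.9'."""
    return available > installed


def is_newer(installed: str, available: str) -> bool:
    """Correct numeric, component-wise comparison."""
    a, b = _padded(parse_version(installed), parse_version(available))
    return b > a


def check_for_update(
    installed: str, fetch_latest: Callable[[], Optional[str]]
) -> UpdateStatus:
    """Report update status, failing closed on any error.

    `fetch_latest` stands in for the call to the vendor's update server; it
    returns the latest version string, or None if the lookup failed.
    A failed lookup must surface as CHECK_FAILED, never as UP_TO_DATE.
    """
    try:
        latest = fetch_latest()
        if latest is None:
            return UpdateStatus.CHECK_FAILED
        return (UpdateStatus.UPDATE_AVAILABLE
                if is_newer(installed, latest)
                else UpdateStatus.UP_TO_DATE)
    except (OSError, ValueError):
        # Network failure or an unparseable response: do not claim currency.
        return UpdateStatus.CHECK_FAILED


if __name__ == "__main__":
    # Constructed scenario: 1.0.10 is newer than 1.0.9, but a string compare
    # says otherwise, which is the "up to date" misreport the FTC described.
    print("naive:", naive_is_newer("1.0.9", "1.0.10"))   # False (wrong)
    print("correct:", is_newer("1.0.9", "1.0.10"))       # True
    print(check_for_update("1.0.9", lambda: "1.0.10"))
    print(check_for_update("1.0.9", lambda: None))        # CHECK_FAILED
```

The design point is the separate `CHECK_FAILED` state: an update checker that collapses "could not reach the server" into "nothing to do" will tell users they are current exactly when they most need to know they are not.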
As a result, ASUS has agreed to a 20-year audit period of its security practices. Three months after the program goes into effect, ASUS will get its first security audit, then one every two years for the next 20 years. The FTC describes the details:
In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification). The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.
Do you, or have you used ASUS networking hardware or cloud services? Is the 20-year audit time frame reasonable? Tell us what you think in the comments below or on Google+, Facebook, or Twitter.

Source: FTC