FTC Cracks Down on Poor Router Security

By John Lister

ASUS has agreed to government supervision for 20 years after exaggerating the security of its routers. Officials say the company put hundreds of thousands of computers at risk.

The company has agreed to a settlement in response to Federal Trade Commission (FTC) charges. The alleged breach of rules lay not in the security flaws themselves, but in ASUS continuing to market the routers as "safe", which was misleading to customers.

Among ASUS's bold claims was that its routers could "protect computers from any unauthorized access, hacking, and virus attacks." This turned out not to be the case because of security flaws in the system that lets users access their router settings through any Internet-connected PC.

All Routers Had Same Password

The FTC says it was too easy for hackers to take advantage and gain unauthorized access in this way, letting them intercept or redirect the user's communications. It also criticized ASUS for shipping routers with both the default username and password set to "admin", with no requirement for the user to change the password to something more secure. (Source: ftc.gov)

The complaint also highlighted a personal "cloud" feature which meant users could plug a portable hard drive into the router and then access the files from any computer on the local network.

However, it turned out the files were actually accessible from any Internet-connected computer by anyone who figured out the router's specific web address. One computer enthusiast who discovered this chose not to steal any files, but rather to save a text file to all the affected hard drives warning customers of the flaw. (Source: zdnet.com)

Customers Misled Into Leaving Routers Unpatched

Another problem was that a software update tool for the routers falsely told customers their router was up to date, when in fact newer updates were available with important security patches.

ASUS has agreed to overhaul its security program and appoint specific workers responsible for finding and fixing hacking risks. It has also promised not to mislead customers about the protection it offers.

The agreement also means an independent security professional will check ASUS's security program in three months and then once every two years until 2036.

While ASUS hasn't formally admitted any unlawful activity in this case, the terms of the settlement mean it would face a $16,000 penalty for breaching the agreement. As that would apply for each specific router involved in any breach, such fines would quickly mount up.

What's Your Opinion?

Do you own an ASUS router? Do you trust hardware manufacturers to do their part in keeping their equipment secure? Have you changed your router's password from the default setting?


Comments

Dennis Faas:

It's good to see the FTC step up to the plate in cases like this. I'm just wondering how much effort it took for anyone to notice and report the wrong-doing, and how long it took the government to actually pursue the issue. At any rate, I'd like to see other tech companies be held accountable like this on a regular basis - Microsoft included.

matt_2058:

I agree with Mr Faas about holding companies accountable on a regular basis. I'd like to see this taken a step further, holding them to a strict 'truth in advertising'-type of obligation. Require disclosure of test configuration used to achieve the performance claims or provide something the consumer can use to determine the feasibility of those claims to their situation. Router wireless speed is one of the advertised specs that is almost impossible to achieve in normal use.