ASUS Settles FTC Charges on Router Security

The FTC announced a settlement with ASUS on router security settings that left the personal data of 12,900 consumers’ publicly available. ASUS agreed to 20 years of periodic security audits along with fines of $16,000 per incident that could reach as much as $206 million in civil penalties.

Asus marketing material boasted its routers “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.”

The FTC’s proposed consent order will require Asus to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.” Based on the FTC’s claim that “hackers used readily available tools to locate vulnerable Asus routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices” Asus may be on the hook to pay a civil penalty of up to $16,000 per incident or $206,400,000.

The FTC said, impacted Asus router owners have until March 24 to publicly comment on the proposed Asus settlement before the measure is enforced 30 days after the deadline.

“With so many devices being connected to the home network, routers are the consumer’s first line of defense,” said Nithan Sannappa, senior attorney at the FTC’s division Privacy and Identity Protection in an interview with Threatpost.

Sannappa said Asus’s security lapses caused real harm to consumers ranging from the exposure of sensitive files on the internet to identity theft. In numerous cases, Sannappa said, consumers’ personal files stored using Asus’s AiDisk FTP feature were indexed by a major search engine and accessible to anyone.  In at least one case, a consumer reported being the victim of identity theft when tax returns and other financial information were stolen from his storage device.

A Litany Of Security Failures

According to the original 2014 FTC complaint (PDF), Asus failed to protect consumers on multiple levels. For starters, Asus password protection was easy to bypass leading to reports of cross-site request forgery or cross-site scripting vulnerabilities.

At the time, some Asus customers complained that attackers changed their router security settings and modified the routers’ domain name server settings so that internet traffic could be routed to malicious malware laden sites.

A feature called AiCloud and AiDisk allowed you to plug a USB storage device into Asus routers. Asus advertised the feature as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router.” However, the FTC said because the service relied on an insecure FTP implementation that didn’t encrypt data as it traveled over the network it allowed attackers to gain unauthorized access to 12,900 Asus routers.

Also problematic to the FTC was the fact when consumers attempted to download firmware updates for their Asus routers the software erroneously indicated their firmware was up-to-date when in fact updates were available.

Troubling signs for Asus router owners trace back to 2013 when security researcher Kyle Lovett posted a threat report that Asus routers were open to remote attacks because of vulnerabilities in the AiCloud service bundled with the hardware. Soon after, things went from bad to worse for Asus. In February 2014, an unknown hacker saved a text file to thousands of Asus router owners that read in part: “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.”