Computer company ASUS has agreed to a 20-year consent order that requires it to upgrade its security programs in response to Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.
The FTC's complaint also charges that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information on the internet.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.
For instance, the FTC said, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge.
The complaint specifies a number of other design flaws, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.
According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.
The agency said that in many cases, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers. In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates.