Taiwan-based Asustek Computer, or Asus, will be subject to 20 years of independent security audits, as part of a settlement it has reached with US Federal Trade Commission (FTC).
According to an announcement that was made on February 23, the settlement addresses security vulnerabilities and negligent practices related to Asus routers and accompanying services. According to the FTC, critical security flaws in Asus routers put the home networks of “hundreds of thousands” of consumers at risk.
The consent agreement is a 12-page document that comprises of everything that Asus will be doing for the next 20 years. “The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in Feb. 23 statement. “Routers play a key role in securing those home networks, so it’s critical that companies like Asus put reasonable security in place to protect consumers and their personal information.“.
The complaint that is not dated at the moment was filed against Asus. In that the FTC alleges, among other things:
- An Asus design flaw allowed consumers to continue to use default login credentials — username: admin, password: admin — that was the same on all of its routers.
- Asus didn’t notify consumers about available security updates. Often, it told consumers that their router software was up to date when a critical security update was available.
- Asus offered services called AiCloud and AiDisk that allowed consumers to create their so-called own private cloud storage, available from any device, by plugging in a USB drive. But the services included “multiple vulnerabilities that would allow attackers to gain unauthorized access to consumers’ files and router login credentials.”
- A password vulnerability in the AiCloud application made it possible for hackers to retrieve users’ login credentials and modify router settings, leaving users vulnerable to cross-site request forgery (CSRF). Moreover, Asus didn’t implement “well-known, low-cost measures to protect against them, such as anti-CSRF tokens … which allow a server to reject forged requests sent by attackers.”