The FTC has cautioned that a recent settlement holds lessons for companies involved in the Internet of Things. The settlement, announced on Tuesday, was reached with hardware manufacturer ASUS over concerns that its router products carried certain security vulnerabilities. Notably, in addition to alleging that ASUS’s actions violated promises to consumers, the FTC alleged that these actions were also “unfair” because they failed to implement reasonable security standards. As part of the Consent Order, ASUS agreed to implement a comprehensive security program that will be audited for 20 years, to cease all misrepresentations regarding its products’ security, and to clearly and conspicuously inform consumers about software updates or other steps they can take to protect themselves from security flaws.
The FTC first filed its Complaint against ASUS following a series of high-profile security incidents in which hackers placed a text file on thousands of users’ ASUS devices, informing the users that: “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” According to the FTC, ASUS allegedly knew about the underlying vulnerability several months before this incident after being warned repeatedly by a security researcher, but did not adequately notify consumers even after an update was available. Further, the ASUS self-updating software allegedly told some consumers with out-of-date software that their software was already up-to-date, preventing them from downloading the patch to fix this and other vulnerabilities.
This was not the only critical security flaw described in the FTC’s Complaint. The FTC also alleged that the routers’ firmware and administrative consoles contained vulnerabilities that allowed attackers to gain unauthorized administrative control. Attackers allegedly exploited this vulnerability to, among other things, redirect users’ web traffic to malicious websites. According to the Complaint, although these attacks were well-known in the industry and to the company specifically, ASUS allegedly failed to perform any pre-release testing or implement known low-cost measures to protect its users.
Second, ASUS offers a cloud storage solution called AiCloud, marketed as a “private personal cloud for selective file sharing.” While this feature was purported to be password protected, using only the routers’ IP address, attackers could exploit a security flaw and remotely access files on the AiCloud service. Further, the attackers could recover customers’ router login credentials as plain text, enabling the attacker to alter the router’s settings as described above.
Third, ASUS offered another feature called AiDisk, which allowed users to plug USB devices into their routers to create a remotely accessible storage solution. The feature was marketed as a way to “safely secure and access your treasured data through your router.” Yet the FTC alleged that the service ran over FTP, which does not support encryption of data in transit, and the default option during setup was to allow “limitless access rights.” The setup process allegedly failed to explain to users that under this default setting, the contents of the users files would be accessible by anyone over the internet without a password. Even if the consumer changed the default to set limited access, the AiDisk setup process recommended that the consumer choose weak login credentials, such as the preset username “Family” and password “Family.” Consumers complained to the FTC that some information stored via AiDisk was indexed by search engines and even used to commit identity theft.
In a statement accompanying the settlement announcement, the FTC analogized the router to the “Grand Central Station” for the technology underlying the Internet of Things, and thus emphasized the importance of ensuring that these and other devices follow reasonable security guidelines. The FTC pointed interested businesses to its guide “Careful Connections: Building Security on the Internet of Things,” which we have previously covered on Inside Privacy.