Asus Must Hike Router Security: FTC
Wednesday, February 24, 2016 @ 12:02 PM gHale
As the Internet of Things (IoT) continues its growth curve, the Federal Trade Commission (FTC) wants to make sure products remain secure.
That is why they settled a complaint against Taiwan-based hardware maker ASUSTeK Computer.
The complaint came about after hackers exploited a weakness on Asus routers and left a note on victims’ drives notifying them of the matter. After that, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers’ DNS servers.
The FTC complaint said ASUS:
• Didn’t take reasonable steps to secure the software on its routers
• Incorporated design flaws that compounded the effect of vulnerabilities
• Advertised its AiCloud and AiDisk as secure cloud storage even though they sported vulnerabilities that made them patently insecure
• Did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers or about the availability of security updates.
According to the settlement, the company will have to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
They will also have to notify consumers about software updates and protective steps they can take, and will have to provide consumers with the option to receive these notices promptly and directly via email, text message, or push notification.
“The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software,” the FTC said.
Along with the details of the settlement, the FTC has also published a set of recommendations for Asus router owners, to help them to secure their devices.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
This past summer an appellate court ruled the FTC has the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures.
While the ruling was the result of a legal complaint and lawsuit by the FTC against Wyndham Hotels for failing to protect customer details, the effects could end up being felt in the manufacturing automation sector along with other industries where companies blatantly ignore security safeguards.
The decision from the Third U.S. Circuit Court of Appeals is a legal confirmation of the FTC’s power over cyber security issues, and not “government overreach” as Wyndham claimed.