In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.
The message read, “This is an automated message being sent out to everyone affected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The anonymous sender then urged readers to visit a site that explained more about the router vulnerability.
On Tuesday, the US FTC settled charges alleging that the hardware manufacturer failed to protect consumers as required under federal law. The complaint said the 2014 mass compromise was caused by vulnerabilities that let attackers log into routers remotely and, depending on the user's configuration, access files stored on connected devices or change security settings.
The settlement resolves that complaint. Under the agreement, Asus must maintain a comprehensive security program that will be subject to independent audits over the next 20 years.
The action should serve as a wake-up call not only for router makers but for the entire industry behind the current wave of adding Internet connectivity to watches, refrigerators, and a host of other everyday devices. Over the last couple of years, researchers have exposed a series of security defects that make it possible for attackers to hijack these devices remotely.
Attackers can often use that foothold to install malicious code or to quietly monitor the owner's comings and goings. Thirty days after the warning message was delivered to Asus users, researchers uncovered proof that over 300,000 home and small-office routers manufactured by TP-Link, Micronet, D-Link, Tenda, and others had been compromised.
Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, “The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it’s critical that companies like Asus put reasonable security in place to protect consumers and their personal information.”
Asus password protection was weak
According to the complaint, Asus's password protection was easy to bypass, either by exploiting cross-site scripting or cross-site request forgery vulnerabilities, or by requesting from a vulnerable router a URL that should have been reachable only after credentials were entered.
FTC attorneys also challenged the password advice in Asus manuals, which in one case told users that secure files on the router could be accessed using the username “family” and the password “family.”
The files were available through the AiDisk and AiCloud services, which let users plug a hard drive into the router to make its files available to other connected devices. Asus marketed the service as a safe, secure, private personal cloud for selective file sharing through the router, without warning that the services had easy-to-exploit vulnerabilities. AiDisk relied on an implementation of the File Transfer Protocol that did not encrypt data as it travelled across the network.
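To make the complaint's first two points concrete, the following is an added, hypothetical illustration written for this article; it is not Asus firmware code and is not taken from the FTC complaint. It models a tiny router admin web dispatcher in Python: the "vulnerable" version only handles credentials on the login page, so any other URL (here a made-up /admin/settings path) is served to whoever requests it and accepts setting changes from any origin; the "hardened" version enforces authentication centrally for every non-public path and requires a per-session CSRF token on state-changing requests. A small credential-policy check that refuses documented default pairs such as "family"/"family" is included for the manual-advice point. Route names, the session store, the default-credential list and the sample requests are all constructed for the example.

```python
"""Added illustration (not Asus code, not from the FTC complaint): a toy
router admin dispatcher with the two web weaknesses described above,
beside a hardened version. All names and sample inputs are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Paths that may be served without a logged-in session (hypothetical).
PUBLIC_PATHS = {"/login"}
# Constructed list of well-known default credential pairs to refuse.
KNOWN_DEFAULTS = {("family", "family"), ("admin", "admin")}


@dataclass
class Request:
    path: str
    method: str = "GET"
    session: Optional[str] = None
    form: Dict[str, str] = field(default_factory=dict)


class Sessions:
    """In-memory session store; each session carries its own CSRF token."""

    def __init__(self) -> None:
        self._csrf: Dict[str, str] = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)
        self._csrf[sid] = secrets.token_hex(16)
        return sid

    def valid(self, sid: Optional[str]) -> bool:
        return sid is not None and sid in self._csrf

    def csrf_token(self, sid: Optional[str]) -> str:
        return self._csrf.get(sid or "", "")


def _serve(req: Request) -> Tuple[int, str]:
    # Application logic shared by both dispatchers (hypothetical routes).
    if req.path == "/login":
        return 200, "login form"
    if req.path == "/admin/settings":
        if req.method == "POST":
            return 200, "remote admin set to " + req.form.get("remote_admin", "")
        return 200, "settings page"
    return 404, "not found"


def vulnerable_dispatch(req: Request, sessions: Sessions) -> Tuple[int, str]:
    # Weakness: only the login page deals with credentials. Every other path is
    # served as-is, so a direct request for /admin/settings needs no login, and
    # a POST arriving from any origin changes settings (no CSRF protection).
    return _serve(req)


def hardened_dispatch(req: Request, sessions: Sessions) -> Tuple[int, str]:
    # Fix 1: authentication is enforced centrally for every non-public path,
    # so no URL is reachable just by knowing it.
    if req.path not in PUBLIC_PATHS and not sessions.valid(req.session):
        return 401, "authentication required"
    # Fix 2: state-changing requests must carry the per-session CSRF token,
    # which a cross-site page cannot read; compare in constant time.
    if req.method == "POST":
        expected = sessions.csrf_token(req.session).encode()
        supplied = req.form.get("csrf", "").encode()
        if not expected or not hmac.compare_digest(expected, supplied):
            return 403, "missing or invalid CSRF token"
    return _serve(req)


def credentials_acceptable(username: str, password: str) -> bool:
    """Refuse documented defaults, trivially short passwords, and passwords
    equal to the username (the 'family'/'family' pattern)."""
    if (username.lower(), password.lower()) in KNOWN_DEFAULTS:
        return False
    if password.lower() == username.lower() or len(password) < 8:
        return False
    return True


if __name__ == "__main__":
    store = Sessions()
    sid = store.create()
    print(vulnerable_dispatch(Request("/admin/settings"), store))  # status 200
    print(hardened_dispatch(Request("/admin/settings"), store))  # status 401
    post = Request("/admin/settings", "POST", sid, {"remote_admin": "on"})
    print(hardened_dispatch(post, store))  # status 403
    post.form["csrf"] = store.csrf_token(sid)
    print(hardened_dispatch(post, store))  # status 200
    print(credentials_acceptable("family", "family"))  # False
```

The design point is that both fixes live in one place ahead of the application routes, rather than in each page handler: a central check cannot be forgotten on a newly added URL, and the CSRF token is bound to the session so that a forged cross-site request, which carries the victim's cookies but not the token, is rejected before any setting is touched.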
The FTC complaint said that Asus failed to perform penetration tests on its products to determine whether they were vulnerable to common Internet attacks. Tuesday's settlement should serve as a reminder to all device makers to secure their products.