FTC Nails Asus for Failing Router Security

The Federal Trade Commission (FTC) and ASUSTeK Computer, Inc. have agreed to settle on beefing up home router security after critical flaws potentially affected hundreds of thousands of consumers.

Hackers could have allegedly exploited security vulnerabilities in both Asus routers and built-in cloud services for complete access to both network devices and data. Illicit router remote logins would have allowed hackers to install malicious code on household devices or monitor their traffic, potentially compromising any IoT (Internet-of-Things) device within the network.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

The settlement follows a complaint in 2014, following a mass compromise of Asus routers that enabled hackers to gain remote access to 12,900 Asus routers in February 2014, and potentially countless other connected devices.

Poor password protection and other easily exploitable vulnerabilities, such as cross-site scripting and cross-site request forgery, have made Asus routers easy targets for cybercriminals. What’s more, file transfer protocols enabled by the router allegedly broadcasted unencrypted data over the network.

The FTC’s stance claimes Asus has broken federal law by failing to protect its customers and data. The settlement forces Asus to maintain a security program and collaborate with independent testers for the next 20 years.

“The Commission issues an administrative complaint when it has ‘reason to believe’ that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest,” reads the FTC announcement. “The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”

For those of you with home routers – Asus ror not – here are a couple of tips for securing them:

• Change default login credentials to the administration console;
• Install the latest security updates and patches for your router;
• Limit access to network sharing features;
• Carefully review the router’s default settings during the set-up process.