Asus lawsuit puts entire industry on notice over shoddy router security

In February 2014, thousands of Asus router owners found a disturbing text file saved to their devices.

"This is an automated message being sent out to everyone effected [sic]," the message read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection." The anonymous sender then urged the readers to visit a site that explained more about the router vulnerability.

On Tuesday, the US Federal Trade Commission settled charges that alleged the hardware manufacturer failed to protect consumers as required by federal law. The settlement resolves a complaint that said the 2014 mass compromise was the result of vulnerabilities that allowed attackers to remotely log in to routers and, depending on user configurations, change security settings or access files stored on connected devices. Under the agreement, Asus will maintain a comprehensive security program subject to independent audits for the next 20 years.

Wake-up call

The action should serve as a wake-up call, not just for other router makers, but entire industries tied to the so-called Internet of Things wave that's adding Internet connectivity to refrigerators, watches, and other everyday devices. Over the past few years, researchers have uncovered a litany of security defects that make it possible for such devices to be remotely hijacked by attackers. Often, the hackers can use their position to install malicious code on the devices or to surreptitiously monitor the comings and goings of the owners. A month after Asus users received the ominous message, researchers uncovered evidence that more than 300,000 home and small-office routers made by D-Link, Micronet, Tenda, TP-Link, and others had been compromised.

"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks, Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement. "Routers play a key role in securing those home networks, so it's critical that companies like Asus put reasonable security in place to protect consumers and their personal information."

According to the complaint, Asus password protection was often easy to bypass, either by supplying a vulnerable router with a special URL that was supposed to be accessed only after credentials were entered or by exploiting cross-site request forgery or cross-site scripting vulnerabilities. FTC attorneys also challenged password advice provided in Asus manuals, which in one case suggested users secure files accessible on a router with the user name of "family" and an identical password.

The files were available through services called AiCloud and AiDisk. They allowed users to plug a hard drive into the router to make files accessible to other connected devices. Asus marketed the services as a "private personal cloud for selective file sharing" and a way to "safely secure and access your treasured data through your router" even though the services had easy-to-exploit vulnerabilities. What's more, in the case of AiDisk, the service relied on a file transfer protocol implementation that didn't encrypt data as it traveled over the network.

According to the FTC, the vulnerabilities allowed attackers to gain unauthorized access to 12,900 Asus routers in February 2014. At least one user whose router was hacked reported being the victim of identity fraud after hackers accessed personal data attached to the device, the complaint alleged. During the previously mentioned hack a month later that compromised 300,000 routers from other manufacturers, the attackers used their access to change security settings. One such change included modifying routers' domain name server settings that translate human-friendly domain names into the numerical IP addresses used by computers. Such changes can cause connected computers to visit malicious imposter sites that steal passwords or install malware rather than the official destination created by the site owner.

The FTC complaint said Asus failed to perform penetration tests on its products to test if they were vulnerable to common attacks on the Internet. It's almost certainly the case that scores or even hundreds of Asus competitors make the same omissions. Tuesday's settlement should serve as a wake-up call for all of them to secure their devices or face decades of federal oversight.