The Federal Trade Commission (FTC) is actively trying to make sure that companies secure the software and devices that they provide to consumers, and Tuesday’s settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal.
The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left a note on victims’ drives notifying them of the matter. Later, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers’ DNS servers.
The FTC complaint alleges that ASUS:
- Didn’t take reasonable steps to secure the software on its routers
- Incorporated design flaws that compounded the effect of vulnerabilities (e.g. they allowed consumers to retain default login credentials on the router)
- Advertised its AiCloud and AiDisk as secure cloud storage even though they sported vulnerabilities that made them patently insecure (poor default privacy settings, lack of encryption of files in transit, etc.)
- Did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers or about the availability of security updates.
According to the settlement, the company will have to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years.”
They will also have to notify consumers about software updates and protective steps they can take, and will have to provide consumers with the option to receive these notices promptly and directly via email, text message, or push notification.
“The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software,” the FTC concludes.
Along with the details of the settlement, the FTC has also published a set of recommendations for Asus router owners, to help them secure their devices. US-CERT also has some good security tips on how to secure home routers.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” commented Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
Let’s hope that other IoT manufacturers will receive the same kind of attention from the FTC.