Asus faces 20 years of audits over misleading router security claims

Taiwan computer maker Asus must undergo independent security audits for the next 20 years as part of a settlement over the sale of insecure routers.

Difficult-to-patch routers are the classic example of what can go wrong with the Internet of Things. Now, following a settlement with the US Federal Trade Commission, ASUS is an example of what vendors may face for claiming networking equipment can protect consumers from hackers while failing to take reasonable steps to secure its software.

The FTC's complaint alleges that ASUS did not address security flaws in its routers in a timely fashion and failed to tell customers about the risks those vulnerabilities exposed them to.

The settlement covers routers produced by ASUS, any other ASUS device whose primary purpose is connecting client devices to a network, and any related management software.

The FTC's complaint against ASUS touches nearly every category of IoT security failure the regulator has identified in its past workshops: built-in security measures or "security by design", authentication, encryption of data at rest and in transit, security leadership, the use of default passwords, and "product expiration dates", meaning the period for which a vendor guarantees to supply patches.

The regulator highlighted that it took issue with ASUS because routers are gateways to other networked devices in the home, but also hinted it is closely watching for violations among all Internet of Things device manufacturers.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.

“Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

The FTC's complaint covers a number of security failures by ASUS discovered since 2014, including that it used the same default login credentials on every router: "admin" for both username and password. It also accused ASUS of falsely claiming its personal cloud products AiCloud and AiDisk were secure when they in fact suffered from an authentication bypass flaw and a password disclosure bug.

It also notes that researchers had discovered attacks in April 2015 that exploited flaws in the web interface of its routers, allowing attackers to take control of the device's web traffic.

While ASUS's failures are noteworthy, the more interesting part is the set of actions it will be required to take as a result of the settlement, and the signal that sends to the industry.

The order covers how ASUS represents security claims to the public, how it manages the security of its products internally, third-party audits, and how it communicates that a software update is available.

First, ASUS must not misrepresent the extent to which it can secure its products, nor exaggerate the extent to which consumers can use a device to secure their network. ASUS also must not misrepresent that a device is running up-to-date software.


Second, ASUS must establish a security program to address risks during the development of a product and throughout its subsequent maintenance. This includes designating an employee responsible for the program, who must identify material internal and external risks that could lead to a product being compromised, and assess the safeguards in place to control those risks.

Third, ASUS must engage a qualified security professional to audit its products every two years for the next 20 years.

Fourth, ASUS will be required to notify customers when a software update is available and, if one is not, how to mitigate a security flaw. As part of this component, ASUS must also give consumers an opportunity to register an email address or other information

The order will not be made final until the completion of a 30-day period for public comment.

The action against ASUS follows a similar settlement with Oracle over its patching of Java and claims that it misled consumers about the security of that product.

Stories by Liam Tung