Taiwan computer maker Asus must undergo independent security audits for the next 20 years as part of a settlement over the sale of insecure routers.
Difficult to patch routers are the classic example of what can go wrong with the Internet of Things and now, following a settlement with the US Federal Trade Commission, ASUS is an example of what vendors may face for claiming networking equipment can protect consumers from hackers when they fail to take reasonable steps to secure software.
The complaint by the FTC alleges that ASUS didn’t address security flaws in its routers in a timely fashion and failed to tell customers about the risks those vulnerabilities exposed them to.
The settlement relates specifically to routers produced by ASUS or any device whose primary purpose is connecting other client devices to a network, as well as any related management software.
The FTC’s complaint against ASUS covers nearly every aspect of IoT security failures it has identified during workshops over the past. These include in-built security measures or “security by design”, authentication, encryption of data at rest and in transit, security leadership, the use of default passwords, and “product expiration dates” defined by the timeframe patches are guaranteed by a provider.
The regulator highlighted that it took issue with ASUS because routers are gateways to other networked devices in the home, but also hinted it is closely watching for violations among all Internet of Things device manufacturers.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.
“Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
The FTC’s complaint covers a number of security failures by ASUS discovered since 2014, including that it used the same default login credentials on every router — “admin” for username and password. It also accused ASUS of falsely claiming its personal cloud products AiCloud and AiDisk were secure when they in fact suffered from an authentication bypass flaw and password disclosure bug.
It also notes that researchers had discovered attacks in April 2015 that exploited flaws in the web interface of its routes that allowed the attackers to take control of the device’s web traffic.
While ASUS’s failures are noteworthy, the more interesting part are the actions it will be required to take as a result of the settlement and the signal that sends to the industry.
The order covers how ASUS represents security claims to the public, how it manages the security of its products internally, third-party audits, and how it communicates that a software update is available.
Firstly, ASUS must not misrepresent the extent to which it can secure products, and nor can it exaggerate the extent to which consumers can use the device to secure their network. ASUS also must not misrepresent that a device is using up-to-date software.Read more: “Confusing” endpoint-security messaging obscuring privileged-account links: CyberArk
A second part requires Asus to establish a security program to address risks during the development of a product and its subsequent management. This includes designating an employee responsible for the program who should identify material internal and external risks to products if they are breached, as well as an assessment of safeguards to control these risks.
Third, ASUS must contract a qualified security professional to audit its products every second year for the next 20 years.
And fourth, ASUS will also be required to notify customers when a software update is available and if one isn’t how to mitigate a security flaw. As part of this component, ASUS must also give consumers an opportunity to register an email address or other information
The order will not be made final until the completion of a 30 day period for public comment.
The action against ASUS follows a similar settlement with Oracle over patching Java and claims that it misled consumers about the security of the product.
With data increasingly being stored in the cloud, it’s critical to be able to evaluate and manage the security of cloud solutions. Dropbox's Solutions Architect team are teaming up with the Symantec Information Protection group to discuss the latest industry best practices.
Register here for the February 25th webinar on* Managing enterprise cloud security.
Join us at the CSO Perspectives Roadshow in March.
- Hear from International keynote speakers:Robert Lentz, and Graham Cluley,
- A Security Awareness stream
- 18 different interactive Security Exchange discussions
Join CSO for a day of networking with your peers, engaging and discussing topics relevant to you, hearing from some of the top worldwide IT Security leaders in the market and attending the exhibition floor to win some amazing prizes.