On Tuesday, FTC settled charges with Asus, where the hardware manufacturing company agrees to:
Undergo Independent Security Audits Once in 2 years, for the Next 2 Decades.
This action had been taken as the result of security negligence in Asus Wireless Routers that put the home and corporate networks of hundreds of thousands of consumers at risk.
If Asus is found to violate the agreement, the company could end up paying a civil penalty of up to $16,000 for each violation.
Asus Router Security Blunders
Since Asus markets its products under the label of Secure and Intelligent routers through its website, following flaws would splash its level of security and intelligence.
1. Default Username & Password: ADMIN
In 2014, a serious security issue had been brought to the public regarding the default password of Asus products. It was discovered that Asus had been shipping their routers with both Username and Password fields with "default" as preset.
Even a script kiddie with this predictable credential could gain the unauthorized access to any router and hack into victim’s network. In 2014, many Asus routers were compromised in such a manner.
Additionally, Asus did not bother to notify its customers to change the default usernames and passwords in order to maintain the security and privacy of their network.
2. Easily Hackable Router Admin Panel
During the investigation, the FTC uncovered that nearly all the security measures taken by Asus had been dodged.
One of the prevalent security vulnerability uncovered that allowed hackers to gain the admin panel and disable the security settings via the web interface.
3. Asus AiCloud & AiDisk Vulnerable to Remote Hacking
"Security Negligence" episodes of Asus are not yet over.
The cloud service offered by Asus named AiCloud and AiDisk also suffered from the critical vulnerabilities that allowed an attacker to access your Hard Disk remotely from any part of the world, resulting in complete system compromise.
AiCloud offers the customer to browse through the files (in a cloud) that facilitate users to use it as a mini-cloud after plugging the USB Hard drive into the router.
Man-in-the-Middle (MITM) attacks were easy to get executed in between because the login details were unencrypted during the transmission.
The issue had been reported back in January 2014, but ASUS did not advise its users to upgrade their firmware after patching up the vulnerability, which shows the clear case of negligence.
4. 'Check for Upgrades' is an Illusion
Regular updates are usually a vulnerability killer in all aspects. But it is different in the case of Asus.
According to the collective reports, FTC found that the button named "Check for Upgrades" is just a dummy without any special functions embedded.
It is believed that the administrators did not import the latest patches into the Upgrade database; making it available for its users via push; whenever a user scans for any notifications.
In short, hackers are licensed to mess with the security features of any Asus routers; hence after making an ice cake entry to the filthy admin policies of Asus Routers.
The FTC isn't just unhappy about ASUS's bogus security claims, but it’s also unhappy with the company's response time.
All the complaints under a nutshell are enough to figure out the laxity in security measures taken by Asus.
Internet of Thing (IoT) Devices at Risk
This situation of hallucinated security would become even worse when Internet of Thing (IoT) devices are compromised. Since routers are the gateway to the IoT devices, an attacker could easily execute the self-defined commands to those devices.
Jessica Rich, Director of the FTC's Bureau of Consumer Protection, says:
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks. Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information"
Asus made it very clear to follow the right path: To notify the users whenever any update is available and also provide appropriate instructions to protect its users.
The disclosure of these silly vulnerabilities is just an eye-opener for other Router vendors to buckle up the security of themselves as well as their customers.