Feds spank Asus with 20-year audit probe for router security blunder
One crappy vendor down, who's next?
Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw.
The case arose in February 2014, when miscreants used an easily exploitable flaw in Asus's home router line to take control of 12,900 systems in the US. An investigation by the FTC found a catalog of serious security failures in the company's firmware and some very dodgy practices when it came to updates.
"The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection. "Routers play a key role in securing those home networks, so it's critical that companies like ASUS put reasonable security in place to protect consumers and their personal information."
The FTC found [PDF] that Asus billed the routers as having security code that would "protect computers from any unauthorized access, hacking, and virus attacks" and "protect [the] local network against attacks from hackers." In practice, however, the router's code was riddled with flaws that were easy to find.
Investigators found that a "pervasive security bug" in the router would allow an attacker to disable security settings remotely via a web-based control panel. Another researcher found that every router shipped with the default username and password both set to "admin," which is the first thing an attacker would try.
The FTC took particular issue with the AiCloud and AiDisk services offered by Asus. With AiCloud, owners could plug a USB hard drive into their router and use it as a mini cloud storage device – but so, it seems, could everyone else.
If an attacker got hold of a target's IP address, they could bypass the AiCloud security authorization screen by fiddling about with the URL used to access the drive. Man-in-the-middle attacks were also easy against AiCloud, since login details were transmitted in plaintext.
Asus first got complaints about this in June 2014, but didn't give customers any response when they asked for a workaround. When Asus issued a patch the following month, it didn't tell customers to upgrade their firmware for another eight months.
The AiDisk service also allowed access to USB devices attached to the router, but this time via FTP. The default setting for this was "limitless access rights," meaning less-savvy users inadvertently made the contents of the storage device available to anyone online provided they knew the right IP address.
If customers did want to lock down their data, Asus suggested they use weak credentials, with the username and password both set to "family" as the default option. Again, login credentials were sent in plaintext.
In July 2013, a researcher contacted Asus to tell them that over 25,000 AiDisk devices were available online, and in January 2014 various media outlets picked up the story. But Asus only moved to change the default settings after a large retail buyer complained about the issue, and even then didn't let customers know until February.
That's not to say that upgrading the firmware was easy. The router's management console has a "check for upgrades" button, but the FTC investigation found that it was worse than useless. This was because Asus wasn't setting up the upgrade server properly, so that in many cases customers would check for upgrades and be told there were none, even though there was new code available.
In addition, it emerged that Asus didn't conduct any penetration testing of its firmware and lacked basic security systems like a time-out feature that would have blocked brute force password attacks.
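For illustration, here is the kind of time-out the FTC said the firmware lacked, written as an added example rather than anything from Asus's code: a hypothetical login guard that refuses to keep the "admin"/"admin" and "family"/"family" factory defaults described above, compares credentials in constant time, and locks a source address out for a doubling period after repeated failures. The class name, thresholds and the injectable clock are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Factory defaults the article describes: "admin"/"admin" on the router console
# and "family"/"family" on AiDisk. List constructed for this example.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("family", "family")}

MAX_FAILURES = 5         # failed attempts from one source before a lockout
LOCKOUT_SECONDS = 60.0   # first lockout length; doubles on each repeat

class LoginGuard:
    """Hypothetical router login front-end with a brute-force time-out."""
    def __init__(self, username, password, clock=time.monotonic):
        if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
            raise ValueError("factory-default credentials must be changed")
        self._user = username.encode()
        self._salt = os.urandom(16)
        self._digest = self._hash(password)
        self._clock = clock          # injectable so tests can fake time
        self._failures = {}      # source address -> consecutive failures
        self._locked_until = {}  # source address -> lockout deadline
        self._lockouts = {}      # source address -> lockouts so far

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def attempt(self, source, username, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self._clock()
        if now < self._locked_until.get(source, 0.0):
            return "locked"          # time-out in force: do not even check
        # Constant-time compares on both fields, no short-circuit, so the
        # response time does not reveal which half was wrong.
        user_ok = hmac.compare_digest(username.encode(), self._user)
        pass_ok = hmac.compare_digest(self._hash(password), self._digest)
        if user_ok & pass_ok:
            self._failures.pop(source, None)
            return "ok"
        failures = self._failures.get(source, 0) + 1
        if failures < MAX_FAILURES:
            self._failures[source] = failures
            return "denied"
        # Threshold reached: start a lockout that doubles with each repeat.
        n = self._lockouts.get(source, 0)
        self._lockouts[source] = n + 1
        self._locked_until[source] = now + LOCKOUT_SECONDS * (2 ** n)
        self._failures[source] = 0
        return "denied"
```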
As a result, hackers had a field day. In February 2014, a hacking team used free tools to scan for Asus router IP addresses and found 12,937 vulnerable bits of kit and slurped the login credentials for 3,131 AiCloud accounts before posting them online.
To settle the case, Asus now has to hire independent security testers to run a full audit of its router's firmware, and call them back in every two years for the next two decades to audit what the company is doing with its firmware.
It also must get in contact with existing customers to tell them about the need for firmware upgrades and to tell them about bug fixes within 30 days of them becoming available. If it violates this, the firm will have to pay $16,000 for every instance where it fails in the future.
All this is bad news for Asus, but other router manufacturers may also be in the FTC's firing line. It's clear Asus is not the only company making routers with lousy security, and the agency is likely to be investigating them too. ®