The router is the hub of home technology. It manages the connections among all the smart devices in the home, from the computer in the den and the tablet on the coffee table to the smart thermostat on the wall and the connected baby monitor in the nursery. Consumers expect the router to be a limited-access highway, securely forwarding their data while blocking unauthorized traffic. But the Federal Trade Commission's complaint against tech giant ASUSTeK Computer, Inc., known to most as ASUS, charges that the company's failure to secure the routers and "cloud" services it sells to consumers was unfair and deceptive. The case also offers insights for other businesses entering the Internet of Things (IoT).
How ASUS promotes its products. ASUS claimed that its routers had numerous security features that could "protect computers from any unauthorized access, hacking, and virus attacks" and "protect [the] local network against attacks from hackers." But according to the FTC, ASUS's routers didn't live up to those promises. What's more, the routers include services called AiCloud and AiDisk, which let consumers plug a USB hard drive into the router to create their own "cloud" storage that can be reached from any device, a central storage hub for the smart home. ASUS promoted these services as a "private personal cloud for selective file sharing" and a way to "securely protect and access your precious data through the router," but the FTC alleges they were not secure at all.
What's wrong with the ASUS routers? Although routers play a vital role in protecting home networks, the FTC alleges that ASUS did not take basic steps to secure the software on its routers. For example, consumers manage their routers, including those security features, through a web-based interface the complaint calls the management console. By exploiting common security holes in that console, an attacker could change the router's security settings, turn off the router's firewall, enable public access to the consumer's "cloud" storage, or configure the router to redirect consumers to malicious websites. In fact, an exploit campaign that specifically targeted numerous ASUS router models did just that, reconfiguring vulnerable routers so that attackers could take control of consumers' web traffic. As the complaint alleges, instead of protecting consumers' home networks, ASUS's routers let attackers wreak havoc on them.
ASUS's insecure "cloud" services. ASUS's "cloud" storage services weren't secure either. According to the FTC, anyone who knew the router's IP address (a walk in the park for a hacker) could bypass the AiCloud login screen and reach a consumer's storage device without any credentials, leaving the consumer's documents exposed online. AiDisk didn't fare much better. The FTC challenged the service because it relied on an insecure protocol, had a confusing setup process, and shipped with unsafe default settings. For example, when a consumer turned the service on, by default it gave unauthenticated access to every file on the consumer's storage device to anyone on the Internet. To make matters worse, the setup wizard didn't explain those defaults or make clear what was going on. And if a consumer tried to create a restricted account instead, the service preset everyone's login credentials to the same weak username and password (Family/Family). All of these security holes and design flaws spelled big trouble for consumers.
ASUS responded slowly and failed to notify consumers. The FTC says many of the problems could have been avoided if ASUS had followed well-known secure software design, coding, and testing practices. What's more, security researchers contacted ASUS with warnings, but it often took the company months, or even more than a year, to respond. For example, when a researcher reported his estimate that 25,000 consumers' AiDisk storage devices were publicly accessible on the Web, ASUS's response was crickets. In fact, it wasn't until a major European retailer complained that ASUS started paying attention to the issue. By then it was too late.
Even more troubling, the FTC says, ASUS failed to notify consumers when it developed security patches. The router's management console has a tool that lets people check whether their router is running the latest available firmware (the software built into the router). But as researchers warned ASUS, the upgrade tool didn't work as it should. According to the complaint, more than a year later consumers were still getting the message "The router's current firmware is the latest version" even when new firmware with critical security updates was available.
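The page doesn't say why the upgrade tool gave the wrong answer, and the example below is added here rather than taken from the complaint or from ASUS's firmware. It shows two common ways an update checker can wrongly report "latest version" (treating a failed or empty lookup as "already current", and comparing version strings as text, so that a build number like 9512 sorts above 10007), beside a checker that parses the version components numerically and reports "unknown" whenever it cannot prove anything. The model name, the version strings and the in-memory catalogue standing in for the vendor's update server are all constructed for the example.

```python
"""Firmware update check: a naive checker beside a fail-closed one.

Added example. The model name, version strings and CATALOGUE below are
constructed; nothing here is ASUS's code or ASUS's real version data.
"""
import re
from typing import Optional, Tuple

# Constructed stand-in for a vendor update server: model -> newest published build.
CATALOGUE = {
    "RT-EXAMPLE": "3.0.0.4.384_10007",
}


def fetch_latest(model: str, outage: bool = False) -> Optional[str]:
    """Simulate asking the update server. None means the lookup failed
    (server unreachable, or no entry for this model)."""
    if outage:
        return None
    return CATALOGUE.get(model)


def naive_check(installed: str, model: str, outage: bool = False) -> str:
    """Two classic defects in one function:
    1. a failed lookup (None) is reported as 'already current';
    2. versions are compared as strings, so '..._9512' >= '..._10007'."""
    latest = fetch_latest(model, outage=outage)
    if latest is None or installed >= latest:
        return "The router's current firmware is the latest version"
    return "New firmware available"


def parse_version(s: str) -> Tuple[int, ...]:
    """Split a dotted/underscored build string into integer components.
    Raises ValueError on anything that is not purely numeric components."""
    parts = re.split(r"[._]", s.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {s!r}")
    return tuple(int(p) for p in parts)


def safe_check(installed: str, model: str, outage: bool = False) -> str:
    """Fail closed: return 'current' only when a numeric comparison proves it.
    Returns 'update-available', 'current' or 'unknown'."""
    latest = fetch_latest(model, outage=outage)
    if latest is None:
        # Could not reach the server or no entry for this model: say so,
        # never claim the device is up to date.
        return "unknown"
    try:
        if parse_version(installed) < parse_version(latest):
            return "update-available"
    except ValueError:
        # Malformed data on either side is also not proof of currency.
        return "unknown"
    return "current"


if __name__ == "__main__":
    installed = "3.0.0.4.384_9512"          # constructed, older build
    for outage in (False, True):
        print(f"outage={outage}:")
        print("  naive:", naive_check(installed, "RT-EXAMPLE", outage))
        print("  safe :", safe_check(installed, "RT-EXAMPLE", outage))
```

The design point is the third return value: a checker that can only answer "current" or "update available" has no honest way to report a broken lookup, and the tempting fallback is the reassuring one. A UI that shows "unknown, try again later" is less pretty but never tells a consumer with year-old firmware that they are up to date.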
Thousands of routers compromised. The upshot is that ASUS's routers and "cloud" services left consumers' home networks and personal files at the mercy of hackers and identity thieves. You can guess what happened next. Hackers used tools to locate the IP addresses of thousands of vulnerable ASUS routers, and that's where the story gets really interesting. They exploited the AiCloud vulnerabilities and the AiDisk design flaws to gain unauthorized access to thousands of consumers' USB storage devices. But they didn't come and go quietly. They left a text file on each device that read: "This is an automated message sent to everyone effected [sic]. Anyone in the world with an internet connection can access your ASUS router (and your files)."
ASUS's security claims may have been deceptive, but one thing proved true: the hackers' warning that anyone in the world could get at consumers' routers and files. For example, one consumer reported that identity thieves used sensitive information from his USB storage device, including tax returns and other financial records, to make unauthorized charges and steal his identity. Others complained that a major search engine had indexed personal files exposed by their vulnerable ASUS routers, making them searchable online.
The FTC complaint. The complaint alleges that three of ASUS's claims were false or misleading: that it took reasonable steps to ensure its routers protected consumers' local networks from attack, that AiCloud and AiDisk were secure ways for people to access sensitive information, and that its firmware upgrade tool was accurate. The complaint also alleges that ASUS unfairly failed to take reasonable steps to secure its router software.
How ASUS will change. The proposed order includes the security provisions that have become standard in FTC settlements, but there's more. ASUS must notify consumers when software updates or other steps are available to protect them from security vulnerabilities. Importantly, the settlement makes clear that posting a notice on its website alone won't cut it. (Who regularly visits a router manufacturer's website?) In addition, the proposed order requires ASUS to give consumers a way to sign up for security notices through direct channels such as email, SMS, or push notifications. In the Internet of Things, where consumers often "set it and forget it," that kind of direct communication can be a key tool for keeping consumers informed. You can file a comment on the settlement until March 24, 2016.
If your company is in the IoT business, the case offers six tips for connecting carefully.
- Start with security. While ASUS's routers suffered from many classic vulnerabilities, AiDisk's problems went beyond bugs or glitches. According to the complaint, the service was insecure from the start: the company chose an insecure protocol, and its user interface was confusing and unsafe. Yes, you want to get your product to market as quickly as possible, but take the time to design for security from the beginning. That's an especially important consideration in the Internet of Things, where the insecure design of one product can affect multiple connected devices.
- Design your products through the eyes of your customers. If you sell connected home products, your customers may range from novices to professionals. How do developers communicate with people at both ends? It's a point worth considering. Less tech-savvy consumers often complain that products are too complicated. But have you ever heard experienced users complain that an interface is too clear or too direct?
- Make it easy for people to choose secure options from the start. Pay special attention to the security implications of default settings and setup procedures. Consumers frustrated by a maze of complicated screens may configure their devices incorrectly or may simply stick with the out-of-the-box options. That's why defaulting a system to "open" or insecure, as AiDisk did, is dangerous. Customizable features for the tech-savvy are great, but smart developers make the secure setting the default.
- Heed security warnings. In a number of recent cases, the FTC has noted that companies failed to act on credible alerts about potential product vulnerabilities. When a security issue is brought to your attention, it's wiser to investigate and, if the report checks out, fix it and let your customers know right away.
- Think carefully about how you'll let consumers know about fixes. Suppose someone finds a problem and you develop a patch to solve it. That's an important first step, but the job isn't done. A security patch is only effective if customers install it. Forward-thinking developers plan in advance for the challenge of getting the word out once a fix is available.
- Learn from other FTC cases. There is no one-size-fits-all formula for starting with security. But each data security complaint offers lessons about practices that can lead to trouble. Paragraph 30 of the ASUS complaint lists dozens of them, including weak default login credentials, choosing insecure protocols when more secure ones were available, skipping industry-standard testing, and failing to implement low-cost protections against well-known vulnerabilities.
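As an added example (not ASUS's code or configuration, and not taken from the complaint), the script below turns the AiDisk description above and the secure-defaults tip in this list into a concrete check. The configuration keys (share_enable, share_protocol, share_anonymous, share_wan_access, share_accounts) and the sample values are invented for the example; the page only says AiDisk relied on "an insecure protocol", so naming it FTP here is an assumption. audit() flags the defaults the complaint criticizes (unauthenticated access to everything on the drive, a plaintext protocol reachable from the Internet, and the fixed Family/Family credentials shared by every account), and harden() produces the defaults a developer should ship instead: no anonymous access, LAN-only until the owner opts in, and a random per-device password for each account rather than one shared default.

```python
"""Audit a file-sharing configuration for insecure defaults, then harden it.

Added example. The key names and SAMPLE_CONFIG are invented for illustration;
they are not ASUS settings and "ftp" as the protocol is an assumption.
"""
import secrets
from typing import Dict, List, Tuple

PLAINTEXT_PROTOCOLS = {"ftp", "http", "smb1"}     # no transport encryption
KNOWN_DEFAULTS = {"family", "admin", "password"}  # "Family" is the default named on the page

# Constructed sample: the kind of out-of-the-box settings the complaint describes.
SAMPLE_CONFIG = """
# constructed sample, not a real router's settings
share_enable=1
share_protocol=ftp
share_anonymous=1
share_wan_access=1
share_accounts=Family:Family;guest:Family
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse simple key=value lines; blank lines and # comments are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def parse_accounts(spec: str) -> List[Tuple[str, str]]:
    """'user:password;user2:password2' -> [(user, password), ...]"""
    return [tuple(acct.split(":", 1)) for acct in spec.split(";") if ":" in acct]


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per insecure default; an empty list means clean."""
    findings: List[str] = []
    if cfg.get("share_enable") != "1":
        return findings                     # nothing exposed if sharing is off
    if cfg.get("share_anonymous") == "1":
        findings.append("anonymous access: every file on the drive is readable without credentials")
    proto = cfg.get("share_protocol", "").lower()
    if cfg.get("share_wan_access") == "1" and proto in PLAINTEXT_PROTOCOLS:
        findings.append(f"{proto} exposed to the Internet without transport encryption")
    accounts = parse_accounts(cfg.get("share_accounts", ""))
    for user, password in accounts:
        if password.lower() in KNOWN_DEFAULTS or password.lower() == user.lower():
            findings.append(f"account {user!r}: known or username-derived default password")
    if len(accounts) > 1 and len({pw for _, pw in accounts}) == 1:
        findings.append("all accounts share one password")
    return findings


def harden(cfg: Dict[str, str]) -> Dict[str, str]:
    """Copy of cfg with secure-by-default settings: no anonymous access,
    LAN-only until the owner opts in, and a random per-device password
    for every account instead of a shared factory default."""
    out = dict(cfg)
    out["share_anonymous"] = "0"
    out["share_wan_access"] = "0"
    fixed = [f"{user}:{secrets.token_urlsafe(12)}"
             for user, _ in parse_accounts(cfg.get("share_accounts", ""))]
    out["share_accounts"] = ";".join(fixed)
    return out


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("FINDING:", finding)
    print("after harden():", audit(harden(cfg)) or "no findings")
```

The generated passwords would, on a real device, be printed on the unit's label or shown once in the setup wizard, so that "secure by default" does not become "unusable by default"; the point is that the per-device secret exists before the consumer ever sees the confusing screen, instead of a fixed value shared by every unit sold.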
Looking for more tips? Read Careful Connections: Building Security in the Internet of Things.