ASUS has agreed to rectify issues identified by the FTC and do its best to contact its router users. Its resolve will be tested as the FTC requires it to have biennial assessments from a 'qualified, objective, independent third-party professional' for twenty years - without which it won't be permitted to sell its networking products into the US.
The FTC's findings highlight a number of ASUS design flaws that exacerbated these vulnerabilities, including:
- It set the same default passwords for every model of router and allowed consumers to retain them
- It ignored vulnerability reports received from security researchers
- It did not notify customers when security patches were available
- Hackers could easily exploit a number of ‘bugs’ to access users' web-based control panels and change their security settings
- During attempts to download firmware updates the software erroneously indicated that firmware was up-to-date when it was not
- The AiDisk service allowed FTP access to USB storage devices attached to the router
- The AiCloud service was insecure, could be accessed by other devices and gave a backdoor into the router
But this has deeper and more ominous implications – read on.
iTWire makes it clear that this is a US case and is not aware of any such case in Australia. It also makes the point that this could be the tip of the iceberg for all router makers – especially consumer and SOHO routers – and that all IoT device makers need to understand that consumer privacy and security are as important as enterprise security.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.” The statement is here.
According to a 2014 report by Team Cymru, over 300,000 consumer and SOHO routers in Europe and Asia had been compromised as part of a hacking campaign and became part of a massive botnet. These routers were made by a large number of makers including TP-Link, D-Link, Micronet, Tenda and others. Another maker, Linksys, had a ‘worm’ attack its firmware via a Home Network Administration Protocol (HNAP) hack.
Many used the same underlying processors and architecture, simply overlaying their own user interface. Web-based administration interfaces were highly susceptible to brute force hacking, but in the vast majority of cases router administration and login passwords had been left at default settings. Many also suffered from a ROM-0 vulnerability in the underlying ZyXEL ZynOS operating system.
The only way a user would know was if their data usage had inexplicably increased over normal levels.
iTWire also makes it clear that the ASUS routers in question were circa 2014, but it has no specific knowledge of whether such vulnerabilities still exist in ASUS or other consumer or SOHO routers.
However, in recent tests on D-Link, NetGear and ASUS Wi-Fi AC routers (all using similar hardware and processors), the setup required administration logins and passwords to be changed from the defaults, removing that method of access.
Today iTWire blew the cobwebs off some older N series routers circa 2014-15, and none required such changes – these are very dangerous and users of any brand router should change administrator and user passwords immediately.