Friday, 26 February 2016 10:46

ASUS settles with FTC over thousands of insecure routers

Image courtesy of Kaspersky Labs

Taiwan-based computer maker ASUS has settled a case with the US Federal Trade Commission regarding security flaws in its routers.

ASUS has agreed to rectify issues identified by the FTC and do its best to contact its router users. Its resolve will be tested as the FTC requires it to have biennial assessments from a 'qualified, objective, independent third-party professional' for twenty years - without which it won't be permitted to sell its networking products into the US.

The issues highlight a number of ASUS design flaws that exacerbated these vulnerabilities, including:

  • It set the same default passwords for every model of router and allowed consumers to retain them
  • It ignored vulnerability reports received from security researchers
  • It did not notify customers when security patches were available
  • Hackers could easily exploit a number of ‘bugs’ to access users' web-based control panels and change their security settings
  • During attempts to download firmware updates the software erroneously indicated that firmware was up-to-date when it was not
  • The AiDisk service allowed FTP access to USB devices attached to the router
  • The AiCloud service was insecure, could be accessed by other devices and gave a backdoor into the router

But this has deeper and more ominous implications – read on.

iTWire makes it clear that this is a US case and is not aware of any such case in Australia. It also makes the point that this could be the tip of the iceberg for all router makers – especially consumer and SOHO routers – and all IoT device makers need to understand that consumer privacy and security is as important as enterprise security.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.” The statement is here.

According to a 2014 report by Team Cymru, over 300,000 consumer and SOHO routers in Europe and Asia had been compromised as part of a hacking campaign and became part of a massive botnet. These routers were made by a large number of makers including TP-Link, D-Link, Micronet, Tenda and others. Another maker, Linksys, had a ‘worm’ attack its firmware via a Home Network Administration Protocol (HNAP) hack.

Many used the same underlying processors and architecture, simply overlaying their own user interface. Web-based administration interfaces were highly susceptible to brute-force attacks, but in the vast majority of cases router administration logins and passwords had simply been left at their default settings. Many also suffered from the Rom-0 vulnerability in the underlying ZyXEL ZynOS operating system.

The only way a user would know was if their data usage had inexplicably increased over normal levels.

iTWire also makes it clear that the ASUS routers in question were circa 2014, but it has no specific knowledge of whether such vulnerabilities still exist in ASUS or other consumer or SOHO routers.

However, in recent tests on D-Link, NetGear and ASUS Wi-Fi AC routers (all using similar hardware and processors), the setup process required administration logins and passwords to be changed from the defaults, closing off that method of access.

Today iTWire blew the cobwebs off some older N series routers circa 2014-15, and none required such changes – these are very dangerous and users of any brand router should change administrator and user passwords immediately.
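The difference between the older N-series units and the newer AC models above is whether first-run setup refuses to finish while the factory credentials are still in place. The following is an added example of that gate, not any vendor's setup code: it rejects the per-model default, a short list of common defaults, short passwords and passwords equal to the username, and it keeps USB-FTP and cloud-style remote services switched off unless explicitly enabled after the credentials pass. The model names, default table and service names are constructed.

```python
"""First-run setup gate: no completion while admin credentials are defaults.

Added example, not ASUS or any vendor's code. FACTORY_DEFAULTS, the model
names and REMOTE_SERVICES are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed per-model factory credentials (username, password).
FACTORY_DEFAULTS = {
    "ROUTER-N-EXAMPLE": ("admin", "admin"),
    "ROUTER-AC-EXAMPLE": ("admin", "password"),
}
# Values that should never be accepted as an admin password, whatever the model.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345", "root", ""}
MIN_LENGTH = 12

# Stand-ins for USB-FTP and cloud-sync style features; off until opted in.
REMOTE_SERVICES = ("usb_ftp", "cloud_sync")


@dataclass
class SetupResult:
    can_complete: bool
    problems: list[str] = field(default_factory=list)


def validate_admin_credentials(model: str, username: str, password: str) -> SetupResult:
    """Return the reasons setup must not complete; empty list means it may."""
    problems: list[str] = []
    default_user, default_pw = FACTORY_DEFAULTS.get(model, (None, None))

    if password == default_pw:
        problems.append("password is the factory default for this model")
    if password.lower() in COMMON_DEFAULTS:
        problems.append("password is a common default")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"password shorter than {MIN_LENGTH} characters")
    if username == default_user:
        problems.append("username is the factory default admin name")

    return SetupResult(can_complete=not problems, problems=problems)


def plan_setup(model: str, username: str, password: str,
               enable_remote: tuple[str, ...] = ()) -> tuple[SetupResult, dict[str, bool]]:
    """Decide whether setup may finish and which remote services end up on.

    Remote services default to disabled and are only enabled when the
    credentials pass and the user explicitly asked for them.
    """
    cred = validate_admin_credentials(model, username, password)
    services = {svc: False for svc in REMOTE_SERVICES}
    if cred.can_complete:
        for svc in enable_remote:
            if svc in services:
                services[svc] = True
    return cred, services


if __name__ == "__main__":
    # Factory defaults left in place: setup blocked, FTP stays off.
    res, cfg = plan_setup("ROUTER-N-EXAMPLE", "admin", "admin", ("usb_ftp",))
    print(res.can_complete, res.problems, cfg)
    # Changed credentials: setup completes, only the requested service is on.
    res, cfg = plan_setup("ROUTER-AC-EXAMPLE", "netadmin", "correct-horse-battery", ("usb_ftp",))
    print(res.can_complete, res.problems, cfg)
```

Run as a script it prints the blocked and the permitted case. The design choice worth copying is that remote-facing services are tied to the credential check rather than to a separate toggle, so a unit that still has its defaults cannot expose FTP or cloud access at all.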



Ray Shaw

Ray Shaw has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
