ASUS Settles FTC Case Over Router Security Breaches

By John DiGiacomo

The Internet of Things

The Internet of Things is an increasingly expanding network of physical objects that have the ability to connect to the internet. When embedded with software, everyday electronics like washing machines, lamps, and watches can have the ability to connect to the internet and communicate, allowing remote access to the object. This technology has expanded beyond commercial products and has penetrated the industrial market such as use in drills of oil rigs and optimization of supply chain networks. Additionally, consumers have the ability to hook up their houses to the Internet of Things, allowing owners remote access to their security systems and any other connected device. If these systems are compromised due to ineffective router security, there is no limit to the amount of information or data that could be at risk.

Risky ASUS Routers

Among the vulnerabilities of the ASUS routers, an attacker had the ability to remotely access the routers in order to alter security settings and configurations. This would allow the attacker to access files stored on the connected devices. According to the complaint, a hacker had the ability to bypass the password protection of these routers and make changes without the owner knowing. ASUS marketed its routers claiming it had various security features that protected customers from unauthorized access and attacks; however, the FTC claims that the company did not take the appropriate steps to ensure customer protection.

In particular, the ASUS cloud-based systems were at risk. Through ASUS’s AiCloud system, owners have the ability to plug a USB hard drive into their router and create a cloud storage device that allows them access from anywhere. By exploiting a vulnerability in the AiCloud service, a hacker could bypass the login screen and access any information stored by the owner. Additionally, the FTC’s charges stated that ASUS did not adequately encrypt consumer files that were transferred from one device to another, allowing public access to these files to anyone with an internet connection.

Settlement Terms

We’ve written previously here, about the FTC’s authority. Under the terms of its settlement with the FTC, ASUS must maintain a comprehensive security program that is subject to independently performed audits for the next 20 years. In addition to the security program, the FTC is ordering that the company educate its customers about software updates and measures they can take to prevent security flaws. One way ASUS can help educate customers is through offering direct security notices (through email, text message, etc.) to ensure its customers are adequately protected. Finally, the FTC’s order will prevent the company from making any misleading statements or claims regarding the security of its products.

Now that the Internet of Things is expanding, and potentially any electronic can be manufactured to include internet connectivity, the need for consumer protection is at an all-time high. The FTC is making an ongoing effort to protect consumers from insecure software and devices. This settlement sends a message to all producers that information and data security must be a top priority when developing their products.

For more information about the Internet of Things and staying protected, contact Revision Legal’s team of experienced Internet attorneys through the form on this page, or call 855-473-8474.

Image courtesy of Flickr user Sam Churchill.

Put Revision Legal on your side

LET’S DISCUSS YOUR CASE