FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)

from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept

Tue, Feb 23rd 2016 1:43pm — Tim Cushing

The FTC has stepped up to smack ASUS down for selling "secure" routers that were about as impregnable as a child's couch fort.

[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.

That's not all. ASUS's security "best practices" apparently included credentials pulled from annual "Worst Passwords" lists.

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This, unfortunately, isn't just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials and very few of them demand the end user alter the login before putting the product to use.

As for ASUS, the list of insecurities goes on and on.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

ASUS's insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn't clear, but it could be this is just the first in a wave of settlements.

The FTC isn't just unhappy about ASUS's bogus security claims. It's also unhappy with the company's response time. The complaint notes ASUS failed to act quickly in response to reported security holes.

In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.

[...]

It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.

Because of this, ASUS is going to spend the next two decades maintaining a "comprehensive security program" subject to independent audits. An FTC official's statement suggests the agency's settlement with ASUS carries symbolic weight as well -- the mounting of ASUStek's head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS's eight-month delayed reaction to notifications it received in June of 2013, users are still better off taking security in their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.

FTC-ASUS-Complaint (PDF)FTC-ASUS-Complaint (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: admin, ftc, security
Companies: asus

28 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Other Not So Random Guy, 23 Feb 2016 @ 2:13pm

"Cloud"
Anything with the word cloud in it cant be trusted.
[ link to this | view in chronology ]
- John Fenderson (profile), 23 Feb 2016 @ 7:22pm
  
  Re: "Cloud"
  This had nothing to do with the cloud anyway -- ASUS was just lying. Sadly, this was worse.
  [ link to this | view in chronology ]
- Mason Wheeler (profile), 24 Feb 2016 @ 8:02am
  
  Re: "Cloud"
  The term "head in the clouds" comes to mind...
  [ link to this | view in chronology ]
WDS (profile), 23 Feb 2016 @ 2:21pm

Personal Responsibility
I just got a new commercial firewall for work from a respected security company that had the admin admin defaults. The other problems that ASUS routers have, I blame on them, but the leaving the admin password at the default is a user problem, as is not turn of the management access on the WAN link.

While the new firewall does not make you change the default password, it does nag you until you do.
[ link to this | view in chronology ]
- WDS (profile), 23 Feb 2016 @ 2:24pm
  
  Re: Personal Responsibility
  "not turn of" should be "not turning off". Why do I not see these errors until the moment I press the submit button.
  [ link to this | view in chronology ]
  - Anonymous Coward, 23 Feb 2016 @ 2:26pm
    
    Re: Re: Personal Responsibility
    "Why do I not see these errors until the moment I press the submit button."
    
    Isn't that supposed to be a question?
    
    Perhaps it's a design flaw. :)
    [ link to this | view in chronology ]
    - WDS (profile), 23 Feb 2016 @ 2:37pm
      
      Re: Re: Re: Personal Responsibility
      "Perhaps it's a design flaw. :)"
      
      Yes, most likely a design flaw in me.
      [ link to this | view in chronology ]
  - Anonymous Coward, 23 Feb 2016 @ 2:45pm
    
    Re: Re: Personal Responsibility
    Why do I not see these errors until the moment I press the submit button.
    It's because after you edit your words carefully, and hit preview, and edit some more, and preview again—you're just too damn impatient to get up from your chair, and walk away for a minute.
    
    You could get up for another cup of coffee, re-read your words one last time, and then hit submit. But that would slow the conversation down.
    [ link to this | view in chronology ]
- Capitalist Lion Tamer (profile), 23 Feb 2016 @ 2:32pm
  
  Re: Personal Responsibility
  I agree it's a user problem. But I think companies who claim to care about security should at least push users towards changing the default login before the device can be put to use, if not prevent its operation until the default has been changed.
  
  I understand why they might not want to implement this, as future breaches would be almost solely their responsibility, rather than the end user's.
  [ link to this | view in chronology ]
  - Anonymous Coward, 23 Feb 2016 @ 3:36pm
    
    Re: Re: Personal Responsibility
    That may be the reason. If it's not their fault, they can't be sued for it. [dull, shambling zombie CEO]The stockholders don't like it when we spend money that doesn't bring a profit.[/dull, shambling zombie CEO]
    [ link to this | view in chronology ]
  - JoeCool (profile), 23 Feb 2016 @ 10:14pm
    
    Re: Re: Personal Responsibility
    The problem is that people LIKE simple passwords. ADMIN/ADMIN is exactly the kind of password many companies/agencies like (e.g., the DOD's username/password for decades of DOD/DOD).
    
    I'd bet you real money that if they made the username/password something like &^%^JBSFJBIREUYT*(&R#YT*&R#YT$AY/*()&*FDJNFKJDBFIT$#^*&T#*^T%*, people would change it the very first instant they can! ... unfortunately to something like ADMIN/ADMIN. ;) :D
    [ link to this | view in chronology ]
  - Anonymous Coward, 24 Feb 2016 @ 11:12am
    
    Re: Re: Personal Responsibility
    Even better is to have every single device have a unique default password. This way if someone just plugs it in and never changes any options its still fairly secure
    
    There are plenty of unique IDs on each device that could be used to generate a password, MAC addresses, Serial Numbers, etc.
    [ link to this | view in chronology ]
Anonymous Coward, 23 Feb 2016 @ 3:02pm

DD-WRT had a similar default admin login but as soon as you get in for the first time, it requires you to change the password.
[ link to this | view in chronology ]
- Chronno S. Trigger (profile), 23 Feb 2016 @ 7:27pm
  
  Re:
  They don't even do that any more. The first thing DD-WRT does is make you set the username and password. They even go one step further and hide the username.
  
  Still the only router software that I've ever seen that requires setting the password. All others, professional or residential, have default passwords that can be found by a simple Google search.
  [ link to this | view in chronology ]
Anonymous Anonymous Coward, 23 Feb 2016 @ 3:47pm

Responsible Rounter Configuration
If router manufacturers were going to be completely responsible, they would ship their routers with the firewalls set to deny everything. Then when the typical end user tries to connect to anything, it won't go through. Those companies rating will tank, their returns would skyrocket and everyone will blame it on them, but they just did the secure thing.

Even if they leave Port 80 open so that people could at least connect to the Internet and try to look up a solution, the complaints will fall around my email doesn't work, my game doesn't connect, your router sux big time, where are my instant messages?, etc.

No amount of instruction will help the average user. Just finding out what ports to open and when is beyond the average user. Then try to get them to understand UDP vs TCP and whether in or out for either is correct, which depends upon the application. Maybe a script could be written that asks sensible questions and does the right thing, but I have yet to see it. Windows firewall had something like that, but it opened things without my permission and against my will as well, so that doesn't answer.

My ISP provided router has a firewall, and it has about 50 settings for games from the last decade or so set to open, when I don't have any of those games. So I have to go through and close them all, and in that process I run into things I have never heard of, and I have been building my own computers since the early 90's and have a higher than average capability (I am NOT however claiming to actually be a competent tech, just an experienced user).

Computer security needs to be better. We should have started with the OS's, but we didn't. We should have included the Internet, but we didn't. We should have standards that manufacturers should follow, but they are suggestions not requirements. There should be a way for the less than average user to get their machine configured for the things they want to do, but we are too busy building the latest and greatest to make the existing more readily usable.

There is no cost effectiveness in making the existing better. The cost effectiveness is in selling users more stuff.
[ link to this | view in chronology ]
- Anonymous Anonymous Coward, 23 Feb 2016 @ 3:50pm
  
  Re: Responsible Rounter Configuration
  With any luck folks will assume Rounter is what it is meant to be, Router.
  
  Hmm, spell check in the subject box, a concept for the future.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Feb 2016 @ 5:25am
  
  Re: Responsible Rounter Configuration
  "Even if they leave Port 80 open"
  
  Solicited traffic can go through the firewall on all ports. and users don't access the Internet through their port 80, more like a random port (that's higher). Port 80 is accessed through the web server's port 80. Someone setting up a webserver would have to do a port forward but that's already the case and if you are setting up a web server you should know how to do that.
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Feb 2016 @ 5:31am
    
    Re: Re: Responsible Rounter Configuration
    (and port 80 is usually designated for unencrypted web traffic)
    [ link to this | view in chronology ]
  - John Fenderson (profile), 24 Feb 2016 @ 6:21am
    
    Re: Re: Responsible Rounter Configuration
    "Solicited traffic can go through the firewall on all ports."
    
    This is another problem. Firewall configurations tend to assume that any traffic coming from inside the firewall is trustworthy -- and it's not. Automatically allowing solicited traffic through is a security problem.
    
    In my home LAN, this is not automatically true. All traffic is blocked, solicited or otherwise, unless I specifically tell the firewall it's permitted.
    [ link to this | view in chronology ]
    - Anonymous Coward, 24 Feb 2016 @ 7:12am
      
      Re: Re: Re: Responsible Rounter Configuration
      This is a huge hassle and especially for your average user.
      [ link to this | view in chronology ]
    - Anonymous Coward, 24 Feb 2016 @ 7:17am
      
      Re: Re: Re: Responsible Rounter Configuration
      and, really, if you have malware/trojans/viruses/infections on your personal computer or home network or untrusted traffic coming from your own computer or home network then you have bigger issues.
      
      Someone tech savvy and conscientious enough to go through the hassle of doing what you do is probably not someone that has malware on their home network so they probably have little reason to do all that mess regardless.
      
      The person that does have have malware on their PC or home network isn't going to be the type of person that will be able to manage their firewall the way you do.
      [ link to this | view in chronology ]
Victor David, 23 Feb 2016 @ 3:49pm

Huawei Router
When I switched providers recently, I received an Huawei HG8245H. It has 2 admin users, both with well-known default credentials. One of the users cannot be changed. The really bad part though is that, by default, the router lets you access its administrative functions from the internet side. I didn’t know that at first and within a day or two, I discovered various logins from the other side of the planet. I reset the device (b/c I didn’t know what might have been changed) and then turned off this “feature”, but my god what negligence on the part of Huawei. Most customers aren’t going to ever check anything and meanwhile, all the bad actors know that this model (which is widely deployed on my ISP) is entirely accessible.
[ link to this | view in chronology ]
teka, 23 Feb 2016 @ 9:54pm

They can ding a company for being a bit rubbish on devices that come in a box labeled "secure" but the FTC is too busy to notice the massive crater strewn with broken and misused claims by internet providers?
[ link to this | view in chronology ]
That Anonymous Coward (profile), 24 Feb 2016 @ 1:57am

The lowest common idiot...
Is it easier to have the login password default admin/admin or to pay to have someone walk a technophobic customer through resetting the machine & then trying to puzzle out the configuration they can't remember?
We printed it in a manual that they should change it, it is no longer our fault.

More time is spent offering a better mousetrap than making sure the mounsetrap can't break the owners fingers. It is a race to add more bells & blinkie lights, rather than a well designed secure box. Far to many end users assume these magic boxes have been vetted & are secure. Blissfully ignorant that they have some responsibilities to keep them secure also.

Buzzwords sell, not security. There are only a few researchers looking, we can be onto the next generation before they even think about testing our thing to see if its broken.
Look at the list of things they have shown are broken.... now count how many of them resulted in anything other than a little bad PR.
The FTC doing something is uncommon and even when they do I'm sure in 3 months we'll be talking about the next stupid company who did these exact same things... and how very little will happen to them.

Perhaps it is time to stop buying the router that also is a toaster & disco ball and ask for the one that had an independent review of its security.
[ link to this | view in chronology ]
Mason Wheeler (profile), 24 Feb 2016 @ 8:04am

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This is one of the things I like about WordPress. It actually allows me to set my login name to something different from the name displayed as the author of the posts I write. I run WordFence (a security plugin) and it gives me periodic reports on failed login attempts. People try stuff like "admin" and my author name all the time, but never once have I seen an attempt to log in with my actual login name.
[ link to this | view in chronology ]
Michael (profile), 24 Feb 2016 @ 2:01pm

this wont change anything
I doubt that the FTC action will change anything.

For example, Eero just released new routers and they are being written up on many tech sites. Not one of these reviews will say anything about the security of the devices. They may mention the self-updating firmware in passing, but thats it. All any tech site cares about when it comes to routers is WiFi speed and range.

Anyone interested can read up on router security at my www.RouterSecurity.org site. Its not finished...
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 5:45am

So on one hand...
So on one hand, we have the FTC beating ASUS up over poor security on their devices.

On the other hand, we have the FBI beating Apple up over good security on their devices.

What in the fucking fuck?
[ link to this | view in chronology ]
Anonymous Coward, 25 Feb 2016 @ 3:23pm

To make the routers safer, ASUS should change the login to Secure/Secure.
[ link to this | view in chronology ]