FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)
from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept
The FTC has stepped up to smack ASUS down for selling "secure" routers that were about as impregnable as a child's couch fort.
[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.

That's not all. ASUS's security "best practices" apparently included credentials pulled from annual "Worst Passwords" lists.
The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This, unfortunately, isn't just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials, and very few of them demand that the end user alter the login before putting the product to use.
As for ASUS, the list of insecurities goes on and on.
According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

ASUS's insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn't clear, but it could be this is just the first in a wave of settlements.
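The login-screen bypass the complaint describes belongs to a well-known class of bug: authentication is enforced inside individual request handlers, so any handler the developer forgets stays reachable without credentials. The following is an added illustration, not ASUS code and not a reconstruction of the specific AiCloud flaw (the complaint gives no details beyond "a specific URL"). The route names, the token scheme and the device secret are all constructed for the example. It contrasts the per-handler pattern with a single deny-by-default gate in front of every route, plus a small audit helper that lists which paths answer without a token.

```python
"""Added example: per-handler authentication vs. a central deny-by-default gate.

Everything here is constructed for illustration; it is not vendor code.
"""
import hashlib
import hmac

# Constructed per-device secret; a real router would hold one per unit.
DEVICE_SECRET = b"constructed-demo-secret"


def make_token(user):
    """Session token for `user` (constructed scheme: HMAC over the username)."""
    return hmac.new(DEVICE_SECRET, user.encode(), hashlib.sha256).hexdigest()


def is_authenticated(request):
    """True when the request dict carries a valid token for the admin account."""
    token = request.get("token", "")
    return hmac.compare_digest(token, make_token("admin"))


# Pattern 1: every handler is responsible for its own check.
def list_files(request):
    if not is_authenticated(request):
        return 401, "login required"
    return 200, "file list"


def download_file(request):
    # The check was forgotten here, so this route is effectively public.
    return 200, "file contents"


PER_HANDLER_ROUTES = {"/list": list_files, "/download": download_file}


def dispatch_per_handler(path, request):
    handler = PER_HANDLER_ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    return handler(request)


# Pattern 2: one gate in front of every route; only listed paths skip it.
PUBLIC_PATHS = {"/login"}
GATED_ROUTES = {
    "/login": lambda request: (200, "login page"),
    "/list": lambda request: (200, "file list"),
    "/download": lambda request: (200, "file contents"),
}


def dispatch_gated(path, request):
    handler = GATED_ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    # Deny by default: a forgotten check cannot open a route here.
    if path not in PUBLIC_PATHS and not is_authenticated(request):
        return 401, "login required"
    return handler(request)


def unprotected_routes(dispatch, paths):
    """Audit helper: which of `paths` return 200 with no token at all?
    For the gated dispatcher this should be exactly the public paths."""
    return sorted(p for p in paths if dispatch(p, {})[0] == 200)


if __name__ == "__main__":
    print("per-handler, no token:", unprotected_routes(dispatch_per_handler, PER_HANDLER_ROUTES))
    print("gated, no token:      ", unprotected_routes(dispatch_gated, GATED_ROUTES))
```

The audit helper is the part worth keeping: run it against the real route table in a test so that a newly added path that answers without a session shows up as a failing test rather than as a finding in someone else's disclosure.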
The FTC isn't just unhappy about ASUS's bogus security claims. It's also unhappy with the company's response time. The complaint notes ASUS failed to act quickly in response to reported security holes.
In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.

[...]

It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.

Because of this, ASUS is going to spend the next two decades maintaining a "comprehensive security program" subject to independent audits. An FTC official's statement suggests the agency's settlement with ASUS carries symbolic weight as well -- the mounting of ASUStek's head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS's eight-month delayed reaction to notifications it received in June of 2013, users are still better off taking security into their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.
Reader Comments
Personal Responsibility
While the new firewall does not make you change the default password, it does nag you until you do.
Re: Personal Responsibility
Re: Re: Personal Responsibility
Isn't that supposed to be a question?
Perhaps it's a design flaw. :)
Re: Re: Re: Personal Responsibility
Yes, most likely a design flaw in me.
Re: Re: Personal Responsibility
You could get up for another cup of coffee, re-read your words one last time, and then hit submit. But that would slow the conversation down.
Re: Personal Responsibility
I understand why they might not want to implement this, as future breaches would be almost solely their responsibility, rather than the end user's.
Re: Re: Personal Responsibility
I'd bet you real money that if they made the username/password something like &^%^JBSFJBIREUYT*(&R#YT*&R#YT$AY/*()&*FDJNFKJDBFIT$#^*&T#*^T%*, people would change it the very first instant they can! ... unfortunately to something like ADMIN/ADMIN. ;) :D
Re: Re: Personal Responsibility
There are plenty of unique IDs on each device that could be used to generate a password: MAC addresses, serial numbers, etc.
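Deriving the initial password from per-device identifiers, as the comment above suggests, is sound only if something secret goes into the derivation; the MAC and serial are printed on the label and visible on the LAN. The example below is added here and is not any vendor's code: it shows a naive derivation that anyone who knows the identifiers can recompute, beside a keyed derivation that needs a factory-held secret, and pairs it with a first-login policy that refuses to keep the label password or anything from a common-password blocklist (addressing the "allowed consumers to retain" admin/admin point in the article). The factory key, identifiers and blocklist are constructed for the example.

```python
"""Added example: per-device initial password derivation and first-login policy.

All values here are constructed for illustration; nothing is vendor code.
"""
import base64
import hashlib
import hmac

# Constructed stand-in for the annual "worst passwords" lists.
WORST_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "letmein"}


def _encode(digest, length):
    # Base32 keeps the label readable (A-Z, 2-7) without modulo bias.
    return base64.b32encode(digest).decode("ascii")[:length]


def naive_device_password(mac, serial, length=12):
    """Weak: both inputs are on the label and visible to the LAN, so anyone
    who knows them can recompute the password. Shown only for contrast."""
    digest = hashlib.sha256(f"{mac}:{serial}".encode()).digest()
    return _encode(digest, length)


def factory_device_password(factory_key, mac, serial, length=12):
    """Keyed: the factory mixes in a secret key, so the label value can only
    be regenerated by whoever holds that key, not by reading the label."""
    digest = hmac.new(factory_key, f"{mac}:{serial}".encode(), hashlib.sha256).digest()
    return _encode(digest, length)


def is_blocklisted(password):
    return password.strip().lower() in WORST_PASSWORDS


def accept_new_password(initial_password, proposed, min_length=12):
    """First-login policy: the unit ships with `initial_password` and should
    refuse to expose the admin panel until a different, non-trivial password
    is set. Returns (accepted, reason)."""
    if hmac.compare_digest(initial_password.encode(), proposed.encode()):
        return False, "new password must differ from the label password"
    if is_blocklisted(proposed):
        return False, "password appears on a common-password blocklist"
    if len(proposed) < min_length:
        return False, f"password must be at least {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    mac, serial = "00:11:22:33:44:55", "SN000001"      # constructed identifiers
    factory_key = b"constructed-factory-key"           # would live only in the factory
    label = factory_device_password(factory_key, mac, serial)
    print("naive   :", naive_device_password(mac, serial))
    print("keyed   :", label)
    for candidate in (label, "admin", "short", "correct horse battery staple"):
        print(f"{candidate!r:34} ->", accept_new_password(label, candidate))
```

The keyed version fixes the per-unit-uniqueness problem but not the "never changed" one, which is why the policy function exists alongside it: a unique label password that the user keeps forever is still a password written on the outside of the box.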
Re:
Still the only router software that I've ever seen that requires setting the password. All others, professional or residential, have default passwords that can be found by a simple Google search.
Responsible Rounter Configuration
Even if they leave Port 80 open so that people could at least connect to the Internet and try to look up a solution, the complaints will fall around my email doesn't work, my game doesn't connect, your router sux big time, where are my instant messages?, etc.
No amount of instruction will help the average user. Just finding out what ports to open and when is beyond the average user. Then try to get them to understand UDP vs TCP and whether in or out for either is correct, which depends upon the application. Maybe a script could be written that asks sensible questions and does the right thing, but I have yet to see it. Windows firewall had something like that, but it opened things without my permission and against my will as well, so that doesn't answer.
My ISP provided router has a firewall, and it has about 50 settings for games from the last decade or so set to open, when I don't have any of those games. So I have to go through and close them all, and in that process I run into things I have never heard of, and I have been building my own computers since the early 90's and have a higher than average capability (I am NOT however claiming to actually be a competent tech, just an experienced user).
Computer security needs to be better. We should have started with the OS's, but we didn't. We should have included the Internet, but we didn't. We should have standards that manufacturers should follow, but they are suggestions not requirements. There should be a way for the less than average user to get their machine configured for the things they want to do, but we are too busy building the latest and greatest to make the existing more readily usable.
There is no cost effectiveness in making the existing better. The cost effectiveness is in selling users more stuff.
Re: Responsible Rounter Configuration
Hmm, spell check in the subject box, a concept for the future.
Re: Responsible Rounter Configuration
Solicited traffic can go through the firewall on all ports, and users don't access the Internet through their port 80, more like a random port (that's higher). Port 80 is accessed through the web server's port 80. Someone setting up a webserver would have to do a port forward, but that's already the case, and if you are setting up a web server you should know how to do that.
Re: Re: Responsible Rounter Configuration
This is another problem. Firewall configurations tend to assume that any traffic coming from inside the firewall is trustworthy -- and it's not. Automatically allowing solicited traffic through is a security problem.
In my home LAN, this is not automatically true. All traffic is blocked, solicited or otherwise, unless I specifically tell the firewall it's permitted.
Re: Re: Re: Responsible Rounter Configuration
Someone tech savvy and conscientious enough to go through the hassle of doing what you do is probably not someone that has malware on their home network so they probably have little reason to do all that mess regardless.
The person that does have malware on their PC or home network isn't going to be the type of person that will be able to manage their firewall the way you do.
The lowest common idiot...
We printed it in a manual that they should change it, it is no longer our fault.
More time is spent offering a better mousetrap than making sure the mousetrap can't break the owner's fingers. It is a race to add more bells & blinkie lights, rather than a well designed secure box. Far too many end users assume these magic boxes have been vetted & are secure, blissfully ignorant that they have some responsibilities to keep them secure also.
Buzzwords sell, not security. There are only a few researchers looking; we can be onto the next generation before they even think about testing our thing to see if it's broken.
Look at the list of things they have shown are broken.... now count how many of them resulted in anything other than a little bad PR.
The FTC doing something is uncommon and even when they do I'm sure in 3 months we'll be talking about the next stupid company who did these exact same things... and how very little will happen to them.
Perhaps it is time to stop buying the router that also is a toaster & disco ball and ask for the one that had an independent review of its security.
This is one of the things I like about WordPress. It actually allows me to set my login name to something different from the name displayed as the author of the posts I write. I run WordFence (a security plugin) and it gives me periodic reports on failed login attempts. People try stuff like "admin" and my author name all the time, but never once have I seen an attempt to log in with my actual login name.
This won't change anything
For example, Eero just released new routers and they are being written up on many tech sites. Not one of these reviews will say anything about the security of the devices. They may mention the self-updating firmware in passing, but that's it. All any tech site cares about when it comes to routers is WiFi speed and range.
Anyone interested can read up on router security at my www.RouterSecurity.org site. It's not finished...
So on one hand...
On the other hand, we have the FBI beating Apple up over good security on their devices.
What in the fucking fuck?