ASUSTeK Computer, Inc. (ASUS) has agreed to settle with the FTC over allegations that “critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk.” The FTC further alleges that the routers’ insecure cloud services compromised consumers’ connected storage devices, which exposed their information on the Internet.
Consistent with other FTC orders, the consent order with ASUS requires it to develop and maintain a “comprehensive security program subject to independent audits for the next 20 years.”
The allegations by the FTC included information obtained by a malware researcher who discovered vulnerabilities in the routers that gave hackers the ability to get into the router’s web-based control panel and change security settings without the owner’s knowledge. Further, the company allowed users to keep and use the default login credentials on every router: the username “admin” and the password “admin.” Obviously, not the best security measure.
Finally, the FTC complaint outlines that hackers were able to use tools available on the Internet to locate ASUS routers, exploit the vulnerabilities, and gain access to almost 13,000 consumers’ connected storage devices, exposing their personal information to unauthorized access.
The proposed settlement is open to public comment until March 24, 2016.
As with other settlements and consent orders agreed to by the FTC, lessons can be learned from the facts of this case. The FTC continues to be focused on data security, specifically looking at the Internet of Things, connected devices, and vulnerabilities that can expose consumers’ private information. Companies in this industry might wish to re-examine security measures and address any vulnerabilities that may exist in products.