On Tuesday, the Federal Trade Commission (FTC) announced a decision requiring network hardware manufacturer Asus to establish and maintain a comprehensive security program for the next 20 years and to be subject to audits. The action stems from a remote attack on Asus routers in February 2014.
“Routers play a key role in securing those home networks, so it’s critical that companies like Asus put reasonable security in place to protect consumers and their personal information,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection.
In the 2014 attack, owners of the compromised devices received a message on their computers that read “This is an automated message being sent out to everyone effected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.” The complaint that followed said that the hardware manufacturer failed to protect consumers as required by federal law.
According to Ars Technica, Asus password protection was often easy to bypass, either by supplying a vulnerable router with a special URL that was supposed to be accessed only after credentials were entered or by exploiting cross-site request forgery or cross-site scripting vulnerabilities. FTC attorneys also challenged password advice provided in Asus manuals, which in one case suggested users secure files accessible on a router with the user name of “family” and an identical password.
The complaint alleged that at least one of the 300,00 compromised routers resulted in identity fraud.
The FTC said further in its announcement that Asus had failed to perform proper testing of its devices, although it could be argued that other router vendors might be equally negligent in this regard.