ASUS Router Security Claims Mislead Consumers: FTC

(February 23, 2016) The maker of ASUS home routers deceived customers when it claimed the devices could protect consumers’ local networks from attack. Instead, the company failed to employ reasonable security practices causing “substantial injury” to consumers, the Federal Trade Commission (FTC) found.

ASUSTeK Computer, Inc., has agreed to an FTC consent order that requires the company to establish a comprehensive security program and notify customers about software updates and other steps they can take to protect themselves from the router’s flaws.

Routers forward data packets along a network. Consumer routers also function as a hardware firewall for the local network.

According to the FTC complaint, ASUS “marketed its routers as including security features such as ‘SPI intrusion detection’ and ‘DoS protection,’ advertised that its routers could ‘protect computers from any unauthorized access, hacking, and virus attacks’ and instructed consumers to ‘enable the [router’s] firewall to protect your local network against attacks from hackers.’”

The FTC found because ASUS represented its routers could protect consumers’ local networks and that its AiCloud and AiDisk features were secure when they were not, the company made false or misleading representations in violation of federal law.

To set the security settings, consumers had to log onto the router’s interface. ASUS set the username and password as “admin,” so anyone online getting access to the router would know the password if it had not been reset.

In addition, ASUS marketed features call AiCloud and AiDisk to allow users to plug in UBS storage devices to create “a private personal cloud.”  The default setting for the program was “limitless access rights.” To set up more restrictive access, the consumer had to deviate from the default setting.

The FTC found that a security researcher warned ASUS of the router’s vulnerabilities. Some hackers exploited the routers and left messages on the files to consumers about the vulnerability. Some ASUS customers “complained that a major search engine had indexed the files that the vulnerable routers had exposed, making them easily searchable online. Others claimed to be the victims of related identity theft,” the complaint said.

The FTC found ASUS failed to perform security architecture and design reviews of its software, perform vulnerability and penetration testing, and implement readily available, low-cost protections against well-known and reasonably foreseeable vulnerabilities. Moreover, when some customers attempted to upgrade the software by going to the ASUS site, the upgrade was not made because the company failed to update its upgrade list.

This case demonstrates again that companies must be able to substantiate their marketing claims and that the FTC will protect consumers who are injured because of security flaws. The case also is a reminder to consumers not to accept default settings on devices connected to the internet because default settings are generally known and easily exploited.