Smoking Asus? FTC charges tech vendor for vulns in routers

Hundreds of thousands of customers have been put at risk due to critical security flaws in the routers and cloud computing services offered by Taiwan-based tech vendor, Asus.

According to Security Week, Asus has agreed to settle charges put forth by the US Federal Trade Commission (FTC) that claim the company has failed to secure the security features in its routers as they had serious vulnerabilities that allowed cyber-criminals to compromise devices.

Another issue pointed out by the FTC is that Asus often ignored vulnerability reports received from security researchers, and did not notify customers when security patches were available.

Asus routers also featured AiCloud and AiDisk that let users plug a USB hard drive into the router to create their own cloud storage service that they could access from any of their other devices. These services also contained vulnerabilities that allowed malicious attackers easy access to user files.

The settlement will require Asus to establish and maintain a comprehensive security programme subject to independent audits for the next 20 years. The company will also have to ensure that customers can sign up for security notifications that will inform them about firmware updates and provide instructions on how to protect themselves against possible attacks.

Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement that millions of consumers are connecting new IoT smart devices to their home networks, and router security is important. “It's critical that companies like Asus put reasonable security in place to protect consumers.”