Two years after thousands of Asus router owners were revealed to be so totally and utterly compromised that users’ files were available online to the world to peruse, Asus is settling with the FTC.
Asus is going to “establish and maintain a comprehensive security program subject to independent audits for the next 20 years” as part of the settlement, according to an FTC statement.
Security on Asus routers was so bad in 2014 that hackers felt sorry for the company’s customers, and left messages on thousands of computers warning them about the exploit.
“This is an automated message being sent out to everyone effected,” the message read. “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection.”
And that wasn’t the only problem. To list just a few things:
- Hackers could access and change the router’s configuration page without much effort.
- Every device shipped with the same default login credentials, username “admin” and password “admin,” and little was done to get users to change them.
- In many cases, accessing all files shared on a network was as simple as typing the external IP into a browser. Nothing was encrypted.
The FTC’s statement about this case makes it clear that every company making products accessible over the Internet will be held responsible for securing those products.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like Asus put reasonable security in place to protect consumers and their personal information.”
The FTC seems to be going out of its way to talk about Internet of Things security lately. In January, it issued a report stating that connected devices should limit how long they store information as a security precaution. Mentioning these concerns again as part of this settlement means the government agency is watching companies closely, and will hold them accountable for any bugs.