Taiwanese hardware manufacturer Asus has agreed to settle Federal Trade Commission charges, the Commission reported on Tuesday. Back in 2014, it was discovered that Asus' routers had poor security protocols, putting hundreds of thousands of users' data at risk.
Under the settlement, Asus will have to establish and maintain a comprehensive security program, subject to independent audits for the next 20 years. The FTC said the vulnerabilities allowed attackers to gain access to at least 12,900 routers.
“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks”, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in a written statement.
“Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”
Back in 2014, thousands of Asus routers were compromised, and whoever did it left a text file on the device explaining what happened.
“Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection”, the good Samaritan hacker told the owners.
The complaint said that Asus' password protection was often too easy to bypass using a couple of techniques, including a specially crafted URL that was supposed to be accessible only after logging in, or by exploiting cross-site request forgery, to name a few.
The Commission alleges that Asus did not address these security flaws in a timely manner, and failed to notify its users about the risks these vulnerable routers pose.