ASUS case suggests 6 things to watch for in the Internet of Things

The router is Grand Central Station for home technology. It manages the connections between all of the smart devices in the home, from the computer in the den and tablet on the coffee table, to the smart thermostat on the wall and internet-connected baby monitor in the nursery. Consumers expect that route to be a limited access highway with the router forwarding data securely while blocking unauthorized access. But an FTC complaint against tech giant ASUSTeK Computer, Inc. – most people know them as ASUS – challenges as unfair and deceptive the company’s failure to secure the routers and “cloud” services it marketed to consumers. The case also offers insights for other businesses entering the Internet of Things.

How ASUS advertised its products.  ASUS advertised that its routers had numerous security features that could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” But according to the FTC, ASUS’s routers didn’t live up to those promises. What’s more, the company’s routers included services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage, accessible from any of their devices – a kind of central storage hub for the smart home. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC alleges they were anything but secure.

Where ASUS went wrong with its routers.  Despite the router’s vital role in protecting the home network, the FTC says ASUS didn’t take basic steps to secure the software on its routers. For example, consumers managed the router (including those security features) through a web-based interface we’ll call the admin console. But by exploiting pervasive security bugs in the admin console, hackers could change the router’s security settings – even turning off the router’s firewall, flipping on public access to the consumer’s “cloud” storage, or configuring the router to redirect consumers to malicious websites. In fact, one exploit campaign that specifically targeted numerous ASUS router models did just that, reconfiguring vulnerable routers so hackers controlled consumers’ web traffic. As the complaint alleges, far from protecting consumers’ home networks, ASUS’s routers let hackers wreak havoc on them.

ASUS’s insecure “cloud” services.  ASUS’s “cloud” storage services weren’t secure either. According to the FTC, anyone who knew the router’s IP address – a walk in the park for a hacker – could bypass the AiCloud service’s login screen and access consumers’ storage devices without any credentials, leaving consumers’ files wide open on the internet. AiDisk didn’t fare much better. The FTC took issue with that service for relying on an insecure protocol and having a confusing set-up process with insecure defaults. For example, when consumers turned on the service, by default, it would provide anyone on the internet with unauthenticated access to all of the files on the consumer’s storage device. Worse yet, the setup wizard didn’t explain those defaults and didn’t make it clear what was going on. Not to mention that if the consumer tried to create a restricted account, the service preset the login credentials to the same weak username and password (Family/Family) for everyone. All of these security vulnerabilities and design flaws amounted to big trouble for consumers.

ASUS’s delayed response and failure to notify consumers.  The FTC says that ASUS could have prevented many problems if it had followed well-known, secure software design, coding, and testing practices. What’s more, security researchers had contacted ASUS to sound warnings, but it often took months – and sometimes over a year – for ASUS to respond.  For example, when one researcher reported that by his estimate, 25,000 consumers had AiDisk storage devices openly accessible on the internet, it was crickets from ASUS. In fact, it was only after a plea from a large European retailer that ASUS started to pay attention to that problem. By then, it was too late.

Even more troubling, alleges the FTC, is that when ASUS developed security patches, it didn’t notify consumers. The router’s admin console had a tool that was supposed to let people check if their router was using the latest available firmware (the software built into the router). But as researchers warned ASUS, the upgrade tool wasn’t working as it should. According to the complaint, more than a year went by and consumers were still getting the message that their “router’s current firmware is the latest version” when newer firmware with critical security updates was available.

Thousands of compromised routers. This meant that ASUS’s routers and “cloud” services left consumers’ home networks and personal files at the mercy of hackers and identity thieves. You can guess what happened next. Hackers used tools to locate the IP addresses of thousands of vulnerable ASUS routers and that’s where the story gets really interesting. Exploiting AiCloud’s vulnerabilities and AiDisk’s design flaws, they gained unauthorized access to the USB storage devices of thousands of consumers. But they didn’t come and go quietly. They left a text file on the devices that said, “This is an automated message being sent out to everyone effected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an internet connection.”

ASUS’s security claims may have been deceptive, but one thing turned out to be true: the hackers’ warning that consumers’ routers and documents were accessible to anyone in the world. For example, one consumer reported that ID thieves used sensitive information on his USB storage device, including tax returns and other financial data, to rack up unauthorized charges and make a mess of his identity. Others complained that a major search engine had indexed the personal files their vulnerable ASUS routers had exposed, making them searchable online.

The FTC’s complaint.  The lawsuit challenges as false or misleading ASUS’s claims that it took reasonable steps to ensure its routers protected consumers’ local networks from attack, that AiCloud and AiDisk were secure ways for people to access sensitive information, and that its firmware upgrade tool was accurate. The complaint also alleges that ASUS’s failure to take reasonable steps to secure software for its routers was an unfair practice.

How ASUS will have to change.  The proposed order includes security provisions that have become standard in FTC settlements, but there’s something else. If there’s a software update or other steps consumers can take to protect themselves from a security flaw in the future, ASUS must notify them. Importantly, the settlement makes it clear that merely posting a notice on its website isn’t enough on its own. (Who goes to their router manufacturer’s website regularly?) In addition, the proposed order requires that ASUS offer consumers a way to register to receive security notices through direct communication, like email, text message, or push notification. In the Internet of Things, where consumers often “set it and forget it,” these types of direct communications can be critical tools in making sure consumers get the message. You can file a comment about the settlement by March 24, 2016.

If the Internet of Things intrigues your company, the case offers six tips for maintaining careful connections.

  1. Start with security.  While ASUS’s routers suffered from a host of classic vulnerabilities, the problem with AiDisk went beyond bugs or glitches. According to the complaint, it was unsafe from the get-go both in the company’s choice of an insecure protocol and in its confusing and insecure user interface. Yes, you want to get your product to market ASAP, but take the time to design security in at the outset. That’s a particularly important consideration in the Internet of Things where the insecure design of one product can affect multiple connected devices.
  2. Design your products through customers’ eyes.  If you sell a connected product for home use, customers are likely to run the gamut from newbie to pro. So how can developers communicate with people at both ends of the spectrum? Here’s a perspective to consider. Less tech-savvy consumers often complain about products that are too complicated. But have you ever heard a sophisticated user grumble that an interface was too clear or too straightforward?
  3. Make it easy for people to select the safer option from the start.  Pay particular attention to the security implications of your defaults and set-up procedures. Consumers who get discouraged by a complicated maze of screens may configure their devices improperly or may stick with out-of-the-box choices. That’s why it’s dangerous to set your system defaults as “open” – or insecure, as was the case with AiDisk. It’s great to offer customizable features for the technology dab hand, but wise developers consider the benefits of security by default.
  4. Heed security warnings. In many recent cases, the FTC has noted that companies didn’t address credible alerts about potential product vulnerabilities. When security issues come to your attention, the wiser course is to investigate and reach out to customers immediately if the concerns prove accurate.
  5. Think through how you’ll let consumers know about fixes. Say someone spots a problem and you design a patch to address it. That’s an important first step, but the job’s not done. A security patch is effective only if customers install it. Far-sighted developers build in a what-if contingency plan to address the challenges of notifying people after the fact.
  6. Learn the lessons from other FTC cases. According to the FTC’s Start with Security publication, there’s no one-size-fits-all formula for what’s reasonable. But every data security complaint offers lessons about practices that could lead to trouble in certain circumstances. Paragraph 30 of the ASUS complaint recaps dozens of them, including weak default login credentials, choosing insecure protocols when safer ones are readily available, skipping industry-accepted testing, and failing to implement low-cost protections against well-known vulnerabilities.
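Two of the failures the post describes, the open-by-default AiDisk share with its preset “Family/Family” login (tip 3) and the firmware tool that kept reporting “latest version” when a newer build existed (tip 5 and the complaint’s update-tool allegation), are both things a developer can check in code before a product ships. The following is an added example, not ASUS firmware or FTC material: a hypothetical share configuration whose defaults are closed, a validator that refuses a public share without an explicit confirmation and refuses a vendor-wide preset credential, and an update check that compares version numbers numerically and answers “unknown” rather than “current” when it cannot complete. The `ShareConfig` fields, the `VENDOR_PRESET_CREDENTIALS` set and the version strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed preset: the one credential the complaint names. A vendor preset
# shared by every device is never acceptable as a live login.
VENDOR_PRESET_CREDENTIALS = {("Family", "Family")}


@dataclass
class ShareConfig:
    """Hypothetical settings for a router-hosted USB file share.
    Every default is closed: nothing is exposed until the user opens it."""
    enabled: bool = False                 # share is off out of the box
    anonymous_access: bool = False        # unauthenticated access must be opted into
    expose_to_internet: bool = False      # LAN-only unless explicitly changed
    username: Optional[str] = None
    password: Optional[str] = None
    user_confirmed_public: bool = False   # set only after a plain-language warning is acknowledged


def validate_share_config(cfg: ShareConfig) -> List[str]:
    """Return the problems that must be fixed before the share goes live.
    An empty list means the configuration is acceptable."""
    problems: List[str] = []
    if not cfg.enabled:
        return problems  # a disabled share exposes nothing
    if cfg.anonymous_access and cfg.expose_to_internet and not cfg.user_confirmed_public:
        problems.append("public unauthenticated share requires explicit confirmation")
    if not cfg.anonymous_access:
        if not cfg.username or not cfg.password:
            problems.append("authenticated share has no credentials set")
        elif (cfg.username, cfg.password) in VENDOR_PRESET_CREDENTIALS:
            problems.append("credentials are the vendor preset shared by every device")
        elif cfg.password == cfg.username or len(cfg.password) < 8:
            problems.append("password is too weak")
    return problems


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '3.0.0.4.374' into a comparable tuple.
    Raises ValueError on anything that is not purely numeric components."""
    return tuple(int(part) for part in s.strip().split("."))


def firmware_status(installed: str, available: Optional[str]) -> str:
    """Compare the installed firmware with the version the vendor publishes.
    Returns 'current', 'update-available' or 'unknown'. The failure mode to
    avoid is telling the user 'current' when the check did not actually work,
    so a missing or unparseable published version never reports 'current'."""
    if available is None:
        return "unknown"
    try:
        if parse_version(installed) >= parse_version(available):
            return "current"
        return "update-available"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Out-of-the-box settings pass; a public share with the preset login does not.
    print(validate_share_config(ShareConfig()))
    print(validate_share_config(ShareConfig(enabled=True, username="Family", password="Family")))
    # Numeric comparison, not string comparison: 1000 is newer than 374.
    print(firmware_status("3.0.0.4.374", "3.0.0.4.1000"))
    print(firmware_status("3.0.0.4.376", None))
```

The version check deliberately compares tuples of integers; comparing the raw strings would rank “3.0.0.4.374” above “3.0.0.4.1000” and is one plausible way an update tool ends up insisting the installed build is the latest. The validator runs at the point where the user saves the share settings, so the consumer sees the problem in the same screen they are configuring rather than discovering it from a text file left on their drive.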