These are the words of Jessica Rich, the Director of the Federal Trade Commission’s (FTC) Bureau of Consumer Protection as part of a release detailing the resolution of the FTC’s settlement with Asus over their sale of consumer routers that had major security flaws.
Saying that home routers have security flaws is really nothing new, our website details many of them. What is new and groundbreaking is the fact that the issue has reached the levels that it has, and that a major vendor is being punished for behavior that until now has simply been viewed as “that’s how everyone in this industry does business”.
The complaint that caused the FTC to take notice detailed an incident in 2014 where Asus routers were responsible for allowing hackers to access people’s personal data due to poor security. The problem stemmed from services called AiCloud and AiDisk which allowed users to plug a hard drive into the router to make files accessible to other connected devices. The poor security surrounding these features as well as the cloud service that Asus offered didn’t stop hackers from not only accessing people’s files, but also leaving their own file behind that celebrated the attack.
The proposed punishment for Asus includes a 20 year period in which all of their software must be inspected by security experts. They’ll also need to set up a mechanism to promptly alert users to known problems as well as security fixes.
Here at RouterCheck, we say “It’s about time!”. We’re happy to see home router security being taken seriously at such a high level. Unfortunately, despite the advancements that were made due to this decision, there still exist some real hurdles to home router security. Our data shows that home router security problems that can be traced to poor vendor practices is small as compared to the security problems caused by consumers who don’t properly configure their devices. Despite the warnings, people still leave a default administrator password. This is why we’ve been proponents for providing consumers with a third-party testing tool to allow them to see where the real security problems in their home networks are and how they can be fixed. We believe that this will allow consumers to take charge of their own home network security and be mindful that their router is also a computer that needs to be protected.