FTC Dings ASUS For Selling 'Secure' Routers.

Discussion in 'ASUS Wireless' started by andyg, Feb 23, 2016.

  1. andyg

    andyg Occasional Visitor

    Joined:
    Mar 1, 2014
    Messages:
    15
  2. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,551
    Location:
    Appalachia
    Why is the FTC posting sensationalist crap for the casual user?

    One of their pointers is "Don’t just click “next” during the set-up process."... Thanks for the tip.

    Is this some political smear campaign? Every company has released vulnerable software...


    Seriously, the actual complaint pdf cites zero commonly accepted security/exploit databases in any of the individual issues.

    Is there something I am missing?
     
    joltdude likes this.
  3. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,318
    Location:
    Canada
    My guess is, somebody filed a formal complaint (maybe a competitor? Wouldn't be the first time...), which forced the FTC to investigate. But a 20-year-long mandatory audit? Seriously?! This looks almost like an April Fools' joke. Can anyone quote any precedent that would match such results?

    It's even more silly considering that other manufacturers out there have been caught DELIBERATELY introducing backdoors in their products, and they never got slapped, punished, or audited for it. Those backdoored products should have gotten far more attention than Asus's inability to properly secure their products, as they were the conscious work of their developers, not just failure to properly code/design a secure product.
     
    maylyn, wiz, andyg and 2 others like this.
  4. Ken Firch

    Ken Firch Occasional Visitor

    Joined:
    Jan 20, 2016
    Messages:
    14
    Looks like ASUS is going to have to endure frequent audits of its router security.

    https://www.techdirt.com/articles/2...h-default-admin-admin-login-other-flaws.shtml

    Hopefully this extra effort required by ASUS to appease the Feds won't impact its creativity or ability to deliver great products. Seems to me they are being punished because they didn't force users to take obvious steps to protect their own network. But their slow response didn't help either.
     
  5. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    6,803
    http://www.snbforums.com/threads/fork-update-for-374-43-available-v16e1.18914/page-160#post-240605

    This doesn't deserve its own thread. (Opinion).
     
  6. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,551
    Location:
    Appalachia
    Newsflash: No software is perfect.


    The more interesting thing is why the FTC is even doing this... I casually follow security and Asus does not deserve this.

    Regarding the "slow response": if the FTC's pdf and related posts are an accurate representation of their technical understanding, I would disregard the requests as well. Hopefully some useful stuff will be presented by the FTC, otherwise this primarily embarrasses the FTC for their short-sighted investigating, in my opinion.
     
  7. Advis

    Advis Occasional Visitor

    Joined:
    Jan 6, 2013
    Messages:
    25
    Respectfully I have to disagree. They have been slapped because their advertising claims that the various features are secure despite some flaws that ASUS haven't adequately handled.

    There are a number of serious flaws identified by the FTC outside the common default password behaviour, including not encrypting AiDisk files in transit and a credential bypass flaw in AiCloud. To compound these, the update check was found to be not working properly and there is no mailing list that a user can sign up to in order to be reasonably informed of such flaws. This then led to a situation where 'In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices'.

    According to the article I read on The Register, ASUS were found to be NOT conducting any kind of penetration testing for their products, which I suppose will be in the original complaint.

    I do believe this ruling is fair. I am not saying that ASUS are more deserving of attention than any other router manufacturer and I accept that others will probably be found to have similar issues.
     
    zoomee, joegreat and Nullity like this.
  8. Ronv42

    Ronv42 Senior Member

    Joined:
    Jul 31, 2014
    Messages:
    272
    The FTC picks targets based on what? I think it's more politics and posturing vs. doing what is right for us the consumer. Cronies infiltrate these organizations at the federal level and push agendas.
     
  9. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,551
    Location:
    Appalachia
    The AiCloud thing is probably worthy of complaint, but from a security stand-point, using any made-by-manufacturer/brand, proprietary cloud service, rather than established protocols/services is ill-advised. Even "good" cloud services have privacy issues. That is no excuse for sub-par security, but buyer beware...

    I just do not see the justification. I would focus on the most impactful vector, like perhaps using the funds spent on this to donate to an OpenSSL security audit, or criticize any of the recent, huge privacy leaks from large corporations that literally impact millions of people/Americans.
     
  10. thiggins

    thiggins Mr. Easy Staff Member

    Joined:
    May 18, 2008
    Messages:
    11,697
    This is not cross posting. It's a valid post. Please leave moderation to me.

    Ken, please feel free to make similar posts in the future.
     
    mike2h and L&LD like this.
  11. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,318
    Location:
    Canada
    I have moved the related posts from the other thread into this one.
     
  12. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    6,803
    No problem, I wasn't moderating. As my post suggested; 'opinion'.

    Thanks for the clarification.
     
  13. 3dguru

    3dguru Occasional Visitor

    Joined:
    Mar 27, 2014
    Messages:
    43
    Location:
    Toronto
    FTC works like FDA, WHO or any other organization which "works" for the consumer public.

    Have you ever heard FDA making bold suggestions about cheap/free natural products for any health concern? Do you really think only patent-able chemically changed products can help people? This is not rocket science, any preschooler can think about it, but seems like nobody really cares.

    Unfortunately those organizations are not for public interest, just for themselves, governments ("economies"), and therefore for the highest bidder.

    ASUS seems to be not handling their interest as they want to.
     
    geo44 likes this.
  14. avtella

    avtella Regular Contributor

    Joined:
    Oct 8, 2015
    Messages:
    162
    Location:
    USA
    As the author in Ken's link says other manufacturers have similar issues and this may just be the beginning of many settlements, I also think it will slowly move to other manufacturers as well.
     
  15. AntonK

    AntonK Occasional Visitor

    Joined:
    Apr 10, 2015
    Messages:
    49
    For those of you who may be of the left-of-center political orientation, well, this is what MORE government looks like in your lives.
     
  16. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,318
    Location:
    Canada
    I hope they do, because some others did far worse IMHO, such as shipping code that contained known backdoors.

    Here's a collection of references to other companies who should, IMHO, be equally (if not more severely when it involves actual backdoor code) punished.

    http://arstechnica.com/security/201...inksys-routers-with-self-replicating-malware/
    http://www.cio.com/article/2376824/...said-to-leave-backdoor-problem-in-router.html
    https://wiki.openwrt.org/toh/netgear/telnet.console
    http://www.infoworld.com/article/26...oor-found-in-d-link-router-firmware-code.html

    This is of course in addition to the numerous CVE reports that are related to virtually every single home router manufacturer out there.
     
    Nullity, avtella and L&LD like this.
  17. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    21,318
    Location:
    Canada
    Let's not bring politics into this, because this could be a whole debate on its own.
     
    AntonK, avtella and L&LD like this.
  18. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    9,736
    Location:
    San Diego, CA
    They were taken to the woodshed, no doubt - being it was ITC, could very well have been a competitor...

    I don't think this will be the last of it - many vendors in this space have security issues, and let's not forget the non-router network devices (SmartHome, ConnectedCar, QuantifiedSelf, etc...).

    There are a lot of security issues out there - most of them are not intentional, but they're there... it's more how the vendors respond, and there, Asus has done a decent job, at least with current products, and better than many with getting fixes out in a timely manner...

    20 year security audits - that's a bit extreme, IMHO...
     
  19. Nullity

    Nullity Very Senior Member

    Joined:
    Jul 17, 2014
    Messages:
    1,551
    Location:
    Appalachia
    I am pretty sure you are referring to the audit as extreme from a "this is a punishment" perspective (which I agree with), but shouldn't all (popular) software be audited regularly?

    Disregarding the stupid metrics the FTC is using to define a security vuln, I think government funded audits are probably a good thing. The determination of which projects to audit might need some tweaking.


    Auditing closed-source/proprietary code might be a problem because the public cannot participate in any way... Anyone got some links regarding the details of how the FTC audit is done?
     
  20. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    9,736
    Location:
    San Diego, CA
    Security Audits - most companies do run these internally in most cases - having to report the results to the ITC as a result of the order, that's the extreme part..

    Mixed messages from the US Govt these days - between this action (tighten up your security) and the recent other issue where a company locked down devices a bit too tight (in their opinion) - I suppose the take-away/spin here is "put really strong locks on your devices, but give us the master key"
     
    Nullity likes this.
