FTC Dings ASUS For Selling 'Secure' Routers.

Why is the FTC posting sensationalist crap for the casual user?

One of their pointers is "Don’t just click “next” during the set-up process."... Thanks for the tip.

Is this some political smear campaign? Every company has released vulnerable software...


Seriously, the actual complaint pdf cites zero commonly accepted security/exploit databases in any of the individual issues.

Is there something I am missing?
 
My guess is, somebody filed a formal complaint (maybe a competitor? Wouldn't be the first time...), which forced the FTC to investigate. But a 20-year-long mandatory audit? Seriously?! This looks almost like an April Fools' joke. Can anyone quote any precedent that would match such results?

It's even more silly considering that other manufacturers out there have been caught DELIBERATELY introducing backdoors in their products, and they never got slapped, punished, or audited for it. Those backdoored products should have gotten far more attention than Asus's inability to properly secure their products, as they were the conscious work of their developers, not just failure to properly code/design a secure product.
 
Looks like ASUS is going to have to endure frequent audits of its router security.

https://www.techdirt.com/articles/2...h-default-admin-admin-login-other-flaws.shtml

Hopefully this extra effort required by ASUS to appease the Feds won't impact its creativity or ability to deliver great products. Seems to me they are being punished because they didn't force users to take obvious steps to protect their own network. But their slow response didn't help either.
 
http://www.snbforums.com/threads/fork-update-for-374-43-available-v16e1.18914/page-160#post-240605

This doesn't deserve its own thread. (Opinion).
 
Newsflash: No software is perfect.


The more interesting thing is why the FTC is even doing this... I casually follow security and Asus does not deserve this.

Regarding the "slow response": if the FTC's pdf and related posts are an accurate representation of their technical understanding, I would disregard the requests as well. Hopefully some useful stuff will be presented by the FTC; otherwise this primarily embarrasses the FTC for their short-sighted investigating, in my opinion.
 
Respectfully I have to disagree. They have been slapped because their advertising claims that the various features are secure despite some flaws that ASUS haven't adequately handled.

There are a number of serious flaws identified by the FTC beyond the common default password behaviour, including not encrypting AiDisk files in transit and a credential bypass flaw in AiCloud. To compound these, the update check was found to be not working properly and there is no mailing list that a user can sign up to in order to be reasonably informed of such flaws. This then led to a situation where 'In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices'.

According to the article I read on The Register, ASUS were found to be NOT conducting any kind of penetration testing for their products, which I suppose will be in the original complaint.

I do believe this ruling is fair. I am not saying that ASUS are more deserving of attention than any other router manufacturer, and I accept that others will probably be found to have similar issues.
 
The FTC picks targets based on what? I think it's more politics and posturing vs. doing what is right for us the consumer. Cronies infiltrate these organizations at the federal level and push agendas.
 
The AiCloud thing is probably worthy of complaint, but from a security stand-point, using any made-by-manufacturer/brand, proprietary cloud service, rather than established protocols/services is ill-advised. Even "good" cloud services have privacy issues. That is no excuse for sub-par security, but buyer beware...

I just do not see the justification. I would focus on the most impactful vector, like perhaps using the funds spent on this to donate to an OpenSSL security audit, or criticize any of the recent, huge privacy leaks from large corporations that literally impacts millions of people/Americans.
 
Cross posting is not allowed in most forums. I don't see this as being any different?
This is not cross posting. It's a valid post. Please leave moderation to me.

Ken, please feel free to make similar posts in the future.
 
I have moved the related posts from the other thread into this one.
 
This is not cross posting. It's a valid post. Please leave moderation to me.

No problem, I wasn't moderating. As my post suggested; 'opinion'.

Thanks for the clarification.
 
FTC works like FDA, WHO or any other organization which "works" for the consumer public.

Have you ever heard FDA making bold suggestions about cheap/free natural products for any health concern? Do you really think only patent-able chemically changed products can help people? This is not rocket science, any preschooler can think about it, but seems like nobody really cares.

Unfortunately those organizations are not for public interest, just for themselves, governments ("economies"), and therefore for the highest bidder.

ASUS seems to be not handling their interest as they want to.
 
As the author in Ken's link says, other manufacturers have similar issues and this may just be the beginning of many settlements; I also think it will slowly move to other manufacturers as well.
 
For those of you who may be of the left-of-center political orientation, well, this is what MORE government looks like in your lives.
 
I hope they do, because some others did far worse IMHO, such as shipping code that contained known backdoors.

Here's a collection of references to other companies who should, IMHO, be punished equally (if not more severely when it involves actual backdoor code).

http://arstechnica.com/security/201...inksys-routers-with-self-replicating-malware/
http://www.cio.com/article/2376824/...said-to-leave-backdoor-problem-in-router.html
https://wiki.openwrt.org/toh/netgear/telnet.console
http://www.infoworld.com/article/26...oor-found-in-d-link-router-firmware-code.html

This is of course in addition to the numerous CVE reports that are related to virtually every single home router manufacturer out there.
 
Let's not bring politics into this, because this could be a whole debate on its own.
 
They were taken to the woodshed, no doubt - being it was ITC, could very well have been a competitor...

I don't think this will be the last of it - many vendors in this space have security issues, and let's not forget the non-router network devices (SmartHome, ConnectedCar, QuantifiedSelf, etc...).

There are a lot of security issues out there - most of them are not intentional, but they're there... it's more how the vendors respond, and there, Asus has done a decent job, at least with current products, and better than many with getting fixes out in a timely manner...

20 year security audits - that's a bit extreme, IMHO...
 
...
20 year security audits - that's a bit extreme, IMHO...

I am pretty sure you are referring to the audit as extreme from a "this is a punishment" perspective (which I agree with), but shouldn't all (popular) software be audited regularly?

Disregarding the stupid metrics the FTC is using to define a security vuln, I think government funded audits are probably a good thing. The determination of which projects to audit might need some tweaking.


Auditing closed-source/proprietary code might be a problem because the public cannot participate in any way... Anyone got some links regarding the details of how the FTC audit is done?
 
Security Audits - most companies do run these internally in most cases - having to report the results to the ITC as a result of the order, that's the extreme part..

Mixed messages from the US Govt these days - between this action (tighten up your security) and the recent other issue where a company locked down devices a bit too tight (in their opinion) - I suppose the take-away/spin here is "put really strong locks on your devices, but give us the master key"
 