FTC Dings ASUS For Selling 'Secure' Routers.
- Thread starter andyg
- Start date
Nullity
Very Senior Member
Why is the FTC posting sensationalist crap for the casual user?
One of their pointers is "Don’t just click “next” during the set-up process."... Thanks for the tip.
Is this some political smear campaign? Every company has released vulnerable software...
Seriously, the actual complaint pdf cites zero commonly accepted security/exploit databases in any of the individual issues.
Is there something I am missing?
My guess is, somebody filed a formal complain (maybe a competitor? Wouldn't be the first time...), which forced the FTC to investigate. But a 20 years-long mandatory audit? Seriously?! This looks almost like an April's Fool. Anyone can quote any precedent that would match such results?
It's even more silly considering that other manufacturers out there have been caught DELIBERATELY introducing backdoors in their products, and they never got slapped, punished, or audited for it. Those backdoored products should have gotten far more attention than Asus's inability to properly secure their products, as they were the conscious work of their developers, not just failure to properly code/design a secure product.
Ken Firch
Occasional Visitor
Looks like ASUS is going to have to endure frequent audits of its router security.
https://www.techdirt.com/articles/2...h-default-admin-admin-login-other-flaws.shtml
Hopefully this extra effort required by ASUS to appease the Feds won't impact its creativity or ability to deliver great products. Seems to me they are being punished because they didn't force users to take obvious steps to protect their own network. But their slow response didn't help either.
https://www.techdirt.com/articles/2...h-default-admin-admin-login-other-flaws.shtml
Hopefully this extra effort required by ASUS to appease the Feds won't impact its creativity or ability to deliver great products. Seems to me they are being punished because they didn't force users to take obvious steps to protect their own network. But their slow response didn't help either.
L&LD
Part of the Furniture
http://www.snbforums.com/threads/fork-update-for-374-43-available-v16e1.18914/page-160#post-240605
This doesn't deserve it's own thread. (Opinion).
Nullity
Very Senior Member
Newsflash: No software is perfect.
The more interesting thing is why the FTC is even doing this... I casually follow security and Asus does not deserve this.
Regarding the "slow response"; if the FTC's pdf and related posts are an accurate representation of their technical understanding, I would disregard the requests as well. Hopefully some useful stuff will be presented by the FTC, otherwise this primarily embarasses the FTC for their short-sighted investigating, in my opinion.
The more interesting thing is why the FTC is even doing this... I casually follow security and Asus does not deserve this.
Regarding the "slow response"; if the FTC's pdf and related posts are an accurate representation of their technical understanding, I would disregard the requests as well. Hopefully some useful stuff will be presented by the FTC, otherwise this primarily embarasses the FTC for their short-sighted investigating, in my opinion.
Advis
Occasional Visitor
Respectfully I have to disagree. They have been slapped because their advertising claims that the various features are secure despite some flaws that ASUS haven't adequately handled.
There are a number of serious flaws identified by the FTC outside the common default password behaviour including not encrypting AiDisk files in transit and a credential bypass flaw in AiCloud. To compound these the update check was found to be not working properly and there is no mailing list that a user can sign up to in order to be reasonably informed of such flaws. This then lead to a situation where 'In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices'.
According the article I read on The Register ASUS were found to be NOT conducting any kind of penetration testing for their products which I suppose will be in the original complaint.
I do believe this ruling is fair. I am not saying that ASUS are more deserving of attention that any other router manufacturer and I accept that others will probably be found to have similar issues.
There are a number of serious flaws identified by the FTC outside the common default password behaviour including not encrypting AiDisk files in transit and a credential bypass flaw in AiCloud. To compound these the update check was found to be not working properly and there is no mailing list that a user can sign up to in order to be reasonably informed of such flaws. This then lead to a situation where 'In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices'.
According the article I read on The Register ASUS were found to be NOT conducting any kind of penetration testing for their products which I suppose will be in the original complaint.
I do believe this ruling is fair. I am not saying that ASUS are more deserving of attention that any other router manufacturer and I accept that others will probably be found to have similar issues.
Nullity
Very Senior Member
The AiCloud thing is probably worthy of complaint, but from a security stand-point, using any made-by-manufacturer/brand, proprietary cloud service, rather than established protocols/services is ill-advised. Even "good" cloud services have privacy issues. That is no excuse for sub-par security, but buyer beware...
I just do not see the justification. I would focus on the most impactful vector, like perhaps using the funds spent on this to donate to an OpenSSL security audit, or criticize any of the recent, huge privacy leaks from large corporations that literally impacts millions of people/Americans.
This is not cross posting. It's a valid post. Please leave moderation to me.
Ken, please feel free to make similar posts in the future.
L&LD
Part of the Furniture
No problem, I wasn't moderating. As my post suggested; 'opinion'.
Thanks for the clarification.
FTC works like FDA, WHO or any other organization which "works" for the consumer public.
Have you ever heard FDA making bold suggestions about cheap/free natural products for any health concern? Do you really think only patent-able chemically changed products can help people? This is not rocket science, any preschooler can think about it, but seems like nobody really cares.
Unfortunately those organizations are not for public interest, just for themselves, governments ("economies"), and therefore for the highest bidder.
ASUS seems to be not handling their interest as they want to.
Have you ever heard FDA making bold suggestions about cheap/free natural products for any health concern? Do you really think only patent-able chemically changed products can help people? This is not rocket science, any preschooler can think about it, but seems like nobody really cares.
Unfortunately those organizations are not for public interest, just for themselves, governments ("economies"), and therefore for the highest bidder.
ASUS seems to be not handling their interest as they want to.
I hope they do, because some others did far worse IMHO, such as shipping code that contained known backdoors.
Here's a collection of references to other companies who should, IMHO, be equally (if not more severely when it involves actual backdoor code) be punished.
http://arstechnica.com/security/201...inksys-routers-with-self-replicating-malware/
http://www.cio.com/article/2376824/...said-to-leave-backdoor-problem-in-router.html
https://wiki.openwrt.org/toh/netgear/telnet.console
http://www.infoworld.com/article/26...oor-found-in-d-link-router-firmware-code.html
This is of course in addition to the numerous CVE reports that are related to virtually every single home router manufacturers out there.
Let's not bring politics into this, because this could be a whole debate on its own.
sfx2000
Part of the Furniture
They were taken to the woodshed, no doubt - being it was ITC, could very well have been a competitor...
I don't think this will be the last of it - many vendors in this space have security issues, and let's not forget the non-router network devices (SmartHome, ConnectedCar, QuantifiedSelf, etc...).
There are a lot of security issues out there - most of them are not intentional, but they're there... it's more how the vendors respond, and there, Asus has done a decent job, at least with current products, and better than many with getting fixes out in a timely manner...
20 year security audits - that's a bit extreme, IMHO...
I don't think this will be the last of it - many vendors in this space have security issues, and let's not forget the non-router network devices (SmartHome, ConnectedCar, QuantifiedSelf, etc...).
There are a lot of security issues out there - most of them are not intentional, but they're there... it's more how the vendors respond, and there, Asus has done a decent job, at least with current products, and better than many with getting fixes out in a timely manner...
20 year security audits - that's a bit extreme, IMHO...
Nullity
Very Senior Member
I am pretty sure you are referring to the audit as extreme from a "this is a punishment" perspective (which I agree with), but shouldn't all (popular) software be audited regularly?
Disregarding the stupid metrics the FTC is using to define a security vuln, I think government funded audits are probably a good thing. The determination of which projects to audit might need some tweaking.
Auditing closed-source/proprietary code might be a problem because the public cannot participate in any way... Anyone got some links regarding the details of how the FTC audit is done?
sfx2000
Part of the Furniture
Security Audits - most companies do run these internally in most cases - having to report the results to the ITC as a result of the order, that's the extreme part..
Mixed messages from the US Govt these days - between this action (tighten up your security) and the recent other issue where a company locked down devices a bit too tight (in their opinion) - I suppose the take-away/spin here is "put really strong locks on your devices, but give us the master key"
Mixed messages from the US Govt these days - between this action (tighten up your security) and the recent other issue where a company locked down devices a bit too tight (in their opinion) - I suppose the take-away/spin here is "put really strong locks on your devices, but give us the master key"
Similar threads
Similar threads
Similar threads
Latest threads
-
Unable to access - 192.168.100.1 address - AX86U Pro
- Started by dineshgyl
- Replies: 8
-
Guest Network Pro One way to client
- Started by Amwjujo
- Replies: 2
-
OpenVPN Client Connection through existing OpenVPN Router Connection causes disconnect- Started by Viktor Jaep
- Replies: 0
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!