FTC Forces Asus to Comply with 20 Years of Security Audits

Share this…

Asus lied about its routers’ security, it delayed security patches for months, and now it’s paying the price. A few months back, the US Federal Trade Commission (FTC) filed a complaint against Taiwan-based hardware maker Asus, accusing it of misrepresenting its products’ security features and failing to address security vulnerabilities.

The two parties have agreed to a settlement, one that forces Asus to subject its procedures and products to independent security audits for the next 20 years.

According to the FTC’s complaint, Asus failed numerous times to address severe security issues and made false claims about its products to its customers.

Asus had flaws in its AiDisk and AiCloud router features

The FTC pointed to numerous vulnerabilities the company failed to fix in a timely manner, going back to March 2013. These vulnerabilities were found in various Asus SOHO (Small home/Home office) router models, but also in the company’s AiDisk and AiCloud services.


These latter two refer to a feature of some Asus routers that allows users to insert a USB hard drive in their device, which they can then use as a LAN-based cloud server to store their files.

FTC officials say that Asus failed to address serious login bypass bugs that allowed attackers to steal data from AiCloud and AiDisk-enabled routers.

The FTC specifically points to an incident from February 2014, when hackers found 12,937 Asus routers online, which they hacked and then broke into 3,131 AiCloud accounts, accessing and stealing private files.

Asus firmware upgrade tool didn’t work properly

Additionally, outside Asus’ failure to address these security flaws, the FTC also says that the company failed to update a list of firmware images on its site.

This list was used by a firmware update tool embedded in the routers’ control panel, which would have helped customers secure their routers. Because the list was scarcely updated, many routers were reported as being up to date, when, in fact, they were not.

It seems that Asus had already started learning from the FTC lawsuit even before the two parties reached a settlement. Just two weeks ago, independent security researcher David Longenecker discovered flaws in the admin panel UI of many Asus routers, which the company quickly moved to fix.