It is gratifying to see one's passion result in a positive change that could benefit many people. Today the Federal Trade Commission issued a press release saying ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk.
In the settlement, ASUS agreed to some terms, including one that I have suggested many times: a way for consumers to receive automated notifications by email or text message when new updates are available that improve the security of the devices.
In February 2014, Dan Goodin of Ars Technica published an article about a “white hat” hacking incident. Certain ASUS routers had a vulnerability in the AiCloud service (ASUS’ proprietary web service, which enables FTP and Samba file sharing, among other things) whereby an unauthenticated user on the Internet could gain access to hard drives connected to the USB port on the router, either to read data off the drive or to write new data to it. This vulnerability had in fact been reported to ASUS eight months earlier, but was not fixed by the vendor until February 2014.
The article describes an unsuspecting user finding an unexpected text file on his hard drive, a text file describing the flaw and calling ASUS out for not fixing it eight months after responsible disclosure. Since I had an affected model, I logged in to the web UI to update the firmware, and found that the update mechanism erroneously reported that my firmware was already current.
I spent quite a bit of time that week getting to know the internal workings of the ASUS firmware, and discovered why the update function did not work properly: the updater relies on ASUS maintaining a list of available firmware on its servers. The new firmware had been published, but the "lookup table" that tells the updater which version to install had not been updated to point at it.
Thus began my interest in researching Internet of Things devices, and specifically, ASUS wireless routers.
In the two years since, I've published details of a number of additional issues with these routers:
- The administrator password was revealed, in plaintext, in a hidden field in the web UI.
- The firmware update process could be easily manipulated to supply a malicious update.
- A bug allowed anyone on the local network to take full control over the router (discovered by Joshua Drake; I provided a simple way to block the vulnerability until ASUS fixed it).
- The administrator UI relies on the browser to log out; the router itself never expires a session. This means that if you close the browser window without logging out, or if you run your browser in a high-security mode that disables scripting, your administrative session remains active forever (or at least until the next power outage reboots the router).
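The last item above is a server-side problem, not a browser one: a session that can only be ended by a client request outlives any client that never sends one. The following added example (mine, not ASUS firmware code or anything from the article) contrasts a store that behaves the way the router's UI is described, where a session persists until a logout request arrives or the process restarts, with a store that enforces an idle timeout and an absolute lifetime on every request. The timeout values and the in-memory store are assumptions for illustration; timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
"""Server-side session expiry: the described flaw beside a hardened store (added example)."""
import secrets
from dataclasses import dataclass

# Assumed policy values; real devices should pick these to fit their threat model.
IDLE_TIMEOUT = 10 * 60          # seconds since the last request before a session dies
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap from login, regardless of activity


@dataclass
class Session:
    created: float      # login time (seconds, monotonic or epoch)
    last_seen: float    # time of the most recent validated request


class BrowserLogoutOnlyStore:
    """Mirrors the flaw: a session lives until the client explicitly logs out.

    Nothing here ever expires a session, so closing the browser, or disabling the
    script that would send the logout request, leaves the admin session usable
    until the process (here, the router) restarts and the dict is lost.
    """

    def __init__(self):
        self._sessions = {}

    def login(self, now: float) -> str:
        token = secrets.token_urlsafe(32)          # unguessable session identifier
        self._sessions[token] = Session(created=now, last_seen=now)
        return token

    def is_valid(self, token: str, now: float) -> bool:
        session = self._sessions.get(token)
        if session is None:
            return False
        session.last_seen = now
        return True

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


class ExpiringStore(BrowserLogoutOnlyStore):
    """Hardened: expiry is decided by the server on every request.

    A session is rejected (and discarded) once it has been idle longer than
    IDLE_TIMEOUT or has existed longer than ABSOLUTE_LIFETIME, so an abandoned
    browser window or a client without scripting no longer matters.
    """

    def is_valid(self, token: str, now: float) -> bool:
        session = self._sessions.get(token)
        if session is None:
            return False
        idle_for = now - session.last_seen
        age = now - session.created
        if idle_for > IDLE_TIMEOUT or age > ABSOLUTE_LIFETIME:
            self._sessions.pop(token, None)        # expire without client cooperation
            return False
        session.last_seen = now
        return True


def compare_abandoned_session(abandoned_for: float) -> dict:
    """Log in to both stores at t=0, send no further requests, then probe at t=abandoned_for."""
    flawed, hardened = BrowserLogoutOnlyStore(), ExpiringStore()
    t1, t2 = flawed.login(0.0), hardened.login(0.0)
    return {
        "flawed_still_valid": flawed.is_valid(t1, abandoned_for),
        "hardened_still_valid": hardened.is_valid(t2, abandoned_for),
    }


if __name__ == "__main__":
    # A window closed without logging out, probed a day later.
    print(compare_abandoned_session(24 * 3600))
    # {'flawed_still_valid': True, 'hardened_still_valid': False}
```

The absolute lifetime matters even for an active administrator: without it, a session that keeps receiving requests (for example from a status page that polls) never ends, and a stolen token stays good indefinitely. Binding the session to the client address or re-prompting for the password before sensitive changes are further controls the example does not show.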
Of the FTC settlement, Goodin writes that this is a wake-up call for the IoT as the FTC "takes aim at insecurity that's rampant." Entire industries are sprouting around the so-called Internet of Things. There are Internet-connected refrigerators, laundry appliances, and toasters. Smartphones, smartwatches, and fitness trackers. Samsung is even working on a device to plug into the diagnostic port in older cars, making them Internet-connected.
Many consumers simply want their Internet-connected widget to work straight out of the box. Many things do in fact work straight out of the box, but far fewer work securely out of the box. While many of these devices can be made reasonably secure, doing so often requires quite a bit of technical knowledge. Perhaps this wake-up call is a step toward IoT devices being reasonably secure by default.
This article is published as part of the IDG Contributor Network.