FTC slaps Asus with 20 years of security monitoring

February 24, 2016 // 3:20 p.m.

Tags: #aicloud #asus #federal-trade-commission #ftc #insecurity #jonathan-tsang #networking #router #security

Asus has reached an agreement with the US Federal Trade Commission, agreeing to a two-decade probationary period for selling networking and cloud storage devices with gaping security holes.

The FTC began investigating a complaint against ASUSTeK Computer Incorporated, the official name of the Taiwanese computing giant better known as Asus, following the discovery of major security vulnerabilities in its routers and cloud computing services in 2013. Having marketed its devices as containing high-class security, the company found itself on the hook for letting ne'er-do-wells escape with customers' personal data - hence the FTC investigation. In one incident alone, an automated tool was able to gain access to 12,900 USB-connected storage devices linked to vulnerable Asus routers - and this was long after the AiCloud vulnerabilities had been reported to the company.

Following the investigation and its damning findings, Asus has reached an agreement (PDF warning) with the FTC - but one which, interestingly, does not require the company to admit or deny any of the allegations laid out in the original complaint, except to establish jurisdiction. That doesn't mean Asus is getting off lightly, however: the agreement requires that Asus stop overstating its commitment to customer security and the security features provided by its products, and that it set up a 'comprehensive security programme that is reasonably designed to address security risks related to the development and management of new and existing Covered Devices and protect the privacy, security, confidentiality, and integrity of Covered Information.'

Asus' commitment to this will be tested, too: the FTC is requiring that the company has biennial assessments from a 'qualified, objective, independent third-party professional' for twenty years - without which it won't be permitted to sell its networking products into the US. The agreement also requires that the company be more proactive in alerting customers when a vulnerability has been found, providing information about software updates or mitigations that can be applied in a timely manner.

The filed documentation indicates that the agreement had been forged under Asus president Jonathan Tsang's auspices, but thus far the company has not commented publicly on the matter.