Thursday, March 10, 2016

A positive step for insecure home routers?


It is gratifying to see one's passion result in a positive change that could benefit many people. On February 23 the Federal Trade Commission issued a press release titled "ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk."

In the settlement, ASUS agreed to some terms, including one that I have suggested many times: a way for consumers to receive automated notifications by email or text message when new updates are available that improve the security of the devices.


Some Background


In February 2014, Dan Goodin of Ars Technica published an article about a “white hat” hacking incident. Certain ASUS routers had a vulnerability in the AiCloud service (ASUS’ proprietary web service, which enables FTP and Samba / file sharing, among other things) whereby an unauthenticated user from the Internet could gain access to hard drives connected to the USB port on the router, either to read data off the drive, or write new data to the drive. This vulnerability was in fact reported 8 months earlier, but not fixed by the vendor until February 2014.

The article describes an unsuspecting user finding an unexpected text file on his hard drive, a text file describing the flaw and calling ASUS out for not fixing it 8 months after responsible disclosure. Since I had an affected model, I logged in to the web UI to update the firmware, and found that the update mechanism erroneously reported I was already current.

I spent quite a bit of time that week getting to know the internal workings of the ASUS firmware, and discovered the reason the update function did not work properly: the updater relies on a list of available firmware that ASUS maintains on its servers. The new firmware had been published, but the "lookup table" that tells the updater which version to use had not been updated, so the device compared itself against a stale table and concluded it was current.
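To make the failure mode concrete, here is an added example (my own illustration, not ASUS's updater code) of a lookup-table-driven update check. The manifest layout, the model name, the version strings and the dates are all constructed for the example. The naive check reports "current" whenever the vendor's table lists nothing newer, which is exactly the false reassurance described above; the hardened variant refuses to claim "current" from a stale or missing table and flags security updates so a notification can be sent, in the spirit of the settlement terms discussed later in the post.

```python
# Added example (not ASUS's code). Models a firmware update check that
# compares the running version against a vendor-hosted lookup table.
# Manifest format, model name, versions and dates are constructed.
from datetime import datetime, timedelta, timezone


def parse_version(v):
    """Turn a dotted version string into a tuple comparable with < and >."""
    return tuple(int(part) for part in v.split("."))


def naive_check(model, running, manifest):
    """Table-driven check: 'current' whenever the table lists nothing newer.
    A missing entry or a stale table silently yields 'current' too."""
    entry = manifest["models"].get(model)
    if entry is None:
        return "current"
    if parse_version(entry["version"]) > parse_version(running):
        return "update_available"
    return "current"


def hardened_check(model, running, manifest, now, max_age=timedelta(days=14)):
    """Same comparison, but 'current' is only claimed from fresh, complete data.
    Returns (status, latest_version). A stale manifest (older than max_age)
    or a missing model entry yields ('unknown', None) so the UI cannot
    misreport the device as up to date."""
    generated = datetime.fromisoformat(manifest["generated"])
    if now - generated > max_age:
        return "unknown", None
    entry = manifest["models"].get(model)
    if entry is None:
        return "unknown", None
    latest = entry["version"]
    if parse_version(latest) > parse_version(running):
        kind = "security_update" if entry.get("security") else "update_available"
        return kind, latest
    return "current", latest


def notification(model, status, latest):
    """Text for a pushed (email/SMS) notice; only security updates trigger one."""
    if status != "security_update":
        return None
    return f"{model}: security update {latest} is available; please install it."


# Constructed scenario: the vendor published 1.0.0.4.120 (a security fix),
# but the table the device consults was last regenerated months earlier
# and still lists 1.0.0.4.100.
STALE_MANIFEST = {
    "generated": "2013-06-01T00:00:00+00:00",
    "models": {"ROUTER-MODEL-A": {"version": "1.0.0.4.100", "security": False}},
}
FRESH_MANIFEST = {
    "generated": "2014-02-14T00:00:00+00:00",
    "models": {"ROUTER-MODEL-A": {"version": "1.0.0.4.120", "security": True}},
}
NOW = datetime(2014, 2, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    model, running = "ROUTER-MODEL-A", "1.0.0.4.100"
    print("naive, stale table:   ", naive_check(model, running, STALE_MANIFEST))
    print("hardened, stale table:", hardened_check(model, running, STALE_MANIFEST, NOW))
    status, latest = hardened_check(model, running, FRESH_MANIFEST, NOW)
    print("hardened, fresh table:", (status, latest))
    print("notice:", notification(model, status, latest))
```

With the stale table the naive check answers "current" even though a fix exists; the hardened check answers "unknown" instead, and only once a fresh table is fetched does it report the security update and produce the notice. The freshness window is a design choice: the point is that the absence of a newer entry is not evidence that the device is up to date.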

Thus began my interest in researching Internet of Things devices, and specifically, ASUS wireless routers.

In the two years since, I've published a number of additional issues with these routers:



What's Changed?


So what is different now? The FTC complaint document points out that ASUS markets its routers as including numerous security features to protect consumers, and yet the devices themselves have had some serious flaws that put consumers at risk. In settling the complaint, ASUS agreed to the following requirements:

  • ASUS must not misrepresent the secure state of their devices, and in particular, must not misrepresent that the device software is up-to-date when it is not.
  • ASUS must notify consumers "clearly and conspicuously" - including through a pushed notification such as email or text message - when new software updates are released that address a security flaw.
  • ASUS must submit to third-party evaluations of their business practices for the next 20 years.

Of the FTC settlement, Dan Goodin writes that this is a wake-up call for the IoT as the FTC "takes aim at insecurity that's rampant." Entire industries are sprouting around the so-called Internet of Things. There are Internet-connected refrigerators, laundry appliances, and toasters. Smartphones, smartwatches, and fitness trackers. Samsung is even working on a device to plug into the diagnostic port in older cars, making them Internet-connected.

Many consumers simply want their Internet-connected widget to work straight out of the box. Many things do in fact work straight out of the box - but far fewer work securely right out of the box. While many of these devices can be made relatively secure, often it requires quite a bit of technical knowledge. Perhaps this wake-up call is a step toward IoT devices being reasonably secure by default.


This article first appeared in CSOonline.