Asus Settles FTC Allegations That Flawed Routers Exposed Consumer Information

due to insecure cloud services, the commission said in a news release Tuesday. The commission, which voted 4-0 to approve an administrative complaint and proposed consent order, said that Asus must establish and maintain a comprehensive security program over the next 20 years and be subject to independent audits during that time. The company will have to notify consumers about software updates and give them an option to register for direct security notices through email, text message or a push notification, FTC said. The commission will publish the agreement soon in the Federal Register, and the pact will be open for public comment through March 24. The FTC alleged Asus "didn't take reasonable steps to secure the software on its routers," even though the company claimed the devices contained many security features to protect computers from hacking and malware. For instance, the commission said a malware researcher in April discovered a large-scale exploit campaign by hackers who specifically targeted numerous Asus router models, enabling them to hijack consumers' Web traffic. The commission also alleged that Asus advertised secure services on its routers called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own cloud storage, but those services had "serious security flaws." The FTC said hackers could exploit the AiCloud service to get access to people's connected storage device and that AiDisk didn't encrypt consumers' files in transit. In February 2014, hackers exploited these flaws to get access to more than 12,900 consumers' connected storage devices, the commission said. Asus didn't immediately comment.