Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Government Networking Security Wireless Networking IT

FTC Forces Asus To Improve Router Security (helpnetsecurity.com) 74

An anonymous reader writes: The FTC is actively trying to make sure that companies secure the software and devices that they provide to consumers, and a settlement with Taiwan-based hardware maker ASUSTeK Computer is one step towards that goal. The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left note on victims' drives notifying them of the matter. Later, a researcher discovered an exploit campaign that abused vulnerabilities to change vulnerable routers' DNS servers. According to the settlement, the company will have to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
This discussion has been archived. No new comments can be posted.

FTC Forces Asus To Improve Router Security

Comments Filter:
  • That's not a bug, it's a feature!
  • by Voyager529 ( 1363959 ) <voyager529@yahoo. c o m> on Wednesday February 24, 2016 @01:02PM (#51575885)

    I've generally preferred Asus routers to its peers for quite some time. They've been great with providing firmware updates four years after release (d-link, I'm looking at you), doing simultaneous dual-band as advertised (netgear, I'm looking at you), their firmware is responsive and generally very stable (Belkin, I'm looking at you). Their mid-range units support multi-wan and make excellent print servers, and they've been very supportive of the modding community - most of their gear supports merlin, padavan, ddwrt, openwrt, and tomato, and their recovery mode is near-brickproof.
    Yes, it's obnoxious that they had security issues, and yes, I replaced my N56U with a linksys ea6900 (and regretted until tomato was installed), but they're definitely better than most in my experience.
    More to the topic, I wonder if this will yield some case precedent for these requirements industry wide. I can dream...

    • The N56U is still adequate for many uses, but does not receive any security updates anymore. That's where the real problem is.
      • Good call. I just checked their site, and you're right - it's been nearly a year since their last update, which is strange because they still sell them new, and before that, updates were released several times a year. I'm still going with "better than most" because my linksys required a bootloader flash to get third party firmware working, especially notable because the ea6900 has a well documented bootloader issue that the patch fixed.

        I'm genuinely curious if any other router OEMs have a better track recor

    • Re: (Score:2, Informative)

      by thona ( 556334 )
      SERIOUSLY? Amazing. Your low standards, that is. Have a look at Mikrotik - not for someone not knowing what they do, but THEY do updates for TONS of years, are cheap and provide serious enterprise grade features. From a super cheap 40 USD router to a 36 core backbone router.
      • by Anonymous Coward

        SERIOUSLY? Amazing. Your low standards, that is. Have a look at Mikrotik - not for someone not knowing what they do, but THEY do updates for TONS of years, are cheap and provide serious enterprise grade features. From a super cheap 40 USD router to a 36 core backbone router.

        "...researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers – particularly routers powered by MikroTik..."

        Speaking of low standards, were you trying to provide a good alternate solution with your comments here, or were you trying to help identify yet another company that should be awaiting 20 years worth of security audits? Just curious...

      • by Anonymous Coward

        SERIOUSLY? Amazing. Your low standards, that is.

        Have a look at Mikrotik - not for someone not knowing what they do, but THEY do updates for TONS of years, are cheap and provide serious enterprise grade features. From a super cheap 40 USD router to a 36 core backbone router.

        I'm not sure where this idea that "frequent updates means better" came from, but it's a bunch of crap. I'd rather have firmware that only needed an update on rare occasions, than one which is so crappily made that there's a new patch coming out every week. The frequency of updates is not a good metric to measure the firmware stability or security on. Rather, it should be measured on how often problems crop up and how quickly they are patched, and how many of the updates are actually adding features as oppos

  • by dav1dc ( 2662425 ) on Wednesday February 24, 2016 @01:13PM (#51575949)

    Apple, you have TOO MUCH security!

    ASUS, you have TOO LITTLE security!

    Make up you're friggin' mind Uncle Sam... Security is either good for everyone, or bad.

    • Apple's security keeps the government from meddling with your data.

      ASUS' lack of security allows you to replace their shot firmware with one that keeps government from meddling with your data.

      Makes sense now?

    • Apple, you have TOO MUCH security!

      Close. That order is being challenged and is probably not lawful. See the other discussions and legal analysis for details. Think in terms of stick and carrot. Generally the government can offer a carrot, can remove carrots offered elsewhere, can tie one carrot to another, but it takes some severe problems before they bring in a stick. For defects problems, the stick is usually recalls.

      If the government treated too much security as a defect or violating some law, the government could probably find a way t

  • Doesn't have a third party firmware option available. End of Rant..

    Personally, I use a couple of Linksys offerings that have excellent OpenWRT support. I have a fleet of WRT4300's and a 1900ac that actually come with a variant of OpenWRT and are well supported. They all have Layer 2 capable switch hardware (so you can do VLAN stuff) which is nice. The WRT4300's are about $40 used on E-,Bay and the 1900AC retail at about $135 new and $120 used. Running OpenWRT gives you a lot of capability.

  • Leaving routers wide-open to attack AND MARKETING THEM AS SUCH is not.

    If Asus had marketed these as "here's a router, here's how you can hack it, here's how to plug the holes, and please don't do anything stupid like put it on a public network without fixing the holes and changing the passwords first"

    and sold it to hobbyists rather than regular consumers, then there wouldn't (or rather, shouldn't) be any reason to drag the FTC into the matter.

  • The FTC, of all the entities that could possibly muscle in on this matter, wants a company to do something to increase consumer safety?

    Ok, what does the story not tell? Are they going to demand that the routers be locked down to the point where the customer has no way of replacing the crappy firmware with something usable?

  • by Britz ( 170620 ) on Wednesday February 24, 2016 @01:54PM (#51576203)

    All the while the FCC and the EU are working on preventing users from protecting themselves by modifying the routers firmware:

    http://tech.slashdot.org/story... [slashdot.org]

    • by tlhIngan ( 30335 )

      All the while the FCC and the EU are working on preventing users from protecting themselves by modifying the routers firmware:

      Only to prevent transmitting outside of the appropriate bands.

      That's all the FCC cares about, and they want protections put in place to prevent a user from using say, channel 14 in North America.

      Now, until now, most manufacturers simply used location specific firmware to lock down the transmit channels, but the next generation set will probably incorporate protections stored elsewher

      • by davecb ( 6526 )
        Fusable links would be excellent, but the usual hack is to lock down everything in software, which IMHO is suicidally shortsighted.
    • by davecb ( 6526 )

      The good part is this is a proposed rule-making, and the FCC doesn't actually want to mess up Vint Cerf and Dave Taht. IMHO it was a bug in their spec (;-))

      The bad part is that several vendors think that locking down the entire router is a good and cheap idea, and that no-one like the FTC will object.

      The good part is that the FTC does exist, after all, and there is now a growing community of people with locked-down routers that contain a compliance-critical bug, on that takes the router right out of com

  • I just bought an Asus router (RT-N12). Does anyone know if it is exploitable? I'd heard Asus was one of the better ones. I've heard that Tomato runs on this model. Should I switch my firmware to Tomato, or is it sufficient to upgrade to the latest firmware from Asus?
  • Just flash these routers with DD-WRT. I found an old router that I got for free some time ago from SamKnows (an European company doing broadband performance measurement). When the campaign was finished, the thing was just lying in a cupboard. Got it revived with DD-WRT and it works fine now. Great stuff!

    • I use OpenWRT myself on a fleet of Linksys and Netgear offerings... I'm with you though, I only use hardware for which there is third party open source firmware available.

  • fix your stuff but not too much

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...