FTC settles with computer firm for router security flaws

Citing the “internet of things” the Federal Trade Commission said Wednesday it has reached a settlement with a Taiwan-based computer firm on charges that the company had critical security flaws in its routers that put the home networks of hundreds of thousands of consumers at risk.

The proposed consent order, which does not cite fines, would require ASUSTeK Computer Inc. to establish and maintain a comprehensive security program subject to independent audits over the next 20 years, the FTC said in its statement.

The FTC said although the company marketed its routers as including numerous security features that would protect computers from unauthorized access, hacking and virus attacks, it did not take reasonable steps to secure its routers’ software.

The FTC said that for instance, hackers could exploit “pervasive security bugs” in its web-based control panel to change any of the router’s security settings without the consumer’s knowledge.

In addition to establishing a comprehensive security program, the consent order will require the company to notify consumers about software updates or other steps they can take to protect themselves from security flaws, the FTC said.

The settlement will be subject to public comment through March 24, after which the commission will decide whether to make it final.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, in a statement. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

The company’s attorney could not immediately be reached for comment.