For instance, according to the complaint, hackers could exploit pervasive security bugs in the routers web-based control panel to change any of the routers security settings without the consumers knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set and allowed consumers to retain the same default login credentials on every router: username admin and password admin.
According to the complaint, ASUSs routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own cloud storage accessible from any of their devices. While ASUS advertised these services as a private personal cloud for selective file sharing and a way to safely secure and access your treasured data through your router, the FTCs complaint alleges that the services had serious security flaws.
For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumers connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumers files in transit, and its default privacy settings provided without explanation public access to the consumers storage device to anyone on the Internet.