Asus failed to properly secure its update servers. It failed to notice that the intruders spent six months sending out malicious firmware updates from those servers. It failed to admit that there was a problem when it was notified by a respected third party. It failed to notify its own customers for nearly two months. It failed to respond quickly when the news broke, and is still failing to admit the scope of the issue.
I haven’t seen a major information-security problem handled this badly since the Equifax hack in 2017. Like Equifax’s response, Asus’ response in this case is simply inexcusable when so many other companies — Microsoft, Apple, Google, to name just a few — provide examples of how to properly deal with security issues.
To recap, yesterday (March 25) Vice Motherboard and Kaspersky Lab revealed that Asus' update servers had been broken into in mid-2018 by hackers who appear to have ties to the Chinese government. From June through November 2018 the hackers pushed malicious updates to Asus computers through Asus' own update servers, signed with Asus' own code-signing certificates, so the updates passed signature verification on the receiving machines exactly as a legitimate update would.
The malware, when activated, opens up a “backdoor” on the Asus systems that allows the download and installation of more malware without the PC user’s knowledge.
Kaspersky Lab discovered the malware on Jan. 29 by analyzing telemetry from its own antivirus user base. There were about 57,000 infected Asus PCs in Kaspersky’s sample set. Symantec, maker of Norton Security and other antivirus products, detected another 13,000 infected machines in its own user base.
The catch is that the malware is activated only if one of an infected system’s MAC addresses — unique network-port identifiers that differ from one machine to the next — matches a MAC address on a hit list buried in the malware code. Kaspersky researchers identified about 600 MAC addresses on the various hit lists embedded in the malware samples.
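The following is an added example, not code from the original article and not Kaspersky's or Asus' code. It shows how a hit list of this kind gates a payload: the list carries only hashes of the targeted MAC addresses (Kaspersky's public analysis of the samples described MD5 hashes of MAC addresses), so the list itself does not reveal who the targets are, and the second stage runs only on a host whose adapter hashes to a listed value. The two "target" addresses, the sample hosts, and the exact formatting of the MAC string before hashing are all constructed assumptions for this example.

```python
import hashlib
import re

# Constructed example: two "targeted" machines known only to the attacker.
TARGET_MACS = ["AA:BB:CC:DD:EE:01", "00-11-22-33-44-55"]


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits with no separators.

    Accepts 'AA:BB:..', 'aa-bb-..', 'aabb.ccdd.eeff' and bare hex, so the
    same adapter matches however the operating system happens to print it.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_hash(mac: str) -> str:
    """MD5 of the canonical MAC string.

    The real samples stored MD5 hashes of MAC addresses; hashing the
    separator-free lowercase form is an assumption made for this example.
    """
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def build_hit_list(targets):
    """Attacker side: embed only hashes, so the list does not expose targets."""
    return frozenset(mac_hash(m) for m in targets)


def matching_adapters(local_macs, hit_list):
    """Trigger / checker side: which of this host's adapters are on the list."""
    return [m for m in local_macs if mac_hash(m) in hit_list]


def should_activate(local_macs, hit_list) -> bool:
    """The second-stage payload runs only on a hit; every other infected
    host stays dormant, which is why tens of thousands of infected machines
    yield only a few hundred actual victims."""
    return bool(matching_adapters(local_macs, hit_list))


HIT_LIST = build_hit_list(TARGET_MACS)

if __name__ == "__main__":
    # Constructed hosts: laptop-1 has a targeted adapter printed in a
    # different style than the attacker's list used; laptop-2 is untargeted.
    hosts = {
        "laptop-1": ["aa-bb-cc-dd-ee-01", "de:ad:be:ef:00:01"],  # Wi-Fi + Ethernet
        "laptop-2": ["66:77:88:99:aa:bb"],
    }
    for name, macs in hosts.items():
        state = "activate" if should_activate(macs, HIT_LIST) else "dormant"
        print(name, state, matching_adapters(macs, HIT_LIST))
```

Two points follow from the design. First, the dormant majority still received and installed a signed, malicious update, so "not on the hit list" does not mean "not compromised", which is the distinction the rest of this article turns on. Second, because only hashes are embedded, an analyst who wants to know who was targeted has to hash candidate addresses (for example, every address under a vendor's OUI prefix) and look for collisions with the list, which is why the recovered count is reported as "about 600" rather than an exact figure.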
Problem? We don’t see any problem
Kaspersky’s team notified Asus of the issue on Jan. 31, but a Kaspersky researcher told Vice Motherboard’s Kim Zetter that Asus initially denied that its servers had been hacked.
It’s not clear how long this state of denial lasted. Both Kaspersky and Symantec had plenty of proof that the malware came straight from Asus’ update servers.
But even then, Asus had the completely wrong response. When a major computer-security company — whether or not you trust Kaspersky Lab, its researchers are highly respected — comes to you and tells you there’s something wrong, you listen.
How to do it right
Let’s compare this to the way LastPass, the popular password manager, handles things. As the most widely known password manager, LastPass is a pretty big target for both white-hat and black-hat hackers.
Major security flaws were found in LastPass in 2015, 2016 and 2017. But in two of those cases, LastPass quickly fixed the flaws before the researchers who discovered the flaws even disclosed them publicly.
In the third case, news of the flaw broke before the fix could be shipped, but the fix followed later the same day, and LastPass itself told its users that a fix was on the way.
I’m not shilling for LastPass here. I have issues with the way LastPass has tripled its prices in the past two years, and I can no longer recommend it as the obvious password-manager solution. But there’s no denying that LastPass has handled security issues responsibly and promptly when it was approached by security researchers who had found a problem with its software or systems.
Caught unprepared after eight weeks
Back to Asus: the company continued to do things wrong after it was notified by Kaspersky Lab. It didn't tell its customers about the issue. It did implement a back-end fix and it did beef up its security, or so Asus said today, but the company seemed to have no statement ready when the news finally broke yesterday.
It's true that Motherboard's reporter broke the story before Kaspersky was ready to disclose it (Kaspersky was saving it for its big security conference in April), but come on: Asus had eight and a half weeks to get something ready, yet it was still apparently caught off guard. It took more than 24 hours for the company to release a rather anodyne statement that minimizes the scope and significance of the problem.
Even today, Asus said "only several hundred" machines were affected in a statement to Bloomberg News. That's narrowly true if you count only those machines whose MAC addresses were on the malware's hit list. But it doesn't change the fact that at least 70,000 Asus PCs, and likely many times more, were infected by malware that came straight from Asus' own servers.
I don’t know if Asus will learn from this issue. But I hope that other companies will look at it and say to their staffers, “Let’s not be like those guys.”