These are my favorites among the issues discovered:
1. Default Username & Password: ADMIN
In 2014, a serious security issue was made public regarding the default password of Asus products. It was discovered that Asus had been shipping its routers with both the Username and Password fields preset to "default".
Even a script kiddie armed with this predictable credential could gain unauthorized access to any such router and break into the victim's network. In 2014, many Asus routers were compromised in exactly this manner.
Additionally, Asus did not bother to notify its customers to change the default username and password in order to maintain the security and privacy of their networks.
2. Easily Hackable Router Admin Panel
During the investigation, the FTC found that nearly all of the security measures Asus had put in place could be bypassed.
One of the most significant vulnerabilities uncovered allowed attackers to reach the router's admin panel and disable its security settings through the web interface.
3. Asus AiCloud & AiDisk Vulnerable to Remote Hacking
Asus's episodes of "security negligence" do not end there.
Asus's cloud services, AiCloud and AiDisk, also suffered from critical vulnerabilities that allowed an attacker anywhere in the world to access the attached hard disk remotely, resulting in complete system compromise.
AiCloud lets the customer browse the files on a USB hard drive plugged into the router, effectively turning the router into a personal mini-cloud.
Man-in-the-Middle (MITM) attacks were easy to carry out because the login details were transmitted unencrypted.
The issue had been reported back in January 2014, but after patching the vulnerability ASUS did not advise its users to upgrade their firmware, a clear case of negligence.
4. 'Check for Upgrades' is an Illusion
Regular updates are usually the most effective way to eliminate vulnerabilities. Not so in the case of Asus.
According to the collective reports, the FTC found that the button named "Check for Upgrades" was effectively a dummy: it performed no useful function.
It is believed that Asus's administrators did not load the latest patches into the upgrade database from which updates are pushed to users, so whenever a user checked for update notifications, nothing was found.