Slashdot Mirror
Dear Asus Router User: All Your Cloud Are Belong To Us
New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."
Just install DD WRT and have done with it.
Is a text file. The average computer user will not go and dig through log files, nor they will go around on the internet reading everything about each vulnerability that is exposed everyday. Years ago I copy pasted a similar text file to computers on a neighbourhood network, letting them know those specific folders were exposed on the local network and also been given r/w permissions. I was (and somehow still am) a humble user, passionate about tech, but I can always appreciate the heads-up. Just did what I think I'd like done if I were to accidentally share something on the local network, since although it might not be sensitive at first, mistakes are made regularly.
For network accessible storage that doesn't require someone to leave a computer up 24/7 to run? The Internet accessibility is so you can get stuff from home when you're away from home.
It's all part of giving Joe Sixpack the abilities of a techie with a FreeNAS server, without making him learn anything about computers or networking -- or security for that matter.
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
Quo usque tandem abutere, Nimbus, patientia nostra?
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
No one is doubting that. I'd venture it a safe wager that nine Slashdotters out of ten can set up some form of network storage using a RasPi or a spare desktop. The reason why router-based access is handy is that most routers take roughly the same electricity as a CFL light bulb, and by definition are network accessible, either via SMB, FTP, or DLNA. You're not putting a Samba share accessible on the WAN port. It's the same principle as the Western Digital Personal Cloud drives, only without using an ethernet port. The routers also allow printer sharing for standard USB printers. As an added bonus, these routers run Transmission along with QoS - no need to leave your desktop on to run your BitTorrent downloads, and the QoS is done at the router level, so instead of the computers competing for the bandwith, the router can give the torrent downloads lowest priority, and /know/ when to flush stale TCP connections. Again, all of this is done at the router level, using whatever USB storage medium happens to be handy.
If you don't see the utility in such a solution and would opt for the RasPi instead, then to each his own, I guess. I personally find the hard disk + router combination to be a lot more compelling.
I don't have to worry about this, AT ALL, because the router only worked for 2.5 hours after installation before it died. so there!
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
WTF does a ROUTER need a hard drive? That just sounds like a disaster waiting to happen.
These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN. This lets inexperienced users have network-attached storage without having to go through the process of sharing a network drive (and without having to leave a particular computer powered on all the time). Unfortunately, it looks like they weren't as careful about security in this instance as they should have been.
You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?
Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.
So you can turn your "big" computer off and let your router download a larger file 'overnight' to usb storage if you have a low end adsl connection.
i.e. you put a url to a file into the “Download Master” gui and the file will download onto the usb "hdd" device.
Domestic spying is now "Benign Information Gathering"
...oh the irony.
I have a couple of the Asus routers, and I love them. One runs as an openvpn server, the other runs a few services to simplify remote administration of an offsite location. Good little boxes.
But, it has really opened my eyes as to how bad security can be. These systems are at least slightly more secure than the WD drives. Third party firmware adds some levels of complexity, but a whole lot of functionality.
Yes. Linux prevents it. Right. And what software do these routers run as their firmware? That's right, a customized version of Linux.
The best part about this, IMHO, is that my router reports that there is no new firmware. I was able to download it from ASUS and it installed successfully. But had I not seen this article, I would have kept on assuming that mine was the latest and greatest because that is what the router told me.
Wuss.
I can do it with a stick of gum, a hair dryer, a usb jack, an RJ45 jack, some aluminum foil, and several hamsters with a hamster wheel.
And food for the hamsters for as long as you want the device to work.
Sleep your way to a whiter smile...date a dentist!
So I try a random IP, paste it in my URL bar (specifying an old, insecure file transfer protocol) and bam next second I'm looking at a guy's medical files (an excel sheet with daily blood sugar levels, what he ate that day, and sometimes comments) and his tax returns. Looked at a few pics too.
Another IP doesn't work immediately, another has the server up but no shares, another has some music and I'm downloading some to try it out, hell I even curlftps'ed in for the sake of it and it works albeit slow. Aww fuck I can even write. Dropping a few music files into an unknown spanish speaking person's short music collection.
For once.. Don't read TFA! makes feel dirty.
I wonder what's so "white hat" about some of the information that is included.
From Merlin himself:
http://forums.smallnetbuilder....
He says disable aicloud and the ftpd for now.
Genuine thanks. I have one of these models in my office, where there's just a couple of us. Never even thought about it, as we don't use it for anything other than establishing PPPoE on ADSL. Turns out we had those features all turned on, too. No disks attached - but still.
These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN.
There's a Netgear that goes one step further.
I thought Asus router firmware was open source.
has ... judgment of when and what to update.
That's more the problem. As I understand it, the last DD-WRT vulnerability was fixed within hours (not that that'll do much good if people aren't keeping it up to date)
systemd is Roko's Basilisk.
Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/
So the idea of the Asus product is that you don't have to do the hours of manual crafting that your solution requires.
Dear IT People,
Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.
Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.
But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.
But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.
If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.
If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.
Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.
Similarly, don't let these cheap, shit ADSL routers to be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.
You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.
Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.
The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.
Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.
If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if any
It also costs about $100 extra and requires a whole bunch of extra configuration and knowhow.
Theres basically no reason not to use your router as your NAS as long as it doesnt have any vulnerabilities and it meets your performance need. Simplicity is a good thing, you know?
Pretty sure the attack is on an Asus router which if i had to guess is running some unix variant...
not sure if you're trolling or what, but you really never know on slashdot.
Buy a cheap NAS. The Internet facing device should not be an all-in-one device for security reasons.
ASUS RT-N66U Firmware version 3.0.0.4.374.4422
Security related issues:
1. Fixed lighthttpd vulnerability.
2. Fixed cross-site scripting vulnerability (CWE-79).
3. Fixed the authentication bypass (CWW-592).
4. Added notification to help avoid security risks.
5. Fixed network place(samba) and FTP vulnerability.
Improvement:
1. Redesigned the parental control time setting UI.
2. Updated multi language strings.
3. Adjusted FW checking algorithm.
4. Adjusted Time zone detecting algorithm.
5. Improved web UI performance.
Do it with a pogoplug. You can run debian (or allegedly BSD) from an SD card, it gets updated more than the various router firmwares, and you can get one with USB3 for $20 brand new.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Haven't checked into other routers, but the RT-N16 has a "warranty cap". There is a capacitor on the far right of the unit, roughly centered. It's clearly designed to fail after a period of time. The rest of the capacitors are a different brand that isn't generally known to fail, the warranty cap is known to be a defective make.
Normally it takes a bit longer than the actual warranty length to fail.
Give me a break. A vulnerability was disclosed, and then some time after that it was leveraged by attackers in the wild. This is what happens.
I'm using Bell Fibe in Canada, and they supply a Modem / Router solution. I believe that Rogers (other major ISP) provides similar technology. So for many people they would not have their own router / firewall as first line of defense, they'd have ISP-supplied equipment.
Is it common in Canada or the US for people to just get a WAN Modem / Driver from their ISP and then put their own router into place? Or worse, plug their laptop right into the Driver and hope that MS firewall will keep the wolves at bay?
For wireless, the Bell / Rogers solutions both suck ass, so I disabled wireless and bought a small office WAP to punch a signal through the house where needed (the rest of my stuff is hard-wired to the switch). I don't think that would be an entry point if the security is turned up enough, right?
I have a couple of D-Link DIR825-C1 units on my network, both with DD-WRT, one in client bridge mode and the other as my router. Both have been rock solid, and a worthy upgrade from my classic WRT54G boxes.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Is it easy to recognize? It was still worth it to me to buy a second RT-N16, but I still have the failed one. Would love to resurrect it.
ClamXav on OS X reported a virus infection in one of the files in the archive: ASUSGATE/FTP-dirlist/75.183.112.181.dirlist: JAVA.Exploit.CVE_2012_1723 FOUND
I don't know exactly what to make of that, but be careful.
It'd probably take you less time to rip it open and find out than to wait for the reply, or even to find pictures in the fcc database
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I already had it open. I never figured it out. No obvious problems in there (no bulged caps), but it behaved just like a capacitor problem.
The description said that it was a different-brand cap on one side of the board all alone. You could probably have found it and desoldered it by now, if it's there. Could always be another rev of the same board, in which case any answer would be useless. If you can find your ass with both hands and a map and pour piss out of a boot with instructions printed on the heel, you're qualified to figure this one out on your OR.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I didn't have it open today - I had it open 6 months ago.
I misread on the brand part.
Why is this bother you so much?
This firmware has been available for several days but if you go into your router and have it check for an update (and you are running the one from months ago like I was) it still says you are using the current version.
I'll NEVER buy another ASUS router again. Their routers get such good reviews. I think it's time to just start running pfsense in a VM on my linux box and just be done with it. Just use the wifi on these shitty routers for wireless lan access.
The way I did. Now, if you're not an experienced sysadmin, and want to use your Asus router for *anything* else, give up. I've got DD-WRT on mine, and it took months, for the simple reason that I wanted to use the router, as it advertised on the box, to serve a USB printer.
Calling Asus about the stock firmware, when I told them my printer, they told me, "oh, it servers printers, but not that printer, you should have checked what we support...." The box does *NOT* say "only supports some printers...."
So I went for DD-WRT. That's a disaster. The web site - after a month or so of screwing around on and off, I found someone who knew something, saying, IGNORE THE ROUTER DATABASE. You know, the first thing it tells you to use when you go to the DD-WRT home page? And the guy went on to say, that the d/b was out of date at best, and *wrong* at worst.
Then I got into the "help" forum. I've been in the field since before some of you were born... and I have *never* seen a project where folks talked about their "favorite build". !!! And one where one thing gets fixed in a build by one person, but something else breaks (regression tests? What are those?) And they have no formal releases, just some lead developers' builds.
I can't see how I can ever update the firmware, since I don't want to break what works...
So if you just want it as a router, or maybe even w/ QoS, DD-WRT ok. Otherwise, be prepared for a lot of grief (and you'll get real familiar with restoring the original firmware to start all over again).
mark
Hi all, it's an honor to be linked by /. as part of this story. I wanted to post to draw further attention to what has already been discussed here: it hasn't yet been confirmed that the fix from months ago addresses all vulnerabilities mentioned. As Eric, the author of the firmware stated, please ensure the AI Cloud and FTP services are disabled for now if using this firmware. I would further add (also already discussed here) that a better-safe-than-sorry approach is to stick to alternative software for "AI Cloud"/FTP solutions. For example, if I needed FTP, I'd rather use a much tested/hardened/known good dedicated FTP solution rather than one baked into any router.
Thanks!
It's next to impossible to know what DD-WRT version/build/release to install on anything.
It's certainly not easy. It's clearly a mess. I wouldn't say it's "next to impossible". I spent about an hour figuring out what I needed to do, after installing a version suggested by the selection tool (that did not work very well).
Very easy, yes.. there's one that stands off on its own. I had 5 of them in service, they all died within the same month.