Slashdot Mirror


Dear Asus Router User: All Your Cloud Are Belong To Us

New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."


  1. Open Source is better. by Anonymous Coward · · Score: 4, Insightful

    Just install DD WRT and have done with it.

    1. Re:Open Source is better. by cheater512 · · Score: 2

      Yep DD-WRT is on my RT-AC66U. Works brilliantly.

    2. Re:Open Source is better. by AlphaWolf_HK · · Score: 5, Informative

      I've got an RT-AC66U myself and honestly I like tomato (shibby version) a hell of a lot better for it. Multiple reasons, but the biggest include:

      The interface in DD-WRT is clunky; by that I mean they use a worse than MS Windows* style of individual fields for IP address octets so that you have to tab between fields instead of naturally typing it out in the dot notation like you do everywhere else; and if you change one setting that uses a refresh object it *very annoyingly* undoes any unsaved settings you may have made on that page. *(MS Windows is actually slightly better here because if you type in the dots it automatically moves to the next field, whereas DD-WRT does not, requiring you to tab instead, and if you make an error in a previous field you have to shift-tab and arrow to your mistake instead of simply hitting backspace.)

      Tomato has really nifty links for doing things quickly. A beautiful example is like giving a MAC address a sticky dynamic IP address just requires a click, typing the IP address and desired hostname (for local DNS resolution if you desire) and then clicking save. With DD-WRT you have to go through numerous steps just to type in the MAC address.

      DD-WRT's QoS functions, and its network monitoring and analysis functions are downright awful compared to tomato. Just straight up awful.

      DD-WRT deliberately cripples certain features unless you pay for them (such as its QoS features, which even the paid version is worse than what Tomato offers for free.)

      (Kind of hypocritical too because DD-WRT was originally built by a group that was tired of the Sveasoft guy hoarding his changes to the GPLed code to only those who paid him, but I don't count that against them because I'm more of a "I use what works" kind of guy.)

      Then again I'm a hobbyist when it comes to networks, so I might have more stringent demands than anybody else.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK

    3. Re:Open Source is better. by wisnoskij · · Score: 2

      I installed Tomato once, went back to DD-WRT less than an hour later.
      Tomato does some cool stuff, but its complete lack of pretty much every feature that DD-WRT has was a deal breaker.

      --
      Troll is not a replacement for I disagree.

    4. Re:Open Source is better. by omnichad · · Score: 2

      Just FYI - I had a lot of trouble finding instructions. So here you go:
      http://tomatousb.org/forum/t-2...

      I used Lassik's instructions (multiple posts). And yes, I only found the firmware on the 4shared site:
      http://www.4shared.com/dir/v1B...

  2. Best way to let someone know something's amiss by cosmin_c · · Score: 2

    Is a text file. The average computer user will not go and dig through log files, nor will they go around on the internet reading everything about each vulnerability that is exposed every day. Years ago I copy-pasted a similar text file to computers on a neighbourhood network, letting them know those specific folders were exposed on the local network and had also been given r/w permissions. I was (and somehow still am) a humble user, passionate about tech, but I can always appreciate the heads-up. Just did what I think I'd like done if I were to accidentally share something on the local network, since although it might not be sensitive at first, mistakes are made regularly.

    1. Re:Best way to let someone know something's amiss by TWX · · Score: 2

      I thought that the best way was to put dozens of iterations of something in the run folder of their start menu. Like that "screen mate" program that launched iterations of rams that walked around on top of the windows and "munched" on GUI items, or Tiny Elvis, which would walk around on the taskbar and comment on how huuuge things were...

      --
      Do not look into laser with remaining eye.

    2. Re:Best way to let someone know something's amiss by Penguinisto · · Score: 4, Interesting

      Do be careful about that...

      I did that once, years ago, on a hotel WiFi network while traveling - I found a wide-open shared directory (I was bored, so I sniffed around, and...) The folder had a lot of rather sensitive-looking stuff laying about in it, judging by the filenames. I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it. The next morning, I was walking by the front lobby desk when I heard a hysterical woman demanding that the staff call the cops because she'd been "hacked".

      First, last, and only time I'll ever be a good samaritan. :(

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?

    3. Re:Best way to let someone know something's amiss by Somebody+Is+Using+My · · Score: 4, Insightful

      Which works until you use this method to "advise" the wrong person, who contacts the cops and you end up arrested for computer trespassing. Too often we hear stories about people intending to do good being blamed for the message they bring.

      Unfortunately, there doesn't seem to be any "right" way to bring these problems to the attention of the user or the developer since the laws all seem to be unfairly balanced against the whistleblower. There is an automatic assumption that anyone providing the information could only have come upon the data because they were intending to do something malicious.

      Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave in to that impulse, but boy, sometimes it was quite a struggle.

    4. Re:Best way to let someone know something's amiss by jones_supa · · Score: 2

      I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it.

      That wasn't a very elegant way to handle that. Snooping into other people's files and telling them what to do is not cool, no matter if the objects are password-protected or not. I guess that's why the woman freaked.

      And if I were to get a little text file like that, how would I know that you didn't actually tamper with something else in the process?

      I know you were just trying to help, but still...

    5. Re:Best way to let someone know something's amiss by FireFury03 · · Score: 3, Insightful

      Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave in to that impulse, but boy, sometimes it was quite a struggle.

      There are legitimate reasons for using WEP.

      I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
      1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
      2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.

      Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).

    6. Re:Best way to let someone know something's amiss by FireFury03 · · Score: 2

      Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth.

      Smashing a window and entering your home takes minutes and almost zero effort. There may be completely unsecured homes around but whether they are actually as vulnerable depends on 1) the value of anything in the home and 2) how many people are present in the open home at the time.

      My point was that placing encryption on a network, however insecure that is, demonstrates that the network is private - anyone who accesses the network has consciously broken into it in the full knowledge that they were committing a crime. Compared to an open network where there may well be no way to know that it wasn't intentionally left open as a hotspot. So, if you break into my network (however trivially) and start screwing with things like SSID settings, I'd want you to be arrested because you were knowingly committing a crime.

      You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on the internet, all of which you would be potentially liable for. That is, unless you require VPN authentication before allowing internet access.

      Where I live, people are not criminally liable for other people's actions, so no, I wouldn't be liable for someone doing something illegal through my network.

  3. Re:Hard drive? by SeaFox · · Score: 2

    For network accessible storage that doesn't require someone to leave a computer up 24/7 to run? The Internet accessibility is so you can get stuff from home when you're away from home.

    It's all part of giving Joe Sixpack the abilities of a techie with a FreeNAS server, without making him learn anything about computers or networking -- or security for that matter.

  4. Re:Hard drive? by Voyager529 · · Score: 2

    Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/

    No one is doubting that. I'd venture it a safe wager that nine Slashdotters out of ten can set up some form of network storage using a RasPi or a spare desktop. The reason why router-based access is handy is that most routers take roughly the same electricity as a CFL light bulb, and by definition are network accessible, either via SMB, FTP, or DLNA. You're not putting a Samba share accessible on the WAN port. It's the same principle as the Western Digital Personal Cloud drives, only without using an ethernet port. The routers also allow printer sharing for standard USB printers. As an added bonus, these routers run Transmission along with QoS - no need to leave your desktop on to run your BitTorrent downloads, and the QoS is done at the router level, so instead of the computers competing for the bandwidth, the router can give the torrent downloads lowest priority, and /know/ when to flush stale TCP connections. Again, all of this is done at the router level, using whatever USB storage medium happens to be handy.

    If you don't see the utility in such a solution and would opt for the RasPi instead, then to each his own, I guess. I personally find the hard disk + router combination to be a lot more compelling.

  5. I have an Asus RT-N66U with OEM Firmware and... by mandark1967 · · Score: 2

    I don't have to worry about this, AT ALL, because the router only worked for 2.5 hours after installation before it died. so there!

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain

  6. Re:and this is why smart people don't touch window by the_B0fh · · Score: 4, Insightful

    You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?

    Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.

  7. Re:and this is why smart people don't touch window by aaarrrgggh · · Score: 2

    ...oh the irony.

    I have a couple of the Asus routers, and I love them. One runs as an openvpn server, the other runs a few services to simplify remote administration of an offsite location. Good little boxes.

    But, it has really opened my eyes as to how bad security can be. These systems are at least slightly more secure than the WD drives. Third party firmware adds some levels of complexity, but a whole lot of functionality.

  8. Re:Hard drive? by davester666 · · Score: 3, Funny

    Wuss.

    I can do it with a stick of gum, a hair dryer, a usb jack, an RJ45 jack, some aluminum foil, and several hamsters with a hamster wheel.

    And food for the hamsters for as long as you want the device to work.

    --
    Sleep your way to a whiter smile...date a dentist!

  9. Asuswrt Merlin ROM did NOT take care of this by tmo72 · · Score: 3, Informative

    From Merlin himself:
    http://forums.smallnetbuilder....
    He says disable aicloud and the ftpd for now.

  10. Re:and this is why smart people don't touch window by wonkey_monkey · · Score: 2

    I thought Asus router firmware was open source.

    has ... judgment of when and what to update.

    That's more the problem. As I understand it, the last DD-WRT vulnerability was fixed within hours (not that that'll do much good if people aren't keeping it up to date)

    --
    systemd is Roko's Basilisk.

  11. Dear IT People by ledow · · Score: 4, Informative

    Dear IT People,

    Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.

    Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.

    But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.

    But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.

    If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.

    If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.

    Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.

    Similarly, don't let these cheap, shit ADSL routers be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.

    You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.

    Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.

    The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.

    Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.

    If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if any

    1. Re:Dear IT People by ledow · · Score: 2

      That's the way I do things, too, but the critical first step is to secure the borders.

      My usual home setup is actually:

      Internet router (everything disabled and DMZ enabled so it merely pipes all traffic to next device without processing it, like a modem).
      - to -
      Router / firewall (which treats all external traffic as hostile).
      - to -
      Wireless AP and LAN (separate ports / numbering / VLAN)

      But even there, the Wireless has client separation (so one dodgy PC on the wireless can't see another), it's treated as "untrusted" to all my client devices (so they are providing software firewall to all traffic too) and they actually VPN into the router/firewall to do everything. Not going to get stung by all that WEP/WPA/WPA2 junk going wrong, historically they just aren't secure enough and I don't trust them.

      It blows people's minds that I can give them the wireless key and they STILL can't do anything while my computers (with their VPN keys) work just fine over it, and the performance impact is absolutely negligible even for gaming (it has to go through the same network devices anyway, and there are no more round-trips than normal, just a tiny bit of encryption at each end which on a modern machine isn't worth worrying about). I have guest wireless access which I can manually enable if people are over, and it obviously does nothing more than lets them talk out (not to the LAN).

      The router/firewall is the only device "at risk" and I take great care to make it do as little processing as possible and to separate out the networks (wireless is, again, untrusted on that router but it can access the VPN port, LAN is "trusted" and all-cabled, the only external access is via the VPN port).

      Almost no impact on my life past setup (have to install the VPN client and keys on a new computer - takes about a minute - and you're putting in WPA2 keys etc. at that stage anyway, so no big deal). The VPN auto-connects and verifies the server whenever it's on the home wireless - I don't have to click anything at all. When an authenticated device is taken outside the home, the same VPN software can connect remotely with the same keys.

      None of this MAC authentication crap - a MAC is too easily read and forged. You have to have my VPN keys (and hence, have been seen, verified and installed by me) to get anywhere. They are non-reversible, revokable, and can be limited in any number of ways (i.e. internal but not external access, external access but no file-sharing, etc.)

      The setup of the whole thing I have redone every few years when I've moved house or whatever. It never takes very long. My girlfriend has zero problems with it - it all "just works" after a one-minute VPN client/key install. I game and don't notice any problems.

      And yet, when you look at the junk in the logs that comes out of a single friend's wireless connection or bounces off from the Internet-side of things, it's scary.

  12. The FEB-12-2014 firmware fixes N66 units by rs1n · · Score: 4, Informative

    As the title suggests, the firmware update on 2/12/2014 supposedly fixes the issues. http://support.asus.com/downlo...

    ASUS RT-N66U Firmware version 3.0.0.4.374.4422
    Security related issues:
    1. Fixed lighthttpd vulnerability.
    2. Fixed cross-site scripting vulnerability (CWE-79).
    3. Fixed the authentication bypass (CWW-592).
    4. Added notification to help avoid security risks.
    5. Fixed network place(samba) and FTP vulnerability.

    Improvement:
    1. Redesigned the parental control time setting UI.
    2. Updated multi language strings.
    3. Adjusted FW checking algorithm.
    4. Adjusted Time zone detecting algorithm.
    5. Improved web UI performance.
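
An added example, not part of rs1n's comment and not Asus tooling: a small Python audit that applies the facts stated in this thread (the affected model list from the summary, the RT-N66U build quoted above, and the advice relayed by tmo72 to disable AiCloud and the FTP daemon) to a router inventory. The `Router` record, the finding codes and the inventory entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Affected models, as listed in the story summary on this page.
AFFECTED_MODELS = {
    "RT-AC66R", "RT-AC66U", "RT-N66R", "RT-N66U", "RT-AC56U",
    "RT-N56R", "RT-N56U", "RT-N14U", "RT-N16", "RT-N16R",
}
# The only fixed build named on this page (RT-N66U, from the comment above).
FIXED_BUILDS = {"RT-N66U": "3.0.0.4.374.4422"}


@dataclass
class Router:  # hypothetical inventory record, not an Asus data format
    name: str
    model: str
    firmware: str
    ftp_enabled: bool
    aicloud_enabled: bool


def parse_version(text):
    """Return a dotted numeric version as a tuple of ints, else None."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None  # e.g. third-party builds carrying a text suffix
    return tuple(int(p) for p in parts)


def audit(router):
    """Return finding codes for one router; an empty list means no finding."""
    model = router.model.upper()
    if model not in AFFECTED_MODELS:
        return []
    findings = []
    fixed = FIXED_BUILDS.get(model)
    current = parse_version(router.firmware)
    confirmed_fixed = False
    if fixed is None:
        findings.append("no-fixed-build-on-page")  # look it up with the vendor
    elif current is None:
        findings.append("firmware-unparseable")
    elif current < parse_version(fixed):
        findings.append("firmware-below-fixed")
    else:
        confirmed_fixed = True
    # Until the build is confirmed fixed, the exposed services are the risk.
    if not confirmed_fixed:
        if router.ftp_enabled:
            findings.append("ftp-enabled")
        if router.aicloud_enabled:
            findings.append("aicloud-enabled")
    return findings


# Constructed sample inventory (names and firmware strings are made up).
INVENTORY = [
    Router("attic", "RT-N66U", "3.0.0.4.374.979", True, False),
    Router("office", "RT-N66U", "3.0.0.4.374.4422", True, True),
    Router("garage", "rt-ac66u", "3.0.0.4.374.39_0-em", False, True),
    Router("legacy", "WRT54G", "4.21.5", True, False),
]

if __name__ == "__main__":
    for r in INVENTORY:
        print(f"{r.name:8} {r.model:9} {', '.join(audit(r)) or 'ok'}")
```

Fixed builds for the other listed models are not given in this thread, so the audit reports them as unknown rather than guessing.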

  13. RT-N16 will be secured automatically when it dies. by compwizrd · · Score: 2

    Haven't checked into other routers, but the RT-N16 has a "warranty cap". There is a capacitor on the far right of the unit, roughly centered. It's clearly designed to fail after a period of time. The rest of the capacitors are a different brand that isn't generally known to fail, the warranty cap is known to be a defective make.

    Normally it takes a bit longer than the actual warranty length to fail.