Asus Routers

SpellowHouse said:
they have a very comprehensive array of features, and they are the same from one router to the next so you know what you are getting
Click to expand...
You basically just described OpenWRT.
SpellowHouse said:
but honestly didn't understand the language and found the configuration really hard going. And my supplier, Zen, will not support "other routers" any more. And before anyone says it, I don't want to learn it either. I have better ways to spend my time.
Click to expand...
I'm not kidding you can literally setup an OpenWRT router wifi and stuff in like 3 clicks (max 2 minutes even if never done it before) then never have to open up the router page again, unless you want to update the firmware.

Go to 10:57 here until 12:30 as an example:

That is all you do. That covers how to setup PPPoE (if your ISP needs it) and Wifi config via GUI.

It can get even easier where you literally don't even have to access the router interface at all after you flash the OpenWRT image to the router (usually via stock firmware webpage). On the firmware selector page of OpenWRT, select your router, then click "Customize installed packages and/or first boot script" then the little cogwheel. It will auto setup PPPoE and wifi for you with what credentials you want. Click request build and that's it.

We also haven't even talked about price yet. Imagine spending £200 on any brand router when a router capable of running OpenWRT will do the exact same job for £20 and consume less power.
 
Last edited:
Ice Tea said:
I haven't used OpenWRT for years. Have they resolved the issue of poor WiFi speeds and higher CPU loads due to lacking access to the proprietary ASIC accelerators on consumer routers?
Click to expand...
Yes and no. The main wifi 6 socs with the best support right now are MediaTek because the wifi drivers are fully open source. Speed wise they are fine. People are getting over a gig wireless if the conditions are right. MediaTek (starting with the MT7621 SOC found in these £20ish routers) also has proper software and hardware flow offloading support. You can route a gig with like 2% CPU load on a 880 Mhz SOC.

The second most popular is Qualcomm wifi 6 and that's where the no comes in. The open source qualcomm drivers work but from my limited looking they top out around 600 Mbps wireless. To get around this people make special builds with NSS closed source drivers and they basically match MediaTek for speed but they also have slightly lower wifi latency. I actually ordered 2 Qualcomm OpenWRT capable devices last week to do some testing myself with mesh.

So basically speed is not a problem now thanks to MediaTek and if you can live with closed source wifi drivers, Qualcomm also good.
 
Last edited:
ChrisD. said:
That's because they are paid reviews, or reviews by people who have zero clue about what they're talking about. Plenty of alternatives have been mentioned in this thread - UniFi, OPNsense etc, you ignore them.
Click to expand...

I'm not ignoring them at all. Most of them are too low spec and the one that is pretty interesting is quoted as "the loudest router I have ever heard" by several owners.

I am sure that I will find something, but that's not really the point. The point is that this sub-forum tends to be the worst for concentrating on attacking peoples choices rather than being constructive.
 
Last edited:
SpellowHouse said:
The point is that this sub-forum tends to be the worst for concentrating on attacking peoples choices rather than being constructive.
Click to expand...
What a silly thing to say. By that logic, you could be a P Diddy fan and nobody should point out that by continuing to buy and support the crap he put out, you are supporting an abuser with a long and well documented history of abuse that any reasonable person would be appalled by, and anyone who does has to then suggest non rapey/abusive music for you.

It’s not anyone else's job to find you something else to buy, you’re basically buying OWRT in an expensive dress anyway, and this is, or at least was a hardware enthusiasts community, and the networking sub section of that, if you know enough to want to run a third party router, you can make better choices, but please don’t try and blame others for your lack of willingness not to buy garbage, thats 100% you.
 
SpellowHouse said:
I am sure that I will find something, but that's not really the point. The point is that this sub-forum tends to be the worst for concentrating on attacking peoples choices rather than being constructive.
Click to expand...
lol. there's a difference between criticising someone's choices for subjective choices (like Intel is bad, go AMD) and objective reasons (like recommending products from a brand that have major security flaws).

If I tell someone to buy brand X and that brand has known issues with security flaws and that someone gets hacked and their data is stolen, they would be rightfully upset.

You can choose whatever brand you want but you can't make recommendations where you know there are problems so running around claiming that you are the victim here is not going to work and as much as you are free to your own opinion, you are also free to be criticised for said opinion.

A lot of people on this forum have years of experience in the industry and will yet gladly yield where there are facts that they are not aware of, maybe be one of these people?
 
ChrisD. said:
More Asus positivity.

arstechnica.com

Thousands of Asus routers are being hit with stealthy, persistent backdoors

Backdoor giving full administrative control can survive reboots and firmware updates.
arstechnica.com arstechnica.com
Click to expand...
I mean, yeah it doesn't look great, but, it's essentially a new report of an old CVE

This article is about the malware itself, not about a new security issue. It's getting installed through brute forcing of the login, or through old security issues (one of which is from 2023 - which has been long fixed).

Another reminder to keep everything up to date and replace EOL equipment.
 
Last edited:
Was it ever confirmed if Merlin had anything to do with Asus, or if he is just some chap that like to have a firmware fiddle in his bedroom?
 
Last edited:
superleeds27 said:
I mean, yeah it doesn't look great, but, it's essentially a new report of an old CVE

This article is about the malware itself, not about a new security issue. It's getting installed through brute forcing of the login, or through old security issues (one of which is from 2023 - which has been long fixed).

Another reminder to keep everything up to date and replace EOL equipment.
Click to expand...

It's an authentication bypass that Asus are responsible for, chained to a patched CVE which then provides persistent SSH access. Asus's firmware updates don't remove the SSH changes, and as far as I can tell there has been no mass communication from their side of "patch your router and then factory default it", so it's totally fair to lay the blame with Asus. One of the models is the RT-AX55 (https://www.asus.com/networking-iot...ries/rt-ax55/helpdesk_bios?model2Name=RT-AX55), where's the notice that there's a problem with it and it needs defaulting? There's no mention of any critical security flaws that have been resolved in the change log, so how are users meant to know about them? The technical writeup contains a review of some of the code that Asus are curling out, and it contains:

Authors Note: While not directly relevant to our current investigation, --no-check-certificate on the wget command means that your Google OAuth token is sent to a remote server without validating the SSL/TLS certificate. This has implications.
Click to expand...

This is most likely because they don't want it to fail when the clock is set incorrectly because they are too lazy to handle that condition and suggest that the user might want to check the time, but it means that anyone can MITM the OAuth token because the router will just ignore cert errors. This stuff doesn't happen in a professional development environment, but it absolutely happens when people throw any old crap together until it compiles without errors and then ships it.

You can't sell things and pretend they're not your problem. I would like to see more ISPs suspending service where compromised devices are connected, only when Asus and others get a reputation for being the router that gets your connection turned off every couple of years will there be any incentive to change. That or an import ban.
 
Last edited:
Caged said:
It's an authentication bypass that Asus are responsible for, chained to a patched CVE which then provides persistent SSH access. Asus's firmware updates don't remove the SSH changes, and as far as I can tell there has been no mass communication from their side of "patch your router and then factory default it", so it's totally fair to lay the blame with Asus. One of the models is the RT-AX55 (https://www.asus.com/networking-iot...ries/rt-ax55/helpdesk_bios?model2Name=RT-AX55), where's the notice that there's a problem with it and it needs defaulting? There's no mention of any critical security flaws that have been resolved in the change log, so how are users meant to know about them? The technical writeup contains a review of some of the code that Asus are curling out, and it contains:



This is most likely because they don't want it to fail when the clock is set incorrectly because they are too lazy to handle that condition and suggest that the user might want to check the time, but it means that anyone can MITM the OAuth token because the router will just ignore cert errors. This stuff doesn't happen in a professional development environment, but it absolutely happens when people throw any old crap together until it compiles without errors and then ships it.

You can't sell things and pretend they're not your problem. I would like to see more ISPs suspending service where compromised devices are connected, only when Asus and others get a reputation for being the router that gets your connection turned off every couple of years will there be any incentive to change. That or an import ban.
Click to expand...

That's fair. I did read through some of the technical stuff but majority of it was over my head. Like you say, if they haven't communicated that you need to wipe the router (because the update itself can't remove the issue) then i agree, that's poor.

What's the alternative, UCG-Ultra and a U6-Pro (or two)?
 
It seems like a key component of the vulnerability is that it's persistent, and I can't see anywhere in those Asus advisories that you need to factory default the device. They could have built detection logic into the patch to clear out the SSH config, and they also didn't do that.
 
Last edited:
Caged said:
It seems like a key component of the vulnerability is that it's persistent, and I can't see anywhere in those Asus advisories that you need to factory default the device. They could have built detection logic into the patch to clear out the SSH config, and they also didn't do that.
Click to expand...
The way they have handled it is completely inadequate and downright irresponsible especially considering they cater to the lamen. The average person will just update the firmware and think that's it. I mean it's criminal not to mention in the chagelog at least that extra steps are required.
 
John24 said:
The way they have handled it is completely inadequate and downright irresponsible especially considering they cater to the lamen. The average person will just update the firmware and think that's it. I mean it's criminal not to mention in the chagelog at least that extra steps are required.
Click to expand...
C'mon, this is ASUS, the fact they actually bothered to patch it, even if they only half arsed it and didn't follow anything resembling the accepted process (which doesn't at all feel like it being swept under the carpet) is massive progress, if anything, long term victims users should be grateful, or even celebrate this for the clusterduck of stupidity joyous event it is!
 
Last edited:
Ice Tea said:
Was it ever confirmed if Merlin had anything to do with Asus, or if he is just some chap that like to have a firmware fiddle in his bedroom?
Click to expand...

Just shows how long I've been out of the loop, as this was finally answered back in 2019. He did seem to have a lot of in-house knowledge about Asus, which is why some people speculated about his association.

sourceforge.net

April 2019, “Community Choice” Project of the Month – Asuswrt-Merlin - SourceForge Community Blog

For our April 2019 “Community Choice” Project of the Month, the community elected Asuswrt-Merlin, an alternative firmware for Asus wireless routers. Developer Eric Sauvageau shared some thoughts about ...
sourceforge.net sourceforge.net


SF: What was the first big thing that happened for your project?
ES: I’d say the first time I was in contact with Asus, who said they were aware of my project, and wanted to see how they could possibly help me continue to develop this project. Over the following months our relationship grew, making easier for my project to grow, and also helping motivate me in going forward, as I knew I had interest from both the manufacturer, and the end users. They also greatly helped the project grow in scope by providing me hardware samples of new routers they released over the years, allowing me to implement support for these new devices. Now, I have contacts with multiple members from their development and management team back at their Taiwanese HQ. It’s a relation that benefits both parties, as a number of users have mentioned buying Asus routers specifically because of this firmware project of mine.


SF: What helped make that happen?
ES: Possibly a bit of chance, as I had contacted them during the early days of the project to ask something about the firmware code, and also provide them with bug fixes I had developed on my own end. I was surprised one day to find out they even acknowledged my contribution in the changelog posted on their support site along with a new firmware release that included my submitted fixes. I’d say what really helped was their own openness to this project, something I’m not sure I might have found with other manufacturers. I know a fellow developer who does something similar to me but for another well known manufacturer, and he never could get them to really collaborate with him, even making his work harder than it should be at times. So, I was possibly a bit lucky in having picked a very open manufacturer.
Click to expand...
 
You must log in or register to reply here.
Back
Top Bottom