Asus Router Security Blunders

mysticsniper · 25 Feb 2016 at 11:26

An embarrassing state of affairs for Asus. :eek:

Hard to believe that the size of this company has such poor security on their products.

https://www.ftc.gov/news-events/pre...rges-insecure-home-routers-cloud-services-put

zoomee · 25 Feb 2016 at 11:34

grrr - Asus have a lot to account for recently with their router updates!. They were lucky they had RMerlin to help address stuff but he's dwindled down his output now due to health problems.

randal · 25 Feb 2016 at 11:37

Yeah this is one of the reasons why I ditched my N56U and went for pfSense, too many vulnerabilities popping up.

mysticsniper · 25 Feb 2016 at 11:40

These are my favs discovered :eek:

1. Default Username & Password: ADMIN
In 2014, a serious security issue had been brought to the public regarding the default password of Asus products. It was discovered that Asus had been shipping their routers with both Username and Password fields with "default" as preset.
Even a script kiddie with this predictable credential could gain the unauthorized access to any router and hack into victim’s network. In 2014, many Asus routers were compromised in such a manner.
Additionally, Asus did not bother to notify its customers to change the default usernames and passwords in order to maintain the security and privacy of their network.

2. Easily Hackable Router Admin Panel
During the investigation, the FTC uncovered that nearly all the security measures taken by Asus had been dodged.
One of the prevalent security vulnerability uncovered that allowed hackers to gain the admin panel and disable the security settings via the web interface.

3. Asus AiCloud & AiDisk Vulnerable to Remote Hacking
"Security Negligence" episodes of Asus are not yet over.
The cloud service offered by Asus named AiCloud and AiDisk also suffered from the critical vulnerabilities that allowed an attacker to access your Hard Disk remotely from any part of the world, resulting in complete system compromise.
AiCloud offers the customer to browse through the files (in a cloud) that facilitate users to use it as a mini-cloud after plugging the USB Hard drive into the router.
Man-in-the-Middle (MITM) attacks were easy to get executed in between because the login details were unencrypted during the transmission.
The issue had been reported back in January 2014, but ASUS did not advise its users to upgrade their firmware after patching up the vulnerability, which shows the clear case of negligence.

4. 'Check for Upgrades' is an Illusion
Regular updates are usually a vulnerability killer in all aspects. But it is different in the case of Asus.
According to the collective reports, FTC found that the button named "Check for Upgrades" is just a dummy without any special functions embedded.
It is believed that the administrators did not import the latest patches into the Upgrade database; making it available for its users via push; whenever a user scans for any notifications.

Orcvader · 25 Feb 2016 at 11:56

Hopefully this will give Asus a massive wakeup call. I have all the cloud stuff disabled as I don't use that, and changed the password so I hopefully should be fine on that...

The check for updates button has always bugged me, it never worked on my old RT-N53 even though I could clearly see a new firmware on the Asus site. It seems to be working so far for more RT-AC68U though.

zoomee · 25 Feb 2016 at 13:12

20 years of Security audits will force Asus to pull their finger out.

On a side note - why did they pick on just Asus? - surely theres plenty of router manufacturers out there that do worse!

Rroff · 25 Feb 2016 at 13:17

There are definitely a lot worse but they are smaller names than Asus - even today on some routers it is quite trivial to get to the web page for flashing a new firmware if you know a specific URL string.

I have all WAN services disabled and cloud functionality disabled on mine so hopefully nothing too vulnerable to outside attack.

zoomee · 25 Feb 2016 at 13:45

Same ere bud - all that Ai poop is disabled on mine as standard.

Most of the suggestions are down to things like user education I'd say. I'm 100% sure that other manufacturers don't force you to do stuff like change your default password etc too.

Looks to me like the FTC have a bug to bear with Asus - Last time they got done was for having too much power available to WIFI setups, now its security.

Maybe they just upset that Asus havn't bent over and given them a back door to kick in whenever they feel like it

bledd · 25 Feb 2016 at 14:12

Move to Ubiquiti Edgerouter Lite + any switch + Ubiquiti unifi access point

KIA · 25 Feb 2016 at 19:19

bledd. said:
Move to Ubiquiti Edgerouter Lite + any switch + Ubiquiti unifi access point

Ubiquiti is far from perfect.

Consumer router security has always been a joke.

APM · 25 Feb 2016 at 20:37

What about custom distros with Asus routers?

zoomee · 26 Feb 2016 at 10:13

TBH most of these 'security issues' were resolved a while back. They were identified back in 2014 and resolved with various patches and new firmware during 2015.

It's a non-issue really for owners of Asus routers but I personally think its highly unfair that Asus was singled out for this - Lets see the security results for other manufacturers......

Asus - X
• Belkin
• Billion
• Buffalo
• D-Link
• ****
• Dynamode
• Edimax
• Linksys
• MSI
• Netgear
• On Networks
• Sitecom
• Sweex
• Thomson
• TP-LINK
• TRENDnet
• US Robotics
• Zyxel

I'd say the likes of Thompson and TP-Link have more routers here in the UK as they are the de-facto standard supplied by most Internet providers. Most people don't change their standard router.

KIA · 26 Feb 2016 at 18:00

APM said:
What about custom distros with Asus routers?

There's potential for the situation to be just as bad.

Some of the custom firmware strip out the cloud stuff, which is a big bonus.

Use the latest firmware version
Change the default admin password
Don't enable WAN administration (SSH, FTP, Web UI)
Don't enable WPS
Don't disable the router's firewall
Disable UPnP

If I were using the official ASUS firmware, I'd disable the cloud features.

Werewolf · 26 Feb 2016 at 18:23

KIA said:
There's potential for the situation to be just as bad.

Some of the custom firmware strip out the cloud stuff, which is a big bonus.

Use the latest firmware version

Change the default admin password

Don't enable WAN administration (SSH, FTP, Web UI)

Don't enable WPS

Don't disable the router's firewall

If I were using the official ASUS firmware, I'd disable the cloud features.

That's pretty much the same as every router I've ever seen.

Isn't this the same sort of thing (except it used to be about Wireless passwords mainly) that has been going on since day 1 of home routers.

I'm sure I remember the fuss about default passwords going back at least ten years.

APM · 27 Feb 2016 at 16:06

KIA said:
There's potential for the situation to be just as bad.

Some of the custom firmware strip out the cloud stuff, which is a big bonus.

Use the latest firmware version

Change the default admin password

Don't enable WAN administration (SSH, FTP, Web UI)

Don't enable WPS

Don't disable the router's firewall

If I were using the official ASUS firmware, I'd disable the cloud features.

That's about where I am so no worries.

joeyjojo · 27 Feb 2016 at 18:24

Werewolf said:
That's pretty much the same as every router I've ever seen.

Right. I'd be more worried about exploits in features one does want enabled, e.g. that upnp one the other year.

KIA · 28 Feb 2016 at 17:05

It goes without saying that UPnP should be disabled if you're looking to make the router and local network as secure as possible. I don't want any application on my LAN to allow traffic through my router without my say so. I've updated my list, thanks for reminding me.

Is convenience going to trump security?