Recent content by Patricia

  1.

    FTC Dings ASUS For Selling 'Secure' Routers.

    Not sure if that helps as all brands suck when it comes to securing their router firmware. It's a bit ridiculous that exploits that stopped working in the 90s still work on many routers. I hope the FTC or whoever has the authority cracks down on all vendors. If they need to make an example out...
  2.

    FTC Dings ASUS For Selling 'Secure' Routers.

    Not trying to be mean but you're some random dude on the Internet. I'd be happy to prepare a shiny deck and PoC to give you a crash course on past CVEs, non-public vulns fixed without CVEs, walk through the exploits with step by step explanation, and also educate you on how the severity ratings...
  3.

    FTC Dings ASUS For Selling 'Secure' Routers.

    They need to pay someone to do this job ;). Besides, if there are 0-days it would do more harm than good posting this in a public forum. I did hear from my friends that custom wrts have additional features in this area that stock wrt doesn't. So it's probably worth digging into that. But...
  4.

    FTC Dings ASUS For Selling 'Secure' Routers.

    Your asuswrt had web endpoints to initiate things like tracert, pings, etc. The URI for the endpoint looked like this (simplified explanation to approximate the issue): http://router_ip/command.ext?cmd=ping&arg=dest_ip. The router then just concatenated the cmd and arg and called system on...
  5.

    FTC Dings ASUS For Selling 'Secure' Routers.

    Good way to raise the bar but it doesn't protect you from things like command injections and memory corruption flaws which may not do auth in time. At any rate, I think the FTC gave all vendors a nice wake up call. A great step in the right direction for consumers.
  6.

    FTC Dings ASUS For Selling 'Secure' Routers.

    I need to see if they fixed this but it used to be possible to turn remote on when it was off from the Internet. Also keep in mind, most attacks can use your browser as a bridge to proxy malicious requests from the Internet to appear as if they're from the local Intranet... Hint, it's spec'ed...
  7.

    FTC Dings ASUS For Selling 'Secure' Routers.

    Right, nothing will likely have perfect security. What I meant earlier was the first step to fixing a problem is to stop being in denial about it. Then to formulate a plan to make things better. What this translates to is having a reasonable SLA for addressing security issues and having a...
  8.

    FTC Dings ASUS For Selling 'Secure' Routers.

    How about spending less time pointing fingers and doing what matters? Do the custom wrts have a process for discreetly reporting bugs? As a consumer I only care that the information on my network stays private.
  9.

    Asus router security

    It seems folks here are perfectly content using an insecure router. Enjoy the vulns folks because they're not going away by closing your ears and pretending it's not there. Blame the guy raising the concern, the customers, and everyone but asus because that's how we solve problems around here...
  10.

    Asus router security

    Is there a way to keep this clown from "contributing" here? Please go read up on coordinated disclosure policies before you demand PoCs in public forums. I contacted asus already and didn't get a response. So that's done. Happy to close this thread if that makes you feel like you're...
  11.

    Asus router security

    Great to exercise caution.. Especially when using asus wrt. I don't think Asus recommends what you can and can't store. In fact they advertise AI Cloud as your "own secure space". I get the whole physical security angle but that's orthogonal to this discussion. You can easily mitigate some...
  12.

    Asus router security

    Looks like he emailed 4 times and even tried to call the development team. I just skimmed through his advisory but looks like he did a full disclosure as a last resort. So he's likely just as frustrated. Pasting relevant sections from the advisory.. Timeline: - Contacted Asus two weeks ago...
  13.

    Asus router security

    And put all customers using Merlin and stock fw at risk of an attack? You sir have an IQ of a cow dung.
  14.

    Asus router security

    Already tried and haven't received a response in almost a week. It could be caught in their spam filter, maybe they don't care, I have no idea. Since Adamm firmly believes we shouldn't be stupid and getting attacked is the customers' fault, I'll nominate him to find the vulns and author the...
  15.

    Asus router security

    If anyone knows how to report new issues aka 0-days to asus please let me know by end of week. I'll be happy to report them before I move on to other routers. Merlin and Adam, I can't counter your points because doing so would require me to divulge vuln details.