Asus router security

Status
Not open for further replies.

Patricia

Occasional Visitor
Love their routers' performance and all but it's a security Swiss cheese. It never takes me more than 5 minutes to find a cringe-worthy security hole in their system. I can't find their email or form for reporting vulnerabilities. Customer service doesn't know where to route these issues... And there's headlines after headlines on CNET, PCWorld, Krebs, etc. on how their router keeps getting owned. There are fewer CVE entries reported as well and I attribute this to folks just giving up reporting issues which is deeply concerning.

I understand systems are going to have flaws. But I'll always trust a vendor that at least makes an effort to listen and fix these issues.

First time buying Asus routers and this will likely be my last after I trade this in for Nighthawk. Wish things were better, I'll see if Netgear is any better.
 
Why don't you tell which security related issues you found so far? If you cannot tell that publicly, at least contact RMerlin on this forum and tell him. I'm confident he'll fix them in his custom FW
 
What about 90% of the customers that don't use custom firmware? As soon as Merlin checks in the fix the issue is public via git.
 
ASUS backports changes by RMerlin into their official firmware. But you make a good point about it becoming public. Did not think of that. Maybe Merlin can just report them back to ASUS?
 
I'm running .276 without any issues. Any outside sharing of the router is turned off on my RT-N66W and RT-N66U.
 
Good luck with the Nighthawk. I have owned WiFi routers by Linksys, Netgear, US Robotics, Belkin, TP-Link, TrendNET and D-Link in addition to Asus. Asus is at the very least as good as any other manufacturer in addressing firmware issues. I feel that Asus is better than most other WiFi router manufacturers in supporting their products and will stay with them.
 
Based on the R7000 GPL archive, Netgear is using OpenSSL 0.9.7f, which goes back to 2005.

You'll be running out of choices soon if you're looking for a home gateway that's as secure as a business product.
 
Anyone could have taken care of their own security, gone to the FTP page, and disabled anonymous access.

It wasn't even a security hole in the first place, it was just a bad choice of default setting. It would take 2 mins for anyone to take care of it.

When an insecure default exposes the majority of its customers (using the corresponding feature) it becomes a security issue. Turning off FTP and anonymous access doesn't help you in all cases either.

Anyways, just needed to vent. I'm not looking for a perfectly secure router. It's not gonna happen. Instead my bar is much lower. I'm looking for a vendor that's at least receptive to learning about security issues in their router.
 
Asus is much better than Netgear is at releasing new fw. The RT-N16 has had 3 in 2014 and look how long it's been out.
The last firmware released for my Netgear R6300 was in September and a lot of people on the Netgear forum are complaining. Netgear doesn't care.
Good luck with that Nighthawk.
 
I have to check out where they are and what they've done. Hence I don't want to equate quantity of patches with quality. It's like saying McDonald's > 3 Michelin stars restaurant because one sells more meals than the other.

But yes you're probably right, I'll probably be equally disappointed and move on to commercial routers. Point is, I'll keep searching for something better. The bar is very low so I'm hopeful. :)
 
I agree that the quantity of firmware versions is not a measure of quality. Asus has a way of putting out a new version of firmware to fix a specific issue, then breaking a few more things in that new version. Yes, RMerlin works hard to take care of that stuff, but you're also correct in saying that a lot of people are using stock Asus firmware.

On the other hand, fewer firmware versions isn't a measure of quality, either. Quality is good and robust performance with as few security issues as possible. And responding to the new security issues that come along promptly, without breaking other orthogonal functionality. Hard to find any manufacturer that's doing that. Usually it's third-parties that are able to respond more quickly, and also get quick feedback from users about the soundness of their fixes.

So, when I'm shopping for a router, I make sure that there's good third-party firmware available, or it will be available. That's been the good stuff in my experience.
 
Anyone could have taken care of their own security, gone to the FTP page, and disabled anonymous access.

It wasn't even a security hole in the first place, it was just a bad choice of default setting. It would take 2 mins for anyone to take care of it.

What he said. Love Asus because they stick with a product and updates long after the release date. Good luck with netgear.
 
What he said doesn't block the attack. It will give you the illusion of fixing the issue though. Anyways, thanks. Will explore other gears..
 
My point was that with the R6300 there is a problem of the firmware corrupting itself. I came home at least 3 times to a router with a blinking power light and had to tftp the fw. Also the only usable fw was from December 2012. Any after that had unacceptably high ping times.
Yes, frequent fw updates are not an assurance of quality, as sometimes "if it isn't broke, don't fix it" applies, but in Netgear's case it's "it's broke, we don't care".
 
What he said doesn't block the attack. It will give you the illusion of fixing the issue though. Anyways, thanks. Will explore other gears..

I don't see what you're complaining about, all known vulnerabilities have been patched on this device unless you're sitting on a treasure chest of 0days.

It never takes me more than 5 minutes to find a cringe-worthy security hole in their system.

By the sounds of your post, I highly doubt you have the know-how to do infosec research and are simply just rambling to make yourself seem like you have a point. The router is based on a lot of open source protocols and it is inevitable that exploits and bugs will be found.

But to break this down even further, what you're complaining about is that some users configured their router's FTP daemon (which is disabled by default) to allow anonymous access (a feature that is present in all FTP daemons across all Linux distros) due to their personal lack of knowledge and you are blaming Asus for that fact.

The only point I agree with is that this should have been denied by default due to users who don't know what they are doing (aka button pushers) which Asus rectified immediately in a firmware release due to users like yourself.

If you know of any other company who provides as many frequent updates as Asus, has the same quality of hardware and support, feel free to move onto that device, otherwise post constructively or you will just get shot down by people who actually know what they are talking about.

Unfortunately Asus don't have a feature to counter stupidity, which is I believe what you are looking for.
 
Patricia, you would have probably liked the sofaware/zone alarm za100g box, if you were willing to pay yearly and put up with the seat limitations

 
What he said doesn't block the attack. It will give you the illusion of fixing the issue though. Anyways, thanks. Will explore other gears..

No, what I said precisely blocks the "issue". As I said, the issue was exactly this: Anonymous FTP access was being enabled by default. Nothing more.

That Ars Technica article is very poorly written btw, and confuses a bunch of different issues, like the AiCloud security hole that was reported AND fixed months ago. Totally unrelated to the FTP issue that was used in that so-called Asusgate.

I saw the exact timeline of resolution for the FTP issue. It didn't take 6-8 months. It took a few weeks between the time the security outfit reported it and the release of a fixed firmware. Those articles claiming 6-8 months are, once again, confusing two totally unrelated issues, both of which WERE resolved within a few weeks after their report.
 