Asus router security

If anyone knows how to report new issues aka 0-days to Asus please let me know by end of week. I'll be happy to report them before I move on to other routers. Merlin and Adam, I can't counter your points because doing so would require me to divulge vuln details.
 
Use Networking_Support@asus.com. This will reach the appropriate persons.
 
Already tried and haven't received a response in almost a week. It could be caught in their spam filter, maybe they don't care, I have no idea.

Since Adamm firmly believes we shouldn't be stupid and getting attacked is the customer's fault, I'll nominate him to find the vulns and author the firewall rules to protect us all. ;)

All jokes aside, I'll shoot them another mail but I'm not going to waste too much more time on this.
 
I am a firm believer in the following;

pics-or-it-didnt-happen.jpg
 
Already tried and haven't received a response in almost a week. It could be caught in their spam filter, maybe they don't care, I have no idea.

Seeing the numbers of XSS and other vulnerabilities that they have been fixing the last four or five releases, I hardly doubt they don't care if the issue is real.

No idea what's their policy however, whether they actually reply to every report they get or not.
 
Already tried and haven't received a response in almost a week. It could be caught in their spam filter, maybe they don't care, I have no idea.

Since Adamm firmly believes we shouldn't be stupid and getting attacked is the customer's fault, I'll nominate him to find the vulns and author the firewall rules to protect us all. ;)

All jokes aside, I'll shoot them another mail but I'm not going to waste too much more time on this.

I sent an email to that address 3 or 4 months ago and never got any type of response. Nothing. It went into a black hole. Maybe you'll have better luck.
 
Already tried and haven't received a response in almost a week. It could be caught in their spam filter, maybe they don't care, I have no idea.

Since Adamm firmly believes we shouldn't be stupid and getting attacked is the customer's fault, I'll nominate him to find the vulns and author the firewall rules to protect us all. ;)

All jokes aside, I'll shoot them another mail but I'm not going to waste too much more time on this.

The guy in the link below... might be able to help. (Kyle Lovett)

http://www.securityfocus.com/archive/1/526942
 
Looks like he emailed 4 times and even tried to call the development team. I just skimmed through his advisory but looks like he did a full disclosure as a last resort. So he's likely just as frustrated.

Pasting relevant sections from the advisory..

Timeline:
- Contacted Asus two weeks ago (under my online handle account) around 06/06
- Second email sent on 06/10 when discovered first un-authenticated
file disclosure
- Received only one response back stating it was not an issue
- Sent a third email on 06/14
- Only response received was an acknowledgement that my email was received
- Attempted to call their development or incident team, and was told
that someone would call me back on 06/17
- Sending another email today under my real name

...
...

I was hesitant about posting so much information on this matter, but
felt that if this vulnerability is proven by others as true, the
dangers with the VPN are not negligible. Having access to people's
backup of their smart phones and C: drives is beyond troubling
...
...

 
The guy's post is almost a year old, but who is putting "backups of smart phones and C: drives" on a drive attached to a router? Want a security flaw? How about someone just comes in and walks off with the usb drive?

No way am I putting anything on that drive but media files, family photos, home movies, stuff like that, which I thought was pretty much what it is meant for. That's all I use mine for. And for that purpose it is PERFECT. Best home media storage / playback method I've ever had. No way am I putting any sensitive info or my business or customer info on a drive plugged into a router, no matter what brand the router is. If you have a business obviously you should not be using a drive attached to an inexpensive consumer router to store sensitive customer or business data. Not what it's for (not how the router is marketed either). Not so much worried about exploits as EVERYTHING can be hacked, but the easier path is the same way most IDs get stolen: criminal walks off with the actual HD, the actual smart phone, purse, wallet, mail, or laptop.
 
Great to exercise caution.. Especially when using asus wrt. I don't think Asus recommends what you can and can't store. In fact they advertise AI Cloud as your "own secure space".

I get the whole physical security angle but that's orthogonal to this discussion. You can easily mitigate some of the risk by encrypting the backup.

To use an analogy, you probably don't go around sharing your bank account online just because someone can break into your home and steal it.
 
I think it's time for this thread to be closed, all you're currently doing is referencing old information which is just going to confuse others.

If you have any actual security concerns contact Asus directly or even Merlin so they can patch their firmwares respectively. So far you have yet to provide any proof whatsoever that you have found any 'security holes' and without a POC this is just useless discussion of old topics and uneducated bashing.
 
Is there a way to keep this clown from "contributing" here? Please go read up on coordinated disclosure policies before you demand PoCs in public forums.

I contacted Asus already and didn't get a response. So that's done.

Happy to close this thread if that makes you feel like you're accomplishing something. Small minds small pleasures.
 
I have been asked to close this thread. But after reading through, there are good points made on both sides and it is a worthwhile discussion, so I am leaving it open.

But please stay on topic, use facts and refrain from name calling. I have removed a few posts accordingly.
 
My take on this 'issue' is that if you're online, you're susceptible even when using business or commercial grade products - just look at all the stories lately about the big guys getting hacked.


Manufacturers are there to sell. The case of buyer beware is still alive and well.

Complaining about a single manufacturer (in this case Asus) and spreading false information (sorry Patricia, but that is no way to make your case) and even bringing up ancient 'proof' about the issue will also not help.


I don't see this as an issue at all: security (or not) is up to the individual.

When you hook up your equipment to a WAN, all bets are off.

This is not to say I don't want bullet proof security; just seeing this as a realist.


Security on line may be possible 'now', but 'right now' it's possible that your previous security just got blown to bits by a 14 year old with ideas that were not preconceived of what is or is not possible with a few bits of code (and/or relying on the ignorant nature of most of us).

As a Yiddish quote states: "Against stupidity; God Himself is helpless."


I respectfully disagree with Tim on this issue: this thread should be locked. ;)
 
I fully agree with you. There is no protection against user's ignorance of basic security rules. The router is equipped with all necessary protection instruments, so users are fully responsible for any security issues raised from so called "FTP server bug".
 
It seems folks here are perfectly content using an insecure router. Enjoy the vulns folks because they're not going away by closing your ears and pretending it's not there. Blame the guy raising the concern, the customers, and everyone but Asus because that's how we solve problems around here.

I really don't understand why folks treat their router like it's their first born.

Folks it's a router, it's an appliance, and nothing more. Treat it as such and be objective and ask yourself this. Neither Patricia, Kevin Lovett, or others had much success reporting vulns to Asus. Does something need to change?

If your answer is no, then that's fine so long as you accept the consequence when the worst happens. For your sake I'd treat any LAN traffic as publicly viewable and not store or transmit anything sensitive on your network.

I'm done with this forum and I sincerely don't give two cents about Asus routers now, thanks guys.
 
Thank you very much indeed.
 