
ASUS RT-AC87U WPA2 key cracked in 2 seconds

Discussion in 'ASUS AC Routers & Adapters' started by zerodegrekelvin, Apr 29, 2015.

  1. skypx

    skypx Regular Contributor

    Joined:
    Mar 31, 2013
    Messages:
    60
    Location:
    Germany
    So true!
     
  2. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Whether it is WPS on your WLAN or SSH onto the internet, always consider your network under constant and persistent attack... watch out what one has open...

    Whether it is a router/nas/desktop - there are those that are working hard to break the locks...

    Case in point... this is on a full-blown linux box I use to jump in, and it's on a non-standard port, and we've got sshd pretty much locked down, but still, there's people wiggling the doorknob...

    For an embedded linux distro like what most home/small business routers/NAS boxes use, they're toast if services are opened up...

    In the words of Don Draper... "Limit your exposure" (SE301 fwiw)

    sfx

    2015-05-02 00:02:14,792 fail2ban.actions: WARNING [ssh] Ban 71.13.204.170
    2015-05-02 00:16:50,473 fail2ban.actions: WARNING [ssh] Ban 43.255.190.134
    2015-05-02 00:17:21,526 fail2ban.actions: WARNING [ssh] Ban 43.255.190.133

    [trimmed this post - 050615 - sfx2000]
     
    Last edited: May 6, 2015
  3. zerodegrekelvin

    zerodegrekelvin Regular Contributor

    Joined:
    Apr 29, 2015
    Messages:
    56
    Location:
    Montreal, Canada
    Did you try to geoip all the attackers? :cool: It would be interesting stats.
     
  4. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Most of it is from dedicated server farms in China... nothing new here. They're looking for loose edges to attack against...

    Looking at the auth.logs, all the SSH attempts are pretty simple, although it's across all ports for that protocol - it's brute force at an interesting scale..
     
    sentinelvdx likes this.
  5. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    The takeaway is always have strong passwords (or better yet, use keys instead), and make damn sure that root login is disabled.

    90 percent of the attempts are for root, the rest scatter about different default service logins...
     
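    As an added illustration of the auth.log observations in the posts above (this is example code, not something from the thread or from fail2ban): a small parser that tallies failed SSH password attempts per username and per source, so the "90 percent are for root" claim can be checked on real logs, and that applies a fail2ban-style ban threshold per source. The log excerpt and addresses are constructed (RFC 5737 documentation ranges); the line format is the standard OpenSSH "Failed password" message.

```python
import re
from collections import Counter
from typing import Dict, Tuple

# Constructed sample auth.log excerpt (documentation addresses, not real sources).
SAMPLE_AUTH_LOG = """\
May  2 00:02:10 gw sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
May  2 00:02:12 gw sshd[2101]: Failed password for root from 192.0.2.10 port 51235 ssh2
May  2 00:02:15 gw sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
May  2 00:02:19 gw sshd[2105]: Failed password for root from 198.51.100.7 port 40023 ssh2
May  2 00:02:23 gw sshd[2107]: Failed password for invalid user pi from 192.0.2.10 port 51236 ssh2
May  2 00:02:30 gw sshd[2109]: Accepted publickey for deploy from 203.0.113.4 port 55000 ssh2
May  2 00:02:41 gw sshd[2111]: Failed password for root from 203.0.113.9 port 43210 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown accounts).
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port"
)


def failed_logins(log: str) -> Tuple[Counter, Counter]:
    """Return (attempts per username, attempts per source IP) for failed password logins."""
    users: Counter = Counter()
    sources: Counter = Counter()
    for line in log.splitlines():
        m = _FAILED.search(line)
        if m:  # successful logins and other sshd messages are ignored
            users[m.group(1)] += 1
            sources[m.group(2)] += 1
    return users, sources


def root_share(users: Counter) -> float:
    """Fraction of failed attempts that targeted the root account."""
    total = sum(users.values())
    return users["root"] / total if total else 0.0


def sources_over_threshold(sources: Counter, threshold: int) -> Dict[str, int]:
    """Sources with at least `threshold` failures: the fail2ban-style ban decision."""
    return {ip: n for ip, n in sources.items() if n >= threshold}


if __name__ == "__main__":
    users, sources = failed_logins(SAMPLE_AUTH_LOG)
    print(f"root share of failed attempts: {root_share(users):.0%}")
    print("sources at ban threshold (3):", sources_over_threshold(sources, 3))
```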
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    For one of my customers, this was a headache for a while because their servers would stop accepting any login attempt for a couple of minutes due to the high volume of attempts within a small period of time (I think it was PAM throttling things, I don't remember for sure). This was causing Nagios to trigger false alerts on SSH being down. In the end we simply moved SSH to a non-standard port, which resolved that particular issue.

    On my work's server I use CSF. Far more flexible than fail2ban, and works more reliably too. Our Linode gets constantly hammered on various service ports, despite me flat out blacklisting a few networks from China. I also added a custom rule in CSF to block all those YLMF-PC based intruders hitting my SMTP server.
     
  7. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Yep - and for the info of spectators on the thread - CSF == http://configserver.com/cp/csf.html

    Pretty slick tool for hosted environments..

    The issues with your customers and ssh - basically the bots were sucking up all the ssh startups, so one has to wait - depends on how openSSH is configured and how one whitelists hosts with wrappers... kill the bots before they hit PAM..

    Anyways... getting back to the embedded space, one really needs to review the default configs for Dropbear - OpenWRT is pretty permissive there, and a lot of router BSP's pull the same config...

    config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'

    Anybody see what's a bit of a concern?
     
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    Password auth and ports can be changed through the webui with my firmware. Allowing root logins does make sense, because those routers only have one single user - the root one. And as long as by default they are still only exposed to the LAN (that's at least the default with my FW, no idea about OpenWRT), this isn't an issue. If you have someone on your LAN side trying to hack your router's SSH access, you have bigger issues to resolve.
     
  9. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Goes back to what I was saying about security being baked in, not added on - since root is the only login, and that user has access to everything, that is a clear design issue.

    Looking forward, might be better to actually assign users to various services, for example, samba for smb services, webadmin for the web server, etc... and then disable root login, forcing users to have to su - over on the ash shell (ash is the shell for busybox). This was a key feature in my designs, where there are clear roles and activities, along with access separation.

    Anyways, one of the cool things about Dropbear is that there can be multiple instances, bound to different interfaces, so one can bind the lan ports to one instance, and other to the WAN port, like below just as an example:

    config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

    config dropbear
    option PasswordAuth 'on'
    option Interface 'wan'
    option Port '2022'
     
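    As an added example (not from the thread, OpenWrt or Dropbear) covering both the permissive default config quoted earlier and the two-instance layout just above: a minimal UCI parser plus an audit that flags any dropbear instance whose password login (and root password login) is reachable from the WAN side. It assumes the OpenWrt convention that an unset PasswordAuth/RootPasswordAuth means "on" and an unset Interface means "listen on every interface"; the sample config is constructed from the two-instance example with a third, hardened instance added for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: the two-instance layout from the post, plus a hardened
# key-only instance that forgets to set Interface (so it binds everywhere).
SAMPLE_UCI = """
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option PasswordAuth 'on'
    option Interface 'wan'
    option Port '2022'

config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '2222'
"""

_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^\s*option\s+(\S+)\s+'?([^']*)'?\s*$")


def parse_uci(text: str) -> List[Dict[str, str]]:
    """Minimal parser for UCI 'config' / 'option' lines; one dict per section."""
    sections: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append({"_type": m.group(1)})
            continue
        m = _OPTION.match(line)
        if m and sections:
            sections[-1][m.group(1)] = m.group(2)
    return sections


def _on(section: Dict[str, str], key: str) -> bool:
    # Assumption: an unset option behaves as 'on' (the permissive default the post describes).
    return section.get(key, "on").lower() in ("on", "1", "true", "yes")


def audit_dropbear(text: str) -> List[str]:
    """Return one finding per risky setting across all dropbear instances."""
    findings = []
    instances = [s for s in parse_uci(text) if s["_type"] == "dropbear"]
    for idx, sec in enumerate(instances):
        iface = sec.get("Interface")  # None = bound to all interfaces, WAN included
        where = f"instance {idx} (port {sec.get('Port', '22')}, interface {iface or 'all'})"
        exposed = iface is None or iface.lower() == "wan"
        if exposed and _on(sec, "PasswordAuth"):
            findings.append(f"{where}: password auth reachable from WAN")
            if _on(sec, "RootPasswordAuth"):
                findings.append(f"{where}: root password login reachable from WAN")
        if iface is None:
            findings.append(f"{where}: no Interface set, binds to all interfaces")
    return findings
```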
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    This implies rewriting the whole firmware from scratch. Not gonna happen. There are far more important issues that would warrant such a redesign from the ground up, and they aren't enough either to justify the high cost that would be associated with such a major undertaking. Unless you'd be willing to ask Cisco-pricing for an entry level home router. There's a reason why Cisco sells 1000$+ routers, but Asus/Netgear/DLink offers 30$ products. Software development + support does carry a fairly high cost. That's why most manufacturers go down the cheapest route, which is either doing minor changes to the SoC provider's SDK (like most Broadcom-based products), or reuse an existing solution (Asus went with Tomato, Securifi went with OpenWRT, etc...) and work on top of these.

    My door lock isn't rated to protect my bank, but it's "good enough". The same applies to home routers here IMHO. Security is always about achieving a balance between cost and result, relative to the specific application where this would apply. I wouldn't secure a bank with a 20$ door lock any more than I would secure my home door with a 500$ lock.

    Having SSH default to "disabled" is perfectly fine security-wise. If you enable it, then it's your job to configure it - the settings are right underneath the option you clicked on to enable it. So from a security stand point, this is sound security: disabled by default.
     
    Last edited: May 4, 2015
    Pierino likes this.
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    There's IMHO a mass hysteria building up these days regarding security. Mozilla recently announced that they intended to start disabling specific features if you visit a website that's not https, and that the whole planet should move to https. I'm sorry, but I ain't gonna pay 250$ a year for a SSL certificate for my personal website, nor will I start re-issuing a new certificate every 60 days because I opted to go with a free solution which limits validity to a few months.

    Plus, SNI support is half broken with the hosting company that has my website. Search engines are reporting all sorts of weird domain names returning with my website's content because of this. From an SEO point of view, this is a nightmare.

    And finally, SSL encryption does carry a performance penalty. If public websites were to all switch to SSL being enforced, some of these would need to upgrade their infrastructure, or we'd be facing a generalized slowdown of the web.

    We're going from "not enough" to "too much" these days. Knee-jerk reaction IMHO. The correct response lies in the middle.
     
    sentinelvdx and Pierino like this.
  12. W4RH34D

    W4RH34D Regular Contributor

    Joined:
    Nov 13, 2014
    Messages:
    168
    It is just the way people are wired. Here comes the "security" bubble.
     
  13. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    But when one compares how many $30 routers are sold vs. how many $1000 Cisco routers are sold, there's more money down there... and this makes having sane and reasonable security designed in - once it's done, then it carries over to future devices... and perhaps even an opportunity for the upstream to take it forward... whether it is OpenWRT/Tomato, or the SoC providers.

    I agree, some folks may have overreacted with recent revelations, but this is very basic stuff... and now that desktop OS vendors are taking security much more seriously, the "security" community is going after devices like Home Routers, as the surface is pretty huge...
     
    zerodegrekelvin likes this.
  14. David Arnstein

    David Arnstein Regular Contributor

    Joined:
    Mar 19, 2015
    Messages:
    55
    Anyone know if the RT-AC68x routers suffer from this defect? I configure WPS "off" on my router. Is it really "off?"
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    How much does Cisco typically charge for a support contract? :)

    Cisco makes sure they make as much money as possible out of their customers to be able to provide the services they do...

    Personally, I suspect that there's almost no profit out of a 30$ router. One single support call requesting guidance on how to plug it will immediately make that router become a loss for the manufacturer.
     
  16. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,391
    Location:
    Canada
    The bug is specific to Quantenna, therefore only the RT-AC87U (and its 5 GHz band) are affected.
     
    David Arnstein likes this.
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    I can go to Cisco and get a patch, usually within hours of a vulnerability disclosure, might take a couple of days... but Cisco routers are designed with security in mind... and there is a different level of expectation when I invest K-Bucks in a gear/support deal...

    To Joe Six-Pack, buying a consumer grade router, he doesn't even know he's been haxxor'ed, and the support costs to the vendor - it's like you say, margin sunk... so is it better to spend a bit to design right, or wait for customers to call?

    As you mentioned, ASUS runs everything with one account on their routers - root - and that is the superuser... bad, bad, bad design...

    It's not just ASUS, but this is an ASUS thread, and whether it's a bad/weak WPS implementation or other services, running as root is a very bad idea from a security perspective - crack services, and boom, instant superuser access..

    Security - This is a fairly easy thing to design in as a developer and architect - it's hella bad to try and patch and dodge one's way around in a bad design..

    There are consumer grade AP/Routers that are more secure, but most of them are not ASUS, Netgear, Linksys, D-Link...

    just saying...
     
    zerodegrekelvin likes this.
  18. zerodegrekelvin

    zerodegrekelvin Regular Contributor

    Joined:
    Apr 29, 2015
    Messages:
    56
    Location:
    Montreal, Canada
    Agreed with sfx, the expectation is not the same in the enterprise or hospitality versus the "Joe Six-Pack" expectation. Different market, different pricing, different SLA.
    In 2013, I met Robert Pera from Ubiquiti, I asked him about the enterprise market and the 5-star hotels, basically Robert told me "I am not in the 5-star hotels, or 4-star, but there are plenty of 3-star hotels that still need wifi". There is a niche for everybody to make money in the wifi space, but it's not because your product is inexpensive that you can neglect security. Most of the security issues we talk about here can be easily fixed. It's not because you drive a Yaris that you don't have a seat belt :cool: or airbag.
     
  19. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    Since rMerlin suggested it's kind of hard to implement a better security scheme, let me show you just how broken some ASUS devices are...

    Here's the setup - WL-330NUL - nice little travel router dongle - nice feature, it supports a guest network as a second SSID, and it offers either a Prompt Option (asking the router admin to approve/block), or a PIN code to enter - once that's done, everything is cool...

    So, we get the Guest Network running, and we attach to the AP - it's open, so no passphrase, etc..

    [image: iwconfig.png]

    We fire up a browser... Firefox in this case, and we get the portal that dnsmasq redirects to for prompt or pin

    [image: browser_prompt.png]
    So we wait a second - see the next post, as we can only attach two images...
     
  20. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,328
    Location:
    San Diego, CA
    So, still in the same browser window, we type in the following URL (again, this is on the Guest Network)

    http://router.asus.com/Main_AdmStatus_Content.asp - see below

    [image: hidden_page.png]
    I type in the window - telnetd, and press return...

    Go back to terminal - in this case, the client IP is 192.168.2.8, so I telnet to 192.168.2.1... and here, it's not the supervisor code normally needed to access config, it's admin/admin

    yes, think about that... and think about it again.

    [image: pwned.png]

    ------------

    That's right - I now have a command line shell on the router, running as a privileged user..

    This is how Asus treats your network, the data you attach on the USB drive, VPN tunnel coming in, etc.. etc.. etc.

    Really easy to break security.. and cheaper to implement right the first time

    sfx
     
    zerodegrekelvin likes this.