
Be aware of open Asus-routers


Is this only an issue if you use the router's USB ports for external drives?
 
Is this only an issue if you use the router's USB ports for external drives?

Yes, and only if you didn't configure the FTP server correctly, and left it wide open to its default value.

To be clear, this is more about a bad default value from Asus than an actual security hole. Anyone correctly configuring the FTP access will be fine.
 
Yeah. User error. But the number of units which allows anon FTP access seems to be surprisingly high.

E.g. Germany - 3000 units with ftp running. 1200 with open access.
 
as bad as this is, i bet it doesn't compare to how many homes and businesses are running access points with WPS on 24/7, still. (this is what led to my complete lack of faith in linksys) i'd think manufacturers would pay more attention to local weaknesses than this, and considering the PoS machines at target appear to have been the attack vector that led to the theft of 110 million credit/debit cards, which absolutely is the fault of the business rather than the users, this is pretty easy to forgive. at least this ftp issue only applies to a.) usb disks attached to the router and b.) has to, at the very least, be inadvertently enabled. 99% of the data on these disks is probably what, downloaded movies and music?

my card was one of the ones stolen. thankfully, my card was cancelled before any malicious activities might have occurred.
 
Is anything done with the WPS implementation on newer routers, except adding a limit on how often you can try to connect? There was some talk earlier regarding WPS 2.0, but there is no such thing so far?
 
pretty much the most useful news i could find regarding WPS came from Mr. Tim Higgins himself; http://www.smallnetbuilder.com/wireless/wireless-features/31664-waiting-for-the-wps-fix

don't mean to toot my own horn, but i hated WPS from day 1. If I were these router manufacturers, i'd drop WPS for good and never look back. worst goddamned idea ever to grace network technologies. makes me want to break whatever i'm holding and slap some mofos. just... WHY? WHY? WHY? WPS is the most butt-backwards technology to come out in recent history. Please, somebody come out and say the NSA paid them 100 million USD, that i could forgive. GOD, WPS is so STUPID.
 
WPS as a concept makes sense (who doesn't despise entering their complex, 20+ chars WPA key onto a printer's dialpad-like keys?). I'm not sure how it could be so messed up however.

WPS should be getting enabled whenever an actual action is done on the router (such as pressing a WPS button), at which point you'd have a set amount of time to do the same thing with a client device, entering a short numeric key, and having the router come out of WPS mode after either a timeout value, or too many incorrect key attempts (say, three attempts).

That should make it quite safe for a home environment. That something as simple doesn't work reliably is beyond me - or I must be missing something.
 
yea, that's true, but you only have to do it once. i think it could have been better implemented so that you just press the WPS button on the router and again on the printer and they pair up, end of story. it's already designed to cripple security, but it should have been a completely temporary measure from the beginning.

i have to walk away from this now lol
 
I enjoyed this thread a lot; the WPS part. :)

It reminded me of what I do for every customer (that 'knows' about WPS): I tell them the WPS button will be enabled in a future firmware (and I promptly disable it and never mention it again).

One such customer hired a new 'know all' employee - he knew that WPS worked (he could see the button!!!) so he set out to prove it. A couple of days later, I got a call to come and see why the network wasn't working anymore.

He had pushed the button right through the router. Lol...


sinshiva, I too hated WPS from day 1. The shock from that particular stupidity still hits me with every new router I set up for customers.
 
having the router come out of WPS mode after either a timeout value, or too many incorrect key attempts (say, three attempts).

This...

Implement Both - WPS active for up to 3 (or 5) minutes or until 3 incorrect attempts, whichever comes first. After which, the WPS key must be pressed again. Maybe give an option setting to adjust the time variable, but don't have a setting for timeout off (0 to turn time off).

I've wondered after seeing the first implementation of WPS why this wasn't the default.

Merlin, maybe you could be the trendsetter for the industry... If you could implement this in your code, Asus would see the 'logic' of it and adopt, which would force the rest of the industry to duplicate to keep up. Prow of the ship....
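The policy proposed in the posts above (WPS opens only on a physical button press, then closes after a timeout or three wrong PINs, whichever comes first, with no "timeout off" setting), sketched as an added example that is not code from any poster, Asus, or a real WPS stack. The class name, the 180-second default and the sample PIN are assumptions.

```python
import hmac
import time

class WpsWindow:
    """Hypothetical push-button WPS session gate (illustration only)."""

    def __init__(self, pin, timeout_s=180, max_failures=3, clock=time.monotonic):
        if timeout_s <= 0:
            # The thread's point: there must be no "0 = never time out" option.
            raise ValueError("timeout must be positive")
        self._pin = pin.encode()
        self._timeout_s = timeout_s
        self._max_failures = max_failures
        self._clock = clock
        self._opened_at = None      # None means WPS is not listening
        self._failures = 0

    def press_button(self):
        """Physical action on the router: opens a fresh window."""
        self._opened_at = self._clock()
        self._failures = 0

    def is_open(self):
        if self._opened_at is None:
            return False
        if self._clock() - self._opened_at >= self._timeout_s:
            self._opened_at = None  # timed out: button must be pressed again
            return False
        return True

    def try_pin(self, candidate):
        if not self.is_open():
            return "closed"
        if hmac.compare_digest(candidate.encode(), self._pin):
            self._opened_at = None  # one pairing per button press
            return "paired"
        self._failures += 1
        if self._failures >= self._max_failures:
            self._opened_at = None  # lock out until the next button press
            return "locked"
        return "rejected"

def demo():
    """Constructed scenario driven by a fake clock so it runs instantly."""
    now = [0.0]
    w = WpsWindow("12345670", clock=lambda: now[0])
    out = [w.try_pin("12345670")]                      # no button press yet
    w.press_button()
    out += [w.try_pin("00000000") for _ in range(4)]   # three misses, then shut
    w.press_button()
    now[0] += 181                                      # window expires
    out.append(w.try_pin("12345670"))
    w.press_button()
    out.append(w.try_pin("12345670"))
    return out
```

With this gate a remote guesser gets at most three PIN attempts per physical button press, which is what separates it from an always-listening PIN registrar.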
 
This...

Implement Both - WPS active for up to 3 (or 5) minutes or until 3 incorrect attempts, whichever comes first. After which, the WPS key must be pressed again. Maybe give an option setting to adjust the time variable, but don't have a setting for timeout off (0 to turn time off).

I've wondered after seeing the first implementation of WPS why this wasn't the default.

Merlin, maybe you could be the trendsetter for the industry... If you could implement this in your code, Asus would see the 'logic' of it and adopt, which would force the rest of the industry to duplicate to keep up. Prow of the ship....

AFAIK, all modern WPS implementations do carry a timeout. And I think some manufacturers do drop WPS after a few incorrect attempts.

In any case, the WPS code is closed source...
 
RMerlin, I would be asking for the opposite with regards to WPS - remove it altogether. This is like the bloatware on all the new computers, imo.
 
i definitely don't disagree with you L&LD, but i imagine people would raise hell in swarms unless all the manufacturers agreed to get rid of it simultaneously
 
sinshiva, still chuckling after reading your post. :)


Never thought of that side of the coin.
 
I enjoyed this thread a lot; the WPS part. :)

It reminded me of what I do for every customer (that 'knows' about WPS): I tell them the WPS button will be enabled in a future firmware (and I promptly disable it and never mention it again).

One such customer hired a new 'know all' employee - he knew that WPS worked (he could see the button!!!) so he set out to prove it. A couple of days later, I got a call to come and see why the network wasn't working anymore.

He had pushed the button right through the router. Lol...


sinshiva, I too hated WPS from day 1. The shock from that particular stupidity still hits me with every new router I set up for customers.

haha, i missed this post initially; very amusing.
 
Seems like there are quite a lot of people who have FTP activated on their Asus routers and have it open for the world to see... it's quite scary what personal data users are sharing without their knowledge, and it's easy to find the routers that are open.

Asus will fix it in upcoming firmware.

Story: http://www.pcworld.com/article/2086...ives-connected-to-asus-routers-wide-open.html


Also, most people don't realize that when they access the router remotely via FTP, they are sending their user name and password unencrypted over the internet. FTP snooping is not all that uncommon.
 
