Suspicious Devices in new App Disconnected Device List

Paliv

Very Senior Member
Hey all,

I've been a lurker on these forums for a couple years now and learned a lot. I have an RT-AC68P which has been fantastic. However, when ASUS updated the app recently they added the ability to see not only connected devices, but also disconnected devices. In this list are 3 devices/mac addresses that I know I did not allow on my network. Does anybody know if this list shows devices that attempted to connect, or if it only shows devices which connected with an authenticated key? Trying to determine if my network has been compromised by a script kiddie or something. I have AiProtect on and all the general security stuff off (UPnP, WPS, and so on). I can't find much documentation from ASUS. As a caution I am going to do a factory reset, update and change password, key, and all internet passwords. We recently had our Credit Card used for a huge online purchase which our bank immediately labeled as fraud and stopped, but I am wondering if this was the root. I'm also already scanning devices for malicious software, key loggers, and the like. Thanks for any help.
 
I was trying to figure out what this new feature was, but the only thing I can find that showed disconnected devices was in the system logs. I just looked in my DHCP leases log and I did find a few that I didn't recognize so I'll need to dig more. Probably some IoT stuff I forgot about. The log only had an asterisk in the hostname column.
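
A way to run the check described above, comparing DHCP leases against a list of devices you own (an added example, not part of the original posts). It assumes the router's lease table uses the dnsmasq layout (expiry, MAC, IP, hostname, client ID, with `*` for a missing hostname); the sample leases, MAC addresses and `KNOWN_DEVICES` inventory are constructed.

```python
"""Flag DHCP leases whose MAC is not in a known-device inventory (added example)."""
from datetime import datetime, timezone

# Constructed sample in the assumed dnsmasq lease layout:
# <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700003600 a4:5e:60:11:22:33 192.168.1.20 livingroom-tv 01:a4:5e:60:11:22:33
1700007200 3c:22:fb:44:55:66 192.168.1.31 * 01:3c:22:fb:44:55:66
1700001800 b8:27:eb:77:88:99 192.168.1.42 * *
1700009000 da:a1:19:aa:bb:cc 192.168.1.57 * *
malformed line
"""

# Constructed inventory; label formats vary, so MACs are normalized before comparing.
KNOWN_DEVICES = {"a4:5e:60:11:22:33": "TV", "B8-27-EB-77-88-99": "Printer"}

def normalize_mac(mac):
    """Return the lower-case, colon-separated form of a MAC address."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text):
    """Yield one dict per well-formed lease line; skip anything else."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue
        yield {
            "expires": datetime.fromtimestamp(int(fields[0]), tz=timezone.utc),
            "mac": mac, "ip": fields[2],
            "hostname": None if fields[3] == "*" else fields[3],
            # Locally administered bit set: likely a phone's randomized "private" MAC
            "randomized": bool(int(mac[:2], 16) & 0x02),
        }

def unknown_leases(text, known):
    """Return leases whose MAC is absent from the inventory, in file order."""
    known_macs = {normalize_mac(m) for m in known}
    return [lease for lease in parse_leases(text) if lease["mac"] not in known_macs]

if __name__ == "__main__":
    for lease in unknown_leases(SAMPLE_LEASES, KNOWN_DEVICES):
        kind = "randomized MAC" if lease["randomized"] else "vendor-assigned MAC"
        print(lease["mac"], lease["ip"], lease["hostname"] or "(no hostname)", kind,
              "lease expires", lease["expires"].isoformat())
```

A lease table only lists devices that requested an address and whose lease has not yet expired, so a clean result does not rule out an earlier connection.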
 
What is really suspicious to me is the devices had very specific names, one vulgar that I won’t write here and a video game reference to Borderlands. They didn’t have current DHCP leases, and none of the leases were unfamiliar. I asked anyone who ever had access to my network if those names were familiar and they said no.

ASUS responded to my e-mail and said only devices that had connected should show up on that list. So as far as I can tell someone got their MacBook on my network somehow. I did forget to look into my printer after the KRACK disaster, though everything else was updated, and now I have the dumb thing hard wired instead since I could find no info on whether it was vulnerable or could be updated.
 
Just checked my Android app and it showed no unknown devices. But, all the devices that connect to my LAN through a 5 port Linksys switch showed as active even though all the devices were powered off. Power cycled the switch and the AC66U B1 in the app showed the devices as off.

Sent from my P01M using Tapatalk
 
It just dawned on me that you both are talking about the smartphone app, not the webui. Since it was revealed that the app quietly exposed the router to WAN access, I quit using it and checked my router settings to minimize my exposure. @Paliv, since you have obviously been hacked by someone who blatantly wanted to make it obvious, you are now highly motivated to tighten your LAN's security. I'd recommend removing the app and going over the router access settings (LAN only). There's nothing so critical that I need to be able to access my router from outside my LAN.
 

I totally missed that this had come out. Does unlinking the app and deleting it off of the mobile device fix the security hole, or is there something I need to change? I thought as long as I had not turned on the WAN access that it wasn’t an issue. Thanks for the heads up!

So after looking through the thread about the app I am wondering if this wasn’t the cause. I had checked if external WAN access was on before I did the hard reset and it wasn’t. Anytime I accidentally open the app outside the LAN it says connection failed in iOS. But, I am unclear whether it doesn’t show these settings as changed in the GUI?
 
All I did was uninstall it (to be sure I didn't accidentally run it) and then made sure "Enable SSH" was set to "LAN Only" and "Enable Web access from WAN" was "No".
I'll let others go into the details of how vulnerable this makes you. Whether or not it enabled a hacker onto your LAN, it is best to close up all the known loopholes.
 
Thanks again for the info. It’s always a pain when companies implement “features” that aren’t transparent about their function. And the ASUS support, while polite, was lacking in detail in their response.
 
The one note I would make is I would have never noticed this activity on the router had I not been using the iOS app, which just updated to show disconnected devices. I don’t normally pore over the logs and these connections seemed to not have been recently active. Maybe a useful tool if they clean the app behavior up.
 
