Asus Router app and "unintentional" activation of remote access to router

nmt1900

Occasional Visitor
It was discovered "by mistake", but it cannot be described any other way than serious:

Asus has introduced DDNS and remote management support into the Asus Router mobile app for Android.

It might be a nice feature to have, but there is one big BUT in this implementation - if a router is added/linked to the mobile app, then AiCloud, DDNS and remote access to the web interface will be enabled.

This is done by default without any notification whatsoever!

It is possible to turn the "Remote connection" option off in the app after linking is done, but this does not turn these options off on the router side. It only turns it off in the app for this linked router (the setting is specific to every linked router). The only way to turn off public access to the web interface is on the router side - either from the web interface or the command line. This then lasts until the user flips the "Remote connection" option back on in the app.

If the user tries to turn the "Remote connection" option back on in the app, only THEN will he get the notification about AiCloud, DDNS and remote web access being enabled - and then again it can be turned completely off only from the router itself.

As we know about httpd in asuswrt not being "very robust", and enabling public access to it not being a very good idea, only one question remains: what were Asus developers thinking?

Every user who links an Asus router to the mobile app is inadvertently opening it up to the whole wide world!

Now it is up to anyone to decide whether to scrap the app or not, but public access has to be disabled from the router. Unlinking the router from the app or unticking the "Remote connection" option in the app does not help to secure the router.

There were fewer things to worry about before these features were added to the app - general security issues of the underlying platform (possibility of leaking the passwords from the app etc.) or vulnerabilities in the app itself, but now this adds a new big hole on the other side and there is no easy and reliable way to close it - other than unlinking the router from the app AND disabling remote access on the router itself.

One thing I know from now on is that there is no easy way to trust mobile apps from Asus again...
 
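A router-side check for what the post above describes, as an added example that is not part of the original post and not Asus or Merlin code. It reads the output of `nvram show` (over SSH/telnet on the router, or from a saved dump), reports which of the settings the app is said to flip are on, and prints the commands to turn them off. The nvram variable names (misc_http_x, ddns_enable_x, enable_webdav, enable_cloudsync, pptpd_enable) and the `service restart_*` targets are my assumptions from the asuswrt/asuswrt-merlin sources, so confirm them on your own firmware; the sample dump inside the script is constructed, not taken from a real unit. The PPTP server flag is included because later posts in this thread report a PPTP VPN account having been added on an exposed router.

```shell
#!/bin/sh
# Constructed example for this thread (not Asus or Merlin code): audit the router-side
# settings that the Asus Router app is reported to switch on, and print the nvram
# commands that switch them off. The variable names are ASSUMPTIONS taken from the
# asuswrt/asuswrt-merlin sources; confirm them on your own firmware first with:
#   nvram show 2>/dev/null | grep -E '^(misc_http_x|ddns_enable_x|enable_webdav|enable_cloudsync|pptpd_enable)='
#
# On the router:   nvram show 2>/dev/null | sh audit_remote.sh -
# From a dump:     sh audit_remote.sh nvram.txt
# No argument:     runs against the constructed sample dump below.

# name:what-it-opens, one entry per nvram variable that exposes the router when set to 1
REMOTE_VARS="misc_http_x:web-admin-on-WAN ddns_enable_x:DDNS enable_webdav:AiCloud-WebDAV enable_cloudsync:AiCloud-Sync pptpd_enable:PPTP-VPN-server"

# Constructed sample of what `nvram show` prints on an affected unit (NOT a real dump).
SAMPLE_DUMP="misc_http_x=1
misc_httpport_x=8443
ddns_enable_x=1
ddns_server_x=WWW.ASUS.COM
enable_webdav=1
enable_cloudsync=0
pptpd_enable=0
http_enable=1"

# audit_remote_access: read name=value lines from stdin, print one line per
# remote-access variable, return 1 if any of them is on (0 otherwise).
audit_remote_access() {
    exposed=0
    dump=$(cat)
    for entry in $REMOTE_VARS; do
        name=${entry%%:*}
        label=${entry#*:}
        # exact "name=value" match anchored at line start, first hit only
        value=$(printf '%s\n' "$dump" | sed -n "s/^${name}=//p" | head -n 1)
        case "$value" in
            1)  echo "EXPOSED $name=1 ($label)"; exposed=1 ;;
            '') echo "UNKNOWN $name not in dump" ;;
            *)  echo "ok      $name=$value" ;;
        esac
    done
    return $exposed
}

# count_exposed: same input as above, prints only how many variables are on.
count_exposed() {
    audit_remote_access | grep -c '^EXPOSED'
}

# remediation_commands: print (never execute) the commands that close everything.
# The `service restart_*` names are asuswrt rc targets as I know them; a reboot also works.
remediation_commands() {
    for entry in $REMOTE_VARS; do
        echo "nvram set ${entry%%:*}=0"
    done
    echo "nvram commit"
    echo "service restart_firewall   # drop the WAN rule for the admin port"
    echo "service restart_httpd      # or simply reboot"
}

case "${1:-}" in
    "")  printf '%s\n' "$SAMPLE_DUMP" | audit_remote_access || remediation_commands ;;
    -)   audit_remote_access ;;
    *)   audit_remote_access < "$1" ;;
esac
```

It only prints the `nvram set` lines instead of running them, so you can review them (and drop the PPTP one if you run that server on purpose) before pasting them into the router shell. The non-zero exit status makes it usable from a cron job or a monitoring script that re-checks the router after the app has been used.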
I have had to disable WAN access twice now; I was wondering what the hell had turned it on. Outrageous.
 
For now there is only one way to avoid this - keep the router admin credentials to yourself and get rid of the app.

Anybody who

- has access to your wireless network
- knows the router administration credentials
- has this neat app on the phone

can access the router even after he has left your wireless network - even without knowing it.

This is the way I discovered it. I was at a friend's house once and helped him to set up the router. While doing it I added his router to the app on my phone just for demonstration. Today I just opened the app and boy was I surprised to see that the app started to sync the state of his router although I was nowhere near his home and had never intended to enable remote access via the app or any other way...
 
I'm not really understanding this. I have/use the iOS app; it is connected and working for my 88U. Access from WAN and AiCloud are still OFF. I can connect only when at home, or using VPN.

I set up the app a long time ago, so it's possible they got enabled at that time and then I disabled them again (don't recall). But the app CAN be used with these disabled, and it doesn't automatically re-enable them.

I'm running Merlin 380.69 on the 88U, in case that makes a difference.
 
I do not know about the iOS version - I do not have any iOS devices.

I bought my current phone in December and the Android version of the app was updated on December 14th. It can be that any devices linked before that would not get this treatment, if you do not flip the "Remote connection" option ON when connected to the device on the local network - but then you will be notified about that in the appropriate way.

The problem is not about having this feature, but about it being turned on without notice and without an opt-out on first connection.

P.S. It looks like the iOS version was also updated in December, but there's no statement about remote access in the iOS App Store.
 
Remote access is also enabled by default with the iOS version of the app. I noticed this a while ago.
 
Yes. An absolute and utter disaster. I noticed this today, by coincidence. I've been exposed for weeks now. So, so bad... I am in contact with ASUS support, to ensure they fix this.
 
It also appears that specific models have automatic firmware updates enabled. Silent (no notifications or permissions) types of activity need to be clearly documented. There is a lot of confidence and trust in the ASUS brand and technologies, and transparency on this type of stuff is always helpful.
 
I got hit by this on my RT-N66U. I didn't realize the app did that. It seems the recent CVE that allowed unauthenticated commands to be sent to an exposed web interface was also taken advantage of. It looked like a PPTP VPN account was set up, but thankfully never used. I trawled through all my logs for devices and found no evidence of suspicious activity anywhere.

Horrible...
 
I took the time and wrote to Asus to request that they change this.

Answer: "This is how the application is supposed to work, all is working as intended."

Sigh...


From: xxx
Sent: 2018-04-06 16:05:21
Subject: Satisfaction - Product quality
Apply Date : 2018/04/06 14:05:21.535 (UTC Time)

[Product information]
Product type : Wireless
Product model : RT-AC68U
Product serial number : xxx

[Problem description]
I have an RT-AC68U router which for security reasons is only accessed in my own LAN (never ever from the open internet/WAN). I have made absolutely certain that the Remote Access functionality is Disabled.

However, I recently noticed that Remote Access had been changed to Enabled. This shocked me, and I first assumed I had been hacked somehow. However, after some research, it turns out that your iPhone "Asus Router" app must have Enabled Remote Access, without notifying me.

I hereby request that you change this in the Asus Router iPhone app (not just for me, but in general) -- it is very dangerous if Remote Access is Enabled, and the user is not even informed about it.
-------------
Hello xxx.

Thank you for your e-mail.


This is how the application is supposed to work, all is working as intended.
Kind regards,
Andreas D
Asus Customer Service
Asus Technical Support Site: http://support.asus.com
 
Horrible answer. I got hit by this plus the unauthenticated remote config exploit when the Android app did this without me realizing it. Thankfully I could find no trace of anything bad happening besides a PPTP VPN tunnel being configured. None of my other devices audited/logged any intrusions or abnormal traffic/access, so I think I got lucky that it wasn't used yet. Probably hoping to make it part of a botnet at some point and just added to a DB of their compromised devices.
 
"Asus Router" app
- Google Play Store version: 1.0.0.3.32 dated "May 27, 2018"
- Apple Store version: 1.0.0.0.95 dated "Apr 25, 2018"

The Apple Store shows a bug fix since April 23, 2018 stating "1. Bug fix of Remote Connection feature" with version 1.0.0.0.91.

Has this happened to anyone with an up-to-date version of this app since then, and if so, which store and version of the app do you have?
 
Last week it was still an issue.

and turning off remote connections disabled the app... it's listed as a requirement now.
 
Hi,
The new version (1.0.0.0.95) provides an option to decline setting up Remote Connection. I am currently using the iOS ASUS Router app without Remote Connection.
 
And if you disable it in the app, your router will still stay open like a ...
Reactivating it in the app must not work, because the router should close WAN access but won't do so.
That's about what I read in another thread.

Please correct me if things really have changed to get safer.
 
I took the time and wrote to Asus to request that they change this.

Answer: "This is how the application is supposed to work, all is working as intended."

Sigh...



Yikes. That's likely coming from someone who doesn't understand the risk. Glad you sent them notice on it, though....

Last week it was still an issue.

and turning off remote connections disabled the app... it's listed as a requirement now.

Wait, what, it doesn't work from LAN? Mine works fine on LAN and I did get a prompt to enable remote access....

Android version 1.0.0.3.32

And if you disable it in the app, your router will still stay open like a ...
Reactivating it in the app must not work, because the router should close WAN access but won't do so.
That's about what I read in another thread.

Please correct me if things really have changed to get safer.

Turn off DDNS and WAN access and there are no worries. Decline the feature from the app...
 
Hi guys, I installed the app and I hit accept when I saw the message about DDNS and the other things. I then thought it may be a bad idea, so I deleted the app off my iPhone and did a reset of the router (RT 5300) and the AC3100 node, the 5300 through its interface and the node through the reset button. I did this because I could not find all of the settings that may have been changed.
Am I able to install this app again but hit decline instead of accept and still use the app?

Thank you.
 
But if I try it, I am not sure how to change back what it changed. I found the DDNS but that is it.
 
