Asus Router Security Discussion
NismoZ

Occasional Visitor
Folks, let me start out by saying that I do not own an Asus router, but have wanted one for my next upgrade. The purpose of this is not to flame anything about Asus products; it's just to serve as a discussion and info page for security issues, and maybe some people will benefit from reading it. I have read through several threads about the latest attack in October and am trying to gain some more knowledge of how these happen and what Asus owners can do to minimize future attack surfaces.

People that have had Asus routers over the last several years, how many of these hacks have you seen?
  • When these attacks happen, does it affect all models or only some of them on the currently supported firmware versions?
  • Do the attacks happen from infected Asus SaaS offerings that the routers use, or does code get installed onto the routers and launches from there?
  • If one does these things, does that shut off access to the outside for attacks and can these attacks be prevented? Disable Asus AICloud, Use only local IPs for router mgmt and not the Asus web link, Do not use WEP/WPA1 and only use WPA2/3, Disable Remote Admin, Telnet, SSH, DMZ and others.
Any other info that can help prevent future attacks for anyone reading?
 
First, if you haven't done so already, use the forum search feature to find a number of past discussions covering malware on Asus routers. There have been a number of recent malware infections over the past few years.

See the Asus Product Security Advisory page if you haven't already; there are some updates there about some of the past intrusions/malware hacks:
In particular see this entry from last September:
09/06/2024 Guidance on enhancing router security
We recommend regularly checking your equipment and security measures for enhanced safety. If you use an ASUS router, follow these steps:
• Update your router with the newest firmware. We encourage you to do this when new firmware becomes available. You can find the newest firmware on the ASUS support page at
https://www.asus.com/support/ or the relevant product page at
https://www.asus.com/Networking/. ASUS has provided a link to new firmware for some routers at the end of this notice.
• Use different passwords for your wireless network and router-administration page. Use passwords that have at least 10 characters, with a mix of capital letters, numbers and symbols. Do not use the same password for more than one device or service.

Please ensure that your login and WiFi passwords are secure if you cannot upgrade the firmware promptly.
For further help with router setup and an introduction to network security, please visit
https://www.asus.com/support/FAQ/1008000
https://www.asus.com/support/FAQ/1039292
Please update the firmware for the models listed to the version specified in the table.
If your router is listed below, follow these steps to secure it:
  • Reset the router to default settings.
  • Disable remote access services such as WAN access, AiDisk, AiCloud, FTP, Download Master, VPN, Port Forwarding.
Generally this goes for most consumer-grade routers: you can limit the intrusions by not opening up any ports or services to the internet on the router (or to clients behind the router via port forwarding). This includes disabling WAN admin access, among other things.

Understand that no matter how much you harden the router, if your clients on the local network become infected the router itself can become compromised or infected. This is why good security is a layered approach. Not only do you harden the router, you also need to harden the computers and devices on the local network. More often than not it is the human inside the network that compromises their network or router, either by clicking on malware, visiting malware sites, opening an infected email/file, or simply opening up the router to external access through router internet-facing services/features.
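The hardening checklist above (no WAN admin, no AiCloud/AiDisk, no port forwarding or DMZ, WPA2/WPA3 only) can be checked against a router's own settings rather than by clicking through the UI. The following is an added example, not code from this thread or from Asus: it parses the `key=value` lines that `nvram show` prints on Asuswrt-based firmware and flags the exposure-related settings. The variable names used are my recollection of Asuswrt/Asuswrt-Merlin naming and are an assumption; compare them with your own `nvram show` output (from an SSH session on the router) before trusting a clean result. The sample dump is constructed, not captured from a real device.

```python
"""Audit an Asuswrt-style `nvram show` dump for internet-facing settings.

Added example for this thread, not code from the forum or from Asus.
The nvram variable names below are an assumption (my recollection of
Asuswrt/Asuswrt-Merlin); verify them against your own `nvram show` output.
"""
import re
from typing import Dict, List

# Constructed sample of `nvram show` output (key=value per line); not
# captured from a real router.
SAMPLE_NVRAM = """\
misc_http_x=1
misc_httpport_x=8080
http_enable=0
sshd_enable=1
telnetd_enable=0
dmz_ip=192.168.50.20
enable_webdav=1
vts_enable_x=1
vts_rulelist=<RDP>3389>192.168.50.20>3389>TCP>
wl0_auth_mode_x=psk
wl1_auth_mode_x=psk2
wan0_ipaddr=203.0.113.7
"""

# Wireless auth modes that are WPA2 or WPA3 (assumed Asuswrt spellings).
SAFE_WIFI_AUTH = {"psk2", "sae", "psk2sae", "wpa2", "wpa3"}


def parse_nvram(text: str) -> Dict[str, str]:
    """Turn `key=value` lines into a dict; lines without '=' are ignored."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per setting that exposes a service or weakens auth."""
    findings: List[str] = []
    if cfg.get("misc_http_x") == "1":
        port = cfg.get("misc_httpport_x", "?")
        findings.append(f"web admin reachable from WAN (port {port})")
    if cfg.get("http_enable") == "0":
        findings.append("web admin served over plain HTTP only")
    if cfg.get("sshd_enable") == "1":      # assumed: 1 = LAN+WAN, 2 = LAN only
        findings.append("SSH enabled for LAN and WAN")
    if cfg.get("telnetd_enable") == "1":
        findings.append("telnet enabled")
    if cfg.get("dmz_ip"):
        findings.append(f"DMZ host {cfg['dmz_ip']} receives all unsolicited WAN traffic")
    if cfg.get("enable_webdav") == "1":
        findings.append("AiCloud/AiDisk WebDAV enabled")
    if cfg.get("vts_enable_x") == "1":
        # Assumed rule list format: one '<'-prefixed record per forward.
        rules = [r for r in cfg.get("vts_rulelist", "").split("<") if r]
        findings.append(f"port forwarding enabled ({len(rules)} rule(s))")
    for key, value in cfg.items():
        # wl0_, wl1_, wl0.1_ ... auth modes for every radio / guest network
        if re.fullmatch(r"wl\d+(\.\d+)?_auth_mode_x", key) and value not in SAFE_WIFI_AUTH:
            findings.append(f"{key}={value} is not WPA2/WPA3")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_nvram(SAMPLE_NVRAM)):
        print("-", finding)
```

On a real router you would feed it the output of `nvram show` (for example saved to a file over SSH) instead of the embedded sample; an empty finding list is only as good as the variable names being right for your firmware version.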
 
You have 2 options. Buy something that works out of the box or build your own and secure it.

The wifi settings only matter locally and within RF range for anything to be impacted.

The problem with most consumer routers is you don't know what's running in the background most of the time and sometimes can't even control it if the firmware is closed sourced. When you have things running in the background they will pinhole the security to get out to the internet.

I went DIY about 10 years ago now and my motivation was to get away from over-priced cheap boxes with crappy updates. I've upgraded/rebuilt the setup a few times over the years for other tasks the box is performing, but the router function remains the same from one version to another and is quick to port from one system to the next. The only downside is WiFi not having as many options to internalize within the box as things progress. For AC I was able to use an internal card for the AP portion, but AX/E was dominated by Intel and that doesn't work well as an AP. BE has some promise though, with a few Qualcomm options for about $35 M2. Right now it's just a matter of waiting on the devs to release the pieces of code to bring it up into operation.

Besides all of this running a DIY configuration allows you to manage things how you want. If you want more security monitoring you just install the SW. If you just want something simple to monitor things then just install it. If you start out with 1GE ports and decide you need to upgrade or add 2.5GE for an AP then you just get a NIC instead of a new router. When I was running spinner disks for the "NAS" portion I tested the speeds and found that 5GE would be sufficient to max them out over the network which prompted adding a 5GE NIC. I swapped out the disks though last year for a NVME U.3 drive that does 6.5GB/s which means the need for more speed. I pondered 10GE as one device is a laptop and that's the most you can get over the USB/TB port for a dongle. Instead for the rare need to connect for a large data copy I just use the TB cable between them and sync at 20gbps and saved some money on more HW.

For protecting the system you also have the ability to update the kernel weekly, which applies the patches to the system for new CVEs as they come along instead of relying on a router OEM to release a patch based on a kernel that's over 5 years old. Besides this though, if you set up the firewall rules to protect traffic it really shouldn't be an issue unless a client triggers opening a flood of ports or is infected and sends your data out without permission. Using something like pihole to block traffic based on the DNS also helps squash some of the threats or privacy issues.

Basically you have options by DIY that you don't with a prepackaged box. Put it to work for more than just internet as the router impact is very little.
 
On this latest round of Asus malware, how did the code get into the router? Was it through something launched in clients internally or did it come through for only people who had certain services open external?

Are there online security sites that can scan against your router from the outside to determine if there are any holes?
 
On this latest round of Asus malware, how did the code get into the router? Was it through something launched in clients internally or did it come through for only people who had certain services open external?
Not sure it's been determined definitively yet exactly what the attack vector is. Speculation seems to center around AiCloud services (AiCloud and/or AiDisk) being the target, since disabling them seems to fix some people's issues. Not clear if the vector is coming through the external open AiCloud/AiDisk service or coming from an internal vector (compromised machine or human clicking malware). Eventually people will figure out what the specific attack vector is/was.
 
When setting up Asus routers, if you use the app like they say to do, can you do that without creating any Asus online accounts? Or do you need to do it the old fashioned way of plugging in a wired NIC on the same subnet and logging into the router in order to forgo the online Asus account?
 
Asus account is not required with both App or WebUI setup.
Data sharing to Asus is required for Firmware Updates, Asus App, Asus DDNS, Remote Connection, AiCloud, AiDisk.

Data sharing to Trend Micro is required for popular firmware features. Without it the following will not work:
AiProtection, Traffic Analyzer, Apps Analyzer, Web & Apps Filters (Parental Controls), Adaptive QoS, Game Boost, Web History.
 
Asus router security was a question I had around the time of the OP when the news came out about the TP-Link hacks with Asus possibly having an association. I found that the Asus routers affected were minimal, a small percentage and likely not updated. I'm revisiting this today as TP-Link has been called out by the US government & there's a ban being considered of TP-Link products. Asus however is not Chinese, like TP-Link--the parts may be manufactured in China (as is just about anything in technology), but the Taiwanese have the final say so. I suspect all this clamor to be part of the ensuing trade war currently ramping up, more than anything...

A plus about the Asus equipment is that it's required by the US FTC to undergo audits for 20 years starting in 2016. How many commercial firewall vendors have these audits or any requirements? As a result of this FTC requirement Asus seems to be diligent about addressing CVEs and providing a more secure product. Commercial vendors have frequent CVEs they must address as well, vendors including Fortinet, Palo Alto, Sonicwall & others have been in the news more than once this year, some of them surprisingly, and some are unresolved. You may not be able to download an update if you don't maintain service with these vendors.

As others have pointed out, you have to take the security consideration into your own hands, do updates, and make use of the security mechanisms provided by Asus as well as what's offered here on Merlin (if you choose to add Merlin to your router). In my opinion this is a better option than many commercial firewall vendors as you pay once for the product, that's somewhat community driven open source (many CVEs are addressed by Merlin before even Asus addresses them) and don't have to maintain a subscription, which oftentimes commercial options offer too much or not enough to the user. I also see that Asus addresses many of the concerns of users, although it may be slow at times--however I choose to use my router as a router, gateway & firewall, I don't use a lot of the third party non-security add-ons. Trend Micro is a security company, has had a decent reputation through the years, I feel the tradeoff is worth using their add-on--it's just another point of data they use to provide better security. You have Asus manufacturing/engineering, FTC required audits, Trend Micro security & open source community driven input all involved in the creation of this product, where else do you get that? So generally my opinion of Asus router security is as high as any other option, for the most part. In the end reducing your attack surface throughout your network is the best method to reduce risk....

Another option is to run Banyan Vines which didn't run well back in the day, was difficult to deploy for many, so how's anyone going to hack it now? :D
 
