ASUS RT-AC87U WPA2 key cracked in 2 seconds

Exactly! I am doing the same. The old school (I am 54) is always paranoid. And this is a point of discussion between me and my daughter. Even though she is going to graduate in Computer Science, it seems she doesn't care about it. Maybe this is normal for the "Facebook generation" :)

So true!
 
Whether it is WPS on your WLAN or SSH onto the internet, always consider your network under constant and persistent attack... watch out what one has open...

Whether it is a router/nas/desktop - there are those that are working hard to break the locks...

Case in point... this is on a full-blown linux box I use to jump in, and it's on a non-standard port, and we've got sshd pretty much locked down, but still, there's people wiggling the doorknob...

For an embedded linux distro like what most home/small business routers/NAS boxes use, they're toast if services are opened up...

In the words of Don Draper... "Limit your exposure" (SE301 fwiw)

sfx

2015-05-02 00:02:14,792 fail2ban.actions: WARNING [ssh] Ban 71.13.204.170
2015-05-02 00:16:50,473 fail2ban.actions: WARNING [ssh] Ban 43.255.190.134
2015-05-02 00:17:21,526 fail2ban.actions: WARNING [ssh] Ban 43.255.190.133

[trimmed this post - 050615 - sfx2000]
 
Whether it is WPS on your WLAN or SSH onto the internet, always consider your network under constant and persistent attack... watch out what one has open...

Whether it is a router/nas/desktop - there are those that are working hard to break the locks...

Case in point... this is on a full-blown linux box I use to jump in, and it's on a non-standard port, and we've got sshd pretty much locked down, but still, there's people wiggling the doorknob...

For an embedded linux distro like what most home/small business routers/NAS boxes use, they're toast if services are opened up...

In the words of Don Draper... "Limit your exposure" (SE301 fwiw)

sfx

Did you try to geoip all the attackers? :cool: It would be interesting stats.
 
Did you try to geoip all the attackers? :cool: It would be interesting stats.

Most of it is from dedicated server farms in China... nothing new here. They're looking for loose edges to attack against...

Looking at the auth.logs, all the SSH attempts are pretty simple, although it's across all ports for that protocol - it's brute force at an interesting scale..
 
Most of it is from dedicated server farms in China... nothing new here. They're looking for loose edges to attack against...

Looking at the auth.logs, all the SSH attempts are pretty simple, although it's across all ports for that protocol - it's brute force at an interesting scale..

The takeaway is always have strong passwords (or better yet, use keys instead), and make damn sure that root login is disabled.

90 percent of the attempts are for root, the rest scatter about different default service logins...
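As an added illustration (not code from the thread or from fail2ban), here is a small Python script that does what the post above describes by hand: it reads sshd "Failed password" lines from an auth.log, reports the share of attempts aimed at root, and applies a fail2ban-style maxretry/findtime window to decide which sources would be banned. The log lines, host name and addresses are constructed.

```python
"""Added example: sshd brute-force triage over auth.log-style lines with a
fail2ban-like sliding window. Sample lines below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log lines (syslog timestamps carry no year; 2015 assumed).
SAMPLE_AUTH_LOG = """\
May  2 00:01:10 jumpbox sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
May  2 00:01:12 jumpbox sshd[2101]: Failed password for root from 198.51.100.7 port 51234 ssh2
May  2 00:01:15 jumpbox sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 51240 ssh2
May  2 00:01:20 jumpbox sshd[2105]: Failed password for root from 198.51.100.7 port 51250 ssh2
May  2 00:01:22 jumpbox sshd[2106]: Failed password for root from 198.51.100.7 port 51251 ssh2
May  2 00:05:00 jumpbox sshd[2110]: Failed password for root from 203.0.113.9 port 40001 ssh2
May  2 00:30:00 jumpbox sshd[2120]: Failed password for root from 203.0.113.9 port 40002 ssh2
May  2 00:55:00 jumpbox sshd[2130]: Failed password for root from 203.0.113.9 port 40003 ssh2
May  2 01:20:00 jumpbox sshd[2140]: Failed password for root from 203.0.113.9 port 40004 ssh2
May  2 01:45:00 jumpbox sshd[2150]: Failed password for root from 203.0.113.9 port 40005 ssh2
May  2 00:02:00 jumpbox sshd[2102]: Accepted publickey for ops from 192.0.2.5 port 60000 ssh2
"""

# Standard OpenSSH failure message; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2015):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def root_share(text):
    """Fraction of failed attempts that target root (the '90 percent' figure)."""
    users = Counter(user for _, user, _ in parse_failures(text))
    total = sum(users.values())
    return users["root"] / total if total else 0.0

def ban_decisions(text, maxretry=5, findtime=600):
    """fail2ban-style rule: ban a source once it reaches maxretry failures
    within findtime seconds. Returns {ip: timestamp of the ban}."""
    events = sorted(parse_failures(text))
    window = defaultdict(list)   # ip -> timestamps still inside the window
    banned = {}
    for ts, _, ip in events:
        if ip in banned:
            continue
        hits = window[ip] + [ts]
        # forget failures older than findtime; slow scanners never accumulate
        window[ip] = hits = [t for t in hits if (ts - t).total_seconds() <= findtime]
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    print(f"root share of failed logins: {root_share(SAMPLE_AUTH_LOG):.0%}")
    for ip, when in ban_decisions(SAMPLE_AUTH_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} fail2ban-style ban {ip}")
```

The second source in the sample spaces its attempts 25 minutes apart, so the default 10-minute window never bans it; widening findtime catches it, which is the trade-off the low-and-slow scanners exploit.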
 
The takeaway is always have strong passwords (or better yet, use keys instead), and make damn sure that root login is disabled.

90 percent of the attempts are for root, the rest scatter about different default service logins...

For one of my customers, this was a headache for a while because their servers would stop accepting any login attempt for a couple of minutes due to the high volume of attempts within a small period of time (I think it was PAM throttling things, I don't remember for sure). This was causing Nagios to trigger false alerts on SSH being down. In the end we simply moved SSH to a non-standard port, which resolved that particular issue.

On my work's server I use CSF. Far more flexible than fail2ban, and works more reliably too. Our Linode gets constantly hammered on various service ports, despite me flat out blacklisting a few networks from China. I also added a custom rule in CSF to block all those YLMF-PC based intruders hitting my SMTP server.
 
For one of my customers, this was a headache for a while because their servers would stop accepting any login attempt for a couple of minutes due to the high volume of attempts within a small period of time (I think it was PAM throttling things, I don't remember for sure). This was causing Nagios to trigger false alerts on SSH being down. In the end we simply moved SSH to a non-standard port, which resolved that particular issue.

On my work's server I use CSF. Far more flexible than fail2ban, and works more reliably too. Our Linode gets constantly hammered on various service ports, despite me flat out blacklisting a few networks from China. I also added a custom rule in CSF to block all those YLMF-PC based intruders hitting my SMTP server.

Yep - and for the info of spectators on the thread - CSF == http://configserver.com/cp/csf.html

Pretty slick tool for hosted environments...

The issues with your customers and ssh - basically the bots were sucking up all the ssh startups, so one has to wait - depends on how openSSH is configured and how one whitelists hosts with wrappers... kill the bots before they hit PAM..

Anyways... getting back to the embedded space, one really needs to review the default configs for Dropbear - OpenWRT is pretty permissive there, and a lot of router BSPs pull the same config...

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'

Anybody see what's a bit of a concern?
 
Anyways... getting back to the embedded space, one really needs to review the default configs for Dropbear - OpenWRT is pretty permissive there, and a lot of router BSPs pull the same config...

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'

Anybody see what's a bit of a concern?

Password auth and ports can be changed through the webui with my firmware. Allowing root logins does make sense, because those routers only have one single user - the root one. And as long by default they are still only exposed to the LAN (that's at least the default with my FW, no idea about OpenWRT), this isn't an issue. If you have someone on your LAN side trying to hack your router's SSH access, you have bigger issues to resolve.
 
Password auth and ports can be changed through the webui with my firmware. Allowing root logins does make sense, because those routers only have one single user - the root one. And as long by default they are still only exposed to the LAN (that's at least the default with my FW, no idea about OpenWRT), this isn't an issue. If you have someone on your LAN side trying to hack your router's SSH access, you have bigger issues to resolve.

Goes back to what I was saying about security being baked in, not added on - since root is the only login, and that user has access to everything, that is a clear design issue.

Looking forward, might be better to actually assign users to various services, for example, samba for smb services, webadmin for the web server, etc... and then disable root login, forcing users to have to su - over on the ash shell (ash is the shell for busybox). This was a key feature in my designs, where there are clear roles and activities, along with access separation.

Anyways, one of the cool things about Dropbear is that there can be multiple instances, bound to different interfaces, so one can bind the lan ports to one instance, and the other to the WAN port, like below just as an example:

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option PasswordAuth 'on'
    option Interface 'wan'
    option Port '2022'
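Added example, not code from the thread or from OpenWRT: a small Python checker for the /etc/config/dropbear format shown in the two posts above. It parses each config dropbear section and flags the settings called out here (password auth, root password auth, port 22, an instance not pinned to an interface). The HARDENED config is an assumed key-only WAN instance for comparison, not an OpenWRT default.

```python
"""Added example: lint UCI dropbear sections for the settings discussed above."""
import re

# Constructed configs in the /etc/config/dropbear format quoted in the thread.
WEAK_DEFAULT = """\
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
"""
TWO_INSTANCES = """\
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'lan'

config dropbear
    option PasswordAuth 'on'
    option Interface 'wan'
    option Port '2022'
"""
# Assumed hardening (not an OpenWRT default): keys only on WAN, no root password anywhere.
HARDENED = """\
config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'

config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '2022'
    option Interface 'wan'
"""

SECTION_RE = re.compile(r"^\s*config\s+(\S+)")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'?([^']*)'?\s*$")

def parse_uci(text):
    """Return [(section_type, {option: value}), ...] in file order."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2).strip()
    return sections

def audit_dropbear(text):
    """Map each dropbear instance (index in file order) to its findings.
    Absent PasswordAuth/RootPasswordAuth/Port count as on/on/22, the defaults."""
    findings = {}
    instances = [opts for kind, opts in parse_uci(text) if kind == "dropbear"]
    for idx, opts in enumerate(instances):
        pw = opts.get("PasswordAuth", "on") == "on"
        root_pw = opts.get("RootPasswordAuth", "on") == "on"
        iface = opts.get("Interface")   # None = listens on every interface
        issues = []
        if iface is None:
            issues.append("no Interface option: not pinned to the lan side")
        if pw:
            issues.append("PasswordAuth on: passwords can be guessed")
        if root_pw:
            issues.append("RootPasswordAuth on: root reachable with a password")
        if opts.get("Port", "22") == "22":
            issues.append("Port 22: the first port every scanner tries")
        if iface == "wan" and pw:
            issues.append("wan instance accepts passwords: make it keys only")
        findings[idx] = issues
    return findings

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_DEFAULT), ("lan+wan", TWO_INSTANCES), ("hardened", HARDENED)]:
        for idx, issues in audit_dropbear(cfg).items():
            print(f"{name} instance {idx}: {issues or 'no findings'}")
```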
 
Goes back to what I was saying about security being baked in, not added on - since root is the only login, and that user has access to everything, that is a clear design issue.

Looking forward, might be better to actually assign users to various services, for example, samba for smb services, webadmin for the web server, etc... and then disable root login, forcing users to have to su - over on the ash shell (ash is the shell for busybox). This was a key feature in my designs, where there are clear roles and activities, along with access separation.

This implies rewriting the whole firmware from scratch. Not gonna happen. There are far more important issues that would warrant such a redesign from the ground up, and they aren't enough either to justify the high cost that would be associated with such a major undertaking. Unless you'd be willing to ask Cisco-pricing for an entry level home router. There's a reason why Cisco sells 1000$+ routers, but Asus/Netgear/DLink offers 30$ products. Software development + support does carry a fairly high cost. That's why most manufacturers go down the cheapest route, which is either doing minor changes to the SoC provider's SDK (like most Broadcom-based products), or reuse an existing solution (Asus went with Tomato, Securifi went with OpenWRT, etc...) and work on top of these.

My door lock isn't rated to protect my bank, but it's "good enough". The same applies to home routers here IMHO. Security is always about achieving a balance between cost and result, relative to the specific application where this would apply. I wouldn't secure a bank with a 20$ door lock any more than I would secure my home door with a 500$ lock.

Having SSH default to "disabled" is perfectly fine security-wise. If you enable it, then it's your job to configure it - the settings are right underneath the option you clicked on to enable it. So from a security stand point, this is sound security: disabled by default.
 
There's IMHO a mass hysteria building up these days regarding security. Mozilla recently announced that they intended to start disabling specific features if you visit a website that's not https, and that the whole planet should move to https. I'm sorry, but I ain't gonna pay 250$ a year for an SSL certificate for my personal website, nor will I start re-issuing a new certificate every 60 days because I opted to go with a free solution which limits validity to a few months.

Plus, SNI support is half broken with the hosting company that has my website. Search engines are reporting all sorts of weird domain names returning with my website's content because of this. From an SEO's point of view, this is a nightmare.

And finally, SSL encryption does carry a performance penalty. If public websites were to all switch to SSL being enforced, some of these would need to upgrade their infrastructure, or we'd be facing a generalized slowdown of the web.

We're going from "not enough" to "too much" these days. Knee-jerk reaction IMHO. The correct response lies in the middle.
 
There's a reason why Cisco sells 1000$+ routers, but Asus/Netgear/DLink offers 30$ products. Software development + support does carry a fairly high cost. That's why most manufacturers go down the cheapest route, which is either doing minor changes to the SoC provider's SDK (like most Broadcom-based products), or reuse an existing solution (Asus went with Tomato, Securifi went with OpenWRT, etc...) and work on top of these.

But when one compares how many $30 routers are sold vs. how many $1000 Cisco routers are sold, there's more money down there... and this makes having sane and reasonable security designed in - once it's done, then it carries over to future devices... and perhaps even an opportunity for the upstream to take it forward... whether it is OpenWRT/Tomato, or the SoC providers.

I agree, some folks may have overreacted with recent revelations, but this is very basic stuff... and now that desktop OS vendors are taking security much more seriously, the "security" community is going after devices like Home Routers, as the surface is pretty huge...
 
Anyone know if the RT-AC68x routers suffer from this defect? I configure WPS "off" on my router. Is it really "off?"
 
But when one compares how many $30 routers are sold vs. how many $1000 Cisco routers are sold, there's more money down there....

How much does Cisco typically charge for a support contract? :)

Cisco makes sure they make as much money as possible out of their customers to be able to provide the services they do...

Personally, I suspect that there's almost no profit out of a 30$ router. One single support call requesting guidance on how to plug it will immediately make that router become a loss for the manufacturer.
 
Anyone know if the RT-AC68x routers suffer from this defect? I configure WPS "off" on my router. Is it really "off?"

The bug is specific to Quantenna, therefore only the RT-AC87U (and its 5 GHz band) are affected.
 
How much does Cisco typically charge for a support contract? :)

Cisco makes sure they make as much money as possible out of their customers to be able to provide the services they do...

Personally, I suspect that there's almost no profit out of a 30$ router. One single support call requesting guidance on how to plug it will immediately make that router become a loss for the manufacturer.

I can go to Cisco and get a patch, usually within hours of a vulnerability disclosure, might take a couple of days... but Cisco routers are designed with security in mind... and there is a different level of expectation when I invest K-Bucks in a gear/support deal...

To Joe Six-Pack, buying a consumer grade router, he doesn't even know he's been haxxor'ed, and the support costs to the vendor - it's like you say, margin sunk... so is it better to spend a bit to design right, or wait for customers to call?

As you mentioned, ASUS runs everything with one account on their routers - root - and that is the superuser... bad, bad, bad design...

It's not just ASUS, but this is an ASUS thread, and whether it's a bad/weak WPS implementation or other services, running as root is a very bad idea from a security perspective - crack services, and boom, instant superuser access..

Security - This is a fairly easy thing to design in as a developer and architect - it's hella bad to try and patch and dodge one's way around in a bad design..

There are consumer grade AP/Routers that are more secure, but most of them are not ASUS, Netgear, Linksys, D-Link...

just saying...
 
I can go to Cisco and get a patch, usually within hours of a vulnerability disclosure, might take a couple of days... but Cisco routers are designed with security in mind... and there is a different level of expectation when I invest K-Bucks in a gear/support deal...

To Joe Six-Pack, buying a consumer grade router, he doesn't even know he's been haxxor'ed, and the support costs to the vendor - it's like you say, margin sunk... so is it better to spend a bit to design right, or wait for customers to call?

As you mentioned, ASUS runs everything with one account on their routers - root - and that is the superuser... bad, bad, bad design...

It's not just ASUS, but this is an ASUS thread, and whether it's a bad/weak WPS implementation or other services, running as root is a very bad idea from a security perspective - crack services, and boom, instant superuser access..

Security - This is a fairly easy thing to design in as a developer and architect - it's hella bad to try and patch and dodge one's way around in a bad design..

There are consumer grade AP/Routers that are more secure, but most of them are not ASUS, Netgear, Linksys, D-Link...

just saying...
Agreed with sfx, the expectation is not the same in the enterprise or hospitality versus the "Joe Six-Pack" expectation. Different market, different pricing, different SLA.

In 2013, I met Robert Pera from Ubiquiti. I asked him about the enterprise market and the 5-star hotels; basically Robert told me "I am not in the 5-star hotels, or 4-star, but there are plenty of 3-star hotels that still need wifi". There is a niche for everybody to make money in the wifi space, but it's not because your product is inexpensive that you can neglect security. Most of the security issues we talk about here can be easily fixed. It's not because you drive a Yaris that you don't have a seat belt :cool: nor an airbag.
 
Since rMerlin suggested it's kind of hard to implement a better security scheme, let me show you just how broken some ASUS devices are...

Here's the setup - WL-330NUL - nice little travel router dongle - nice feature, it supports a guest network as a second SSID, and it offers either a Prompt Option (asking the router admin to approve/block), or a PIN code to enter - once that's done, everything is cool...

So, we get the Guest Network running, and we attach to the AP - it's open, so no passphrase, etc..

[image: iwconfig.png]


We fire up a browser... Firefox in this case, and we get the portal that dnsmasq redirects to for prompt or pin

[image: browser_prompt.png]

So we wait a second - see the next post, as we can only attach two images...
 
So, still in the same browser window, we type in the following URL (again, this is on the Guest Network)

http://router.asus.com/Main_AdmStatus_Content.asp - see below

[image: hidden_page.png]

I type in the window - telnetd, and press return...

Go back to terminal - in this case, the client IP is 192.168.2.8, so I telnet to 192.168.2.1... and here, it's not the supervisor code normally needed to access config, it's admin/admin

yes, think about that... and think about it again.

[image: pwned.png]

------------

That's right - I now have a command line shell on the router, running as a privileged user..

This is how Asus treats your network, the data you attach on the USB drive, VPN tunnel coming in, etc.. etc.. etc.

Really easy to break security.. and cheaper to implement right the first time

sfx
 