Can't trust Asus or RMerlin firmware anymore!

[Mordred]

Since when does a firmware need closed source password encryption and decryption blobs?

https://github.com/RMerl/asuswrt-merlin/commit/c021fffd405e747e507470ea60b9823820a38760

This really stinks. Who knows, if the decryption does not accept a few special passwords and thus "trusted" asus employees or chinese gov can access the webif whenever they want.

Since when do you need a closed source crypto function for en/decrypting passwords. Very alarming.

 

[RMerlin]

Since when does a firmware need closed source password encryption and decryption blobs?

https://github.com/RMerl/asuswrt-merlin/commit/c021fffd405e747e507470ea60b9823820a38760

This really stinks. Who knows, if the decryption does not accept a few special passwords and thus "trusted" asus employees or chinese gov can access the webif whenever they want.

Since when do you need a closed source crypto function for en/decrypting passwords. Very alarming.

I have (for now) the source code of these two blobs, and I can tell you they are perfectly safe. They are currently only used to encrypt/decrypt the password used for SMTP authentication for email-based notification. The versions on my repo were all compiled by myself.

Why Asus chose to close source them however, I have no idea - I can't see anything in these two files to justify it considering how simple/straightforward the code in these two modules are.

You can take off your tin foil hat. If you don't trust anything pre-compiled, this would mean you were already compiling your own firmware for all of your devices. Were you?

 

[ryzhov_al]

Since when do you need a closed source crypto function for en/decrypting passwords. Very alarming.

Well, AiCloud lighttpd modules was always being as a blobs with no sources.

Why Asus chose to close source them however, I have no idea - I can't see anything in these two files to justify it considering how simple/straightforward the code in these two modules are.

IMHO, security through obscurity, as usual.

 

[mromero]

Since when does a firmware need closed source password encryption and decryption blobs?

https://github.com/RMerl/asuswrt-merlin/commit/c021fffd405e747e507470ea60b9823820a38760

This really stinks. Who knows, if the decryption does not accept a few special passwords and thus "trusted" asus employees or chinese gov can access the webif whenever they want.

Since when do you need a closed source crypto function for en/decrypting passwords. Very alarming.

Asus is a Taiwanese company. While the router is manufactured in the Peoples Republic of China, the firmware was copied and adapted from Tomato. I am confident that backdoors are built in to spy on users, but these backdoors would be for the U.S. NSA to spy on its citizens and other nations. Taiwan is a U.S. proxy. An independent lab such as Kaspersky or perhaps one of those hackers who uncover exploits should tear down this puppy and test it thoroughly and publish their findings.

In the meantime, having an additional and trusted router and firewall in front of any device produced by a country controlled by the West, may be recommended.

 

[4Leaf]

Asus is a Taiwanese company. While the router is manufactured in the Peoples Republic of China, the firmware was copied and adapted from Tomato. I am confident that backdoors are built in to spy on users, but these backdoors would be for the U.S. NSA to spy on its citizens and other nations. Taiwan is a U.S. proxy. An independent lab such as Kaspersky or perhaps one of those hackers who uncover exploits should tear down this puppy and test it thoroughly and publish their findings.

In the meantime, having an additional and trusted router and firewall in front of any device produced by a country controlled by the West, may be recommended.

You need to calm down. No matter what you say it is only gonna be speculation until proven. So chill out. Unless you can prove all of these theories you keep spitting out with more than just say so and hear say, then it's all worthless. Honestly, we don't care and don't want to read about it. Especially on this website!

 

[cc666]

You need to calm down. No matter what you say it is only gonna be speculation until proven. So chill out. Unless you can prove all of these theories you keep spitting out with more than just say so and hear say, then it's all worthless. Honestly, we don't care and don't want to read about it. Especially on this website!

Thats exactly how they want you to react! Congratulations.

CC

 

[Pierino]

Asus is a Taiwanese company. While the router is manufactured in the Peoples Republic of China, the firmware was copied and adapted from Tomato. I am confident that backdoors are built in to spy on users, but these backdoors would be for the U.S. NSA to spy on its citizens and other nations. Taiwan is a U.S. proxy. An independent lab such as Kaspersky or perhaps one of those hackers who uncover exploits should tear down this puppy and test it thoroughly and publish their findings.

In the meantime, having an additional and trusted router and firewall in front of any device produced by a country controlled by the West, may be recommended.

Just in case, let's all put on our tinfoil hats.

 

[4Leaf]

Thats exactly how they want you to react! Congratulations.

CC

Do you mean that is exactly how mromero wants me to respond or do you mean that is exactly how the so called spy's want me to act and not believe it?

 

[4Leaf]

If the U.S. or the NSA wanted to spy on the citizens of the U.S. They wouldn't be using routers to do it. Drones? Drones have the technology to see through walls with infrared and see exactly what you are doing. They certainly wouldn't need to hack into your personal router to watch you in case you are a possible terrorist. They could do that by other means using the internet. I'm sure that the entire internet is open for the cia/nsa to monitor any one they want at any time. Nothing is illegal when it comes to national security. Don't forget that.

The U.S. is currently spending 52.6 Billion dollars on the black budget and no one even knows what that money is really being funded towards. Why? It is in the best interest of the U.S.A's national security.

http://www.washingtonpost.com/wp-srv/special/national/black-budget/

If you don't believe me. See for yourself.

 

[Guz]

If the U.S. or the NSA wanted to spy on the citizens of the U.S. They wouldn't be using routers to do it.

You are correct. The NSA couldn't care less about our individual personal routers. They have equipment that sits on all the backbone routes around the world. Think "man in the middle" that watches all the traffic no matter what. It used be called "Prism", but I believe they have moved on to another code name after everyone found about it.

The same goes for other countries, but not quite extensive as the United States.

 

[RMerlin]

Asus is a Taiwanese company. While the router is manufactured in the Peoples Republic of China, the firmware was copied and adapted from Tomato. I am confident that backdoors are built in to spy on users, but these backdoors would be for the U.S. NSA to spy on its citizens and other nations. Taiwan is a U.S. proxy. An independent lab such as Kaspersky or perhaps one of those hackers who uncover exploits should tear down this puppy and test it thoroughly and publish their findings.

Tomato was originally developed by a Japanese fellow, and has always been open sourced. If you believe there's a backdoor in Tomato that was put there at the NSA's request, you will have to look at the source code and point us where, because the Tomato (and Asuswrt) code has been looked at by thousands of individuals, and nobody ever saw a single backdoor.

This is all baseless speculations without one single element of proof to back up those claims.

In the meantime, having an additional and trusted router and firewall in front of any device produced by a country controlled by the West, may be recommended.

Like the USA, the country where the NSA actually has legal powers? You are contradicting your own arguments there.

 

[mromero]

You are correct. The NSA couldn't care less about our individual personal routers.

From a Western controlled and well respected publication, this article contradicts your thesis. And note that thousands of SOHO wireless routers are used in offices, cybercafes, hotels etc.

NSA Laughs at PCs, Prefers Hacking Routers and Switches

"This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines."

http://www.wired.com/2013/09/nsa-router-hacking/

 

[TonyH]

Hi,
I don't have any thing to hide as a secret. Looks like some folks have puch top secrets
to protect and hide?, LOL! As is, it is hard enough to keep my sanity in every day life
I don't wear tin foil hat but I wrapped all the CA5/6 cables with double layer tin foil....

 

[mromero]

Like the USA, the country where the NSA actually has legal powers? You are contradicting your own arguments there.

No, actually what I mean is to have layers of routers with firmware NOT controlled by any Western government or proxy, in front of any equipment that could be compromised by collaboration either willing or coerced, by a Western government or proxy.

I would much prefer to be spied on by the Chinese than our government.

This a relevant comment by VC legend Peter Thiel on how the NSA collects data:

"On Edward Snowden and his revelations about the NSA: “I think Snowden revealed something that looks more like the Keystone Kops and very little like James Bond… more generally: the NSA has been hoovering up all the data in the world, because it has no clue what it is doing. ‘Big data’ really means ‘dumb data.'”"

https://gigaom.com/2014/09/11/what-vc-legend-peter-thiel-thinks-of-edward-snowden-net-neutrality-and-bitcoin/

 

[KevTech]

Just in case, let's all put on our tinfoil hats.

Don't be in violation of the area.

 

[AudiTuner]

To Briefly Sum Things Up:

 

[KGB7]

/facepalm

My Clinical Social Worker, will put me on suicide watch list for reading this thread.
Thanks a lot!


I miss the 90's afternoon Duck Tales and Tale Spin cartoons. The simpler times, when tin foil was used to wrap Thanksgiving left overs.


http://www.youtube.com/watch?v=8tKHlukQTik

 

[Ronv42]

I wonder about folks that use this statement "I don't have anything to hide". How upset would they be if their bank account numbers, PCI, PII, Medical History etc. was stolen and published?

Didn't Eric Schmidt from Google say if you want to hide something done use the internet? And then it was uncovered that the NSA had hacked Google and they were all up in arms.

I like my privacy and I do use as much security as possible for a home network. It keeps the script kiddies away but the pro's will always find a way in.

 

[mromero]

I wonder about folks that use this statement "I don't have anything to hide". How upset would they be if their bank account numbers, PCI, PII, Medical History etc. was stolen and published?

Didn't Eric Schmidt from Google say if you want to hide something done use the internet? And then it was uncovered that the NSA had hacked Google and they were all up in arms.

I like my privacy and I do use as much security as possible for a home network. It keeps the script kiddies away but the pro's will always find a way in.

Not to mention other information such as your sex orientation, viewing habits and other data that can be used to blackmail citizens into doing things they otherwise would never do.

But there will be people that shout down this type of information and try to ridicule you with tin foil and other crazed jokes as it is not in the interest of the government to have an educated and informed citizenry.

Have you heard of the Black Asphalt Intelligence Network? I have not seen it connected to routers - yet. But it is a good read on how intelligence is used to rob money from citizens.

"One of those firms created a private intelligence network known as Black Asphalt Electronic Networking & Notification System that enabled police nationwide to share detailed reports about American motorists — criminals and the innocent alike — including their Social Security numbers, addresses and identifying tattoos, as well as hunches about which drivers to stop."

http://www.washingtonpost.com/sf/investigative/2014/09/06/stop-and-seize/

 

[LoneWolf]

Not that this discussion didn't start completely off the rails, but...

The NSA has a lot better ways to take care of business than invading home routers. They can use AT&T, Verizon, Comcast, and others and get the data in the big closets. Why in heaven's name would they care about home routers when they have the bigger networks that data flows through?

They have the upstream source if they want it. That's a whole lot easier. This thread started out silly whether or not everyone is being watched, just because of the simple premise that hacking home routers would be the most PITA way for any government, be it the USA, China, EU, Russia, etc. to get a person's data. Far easier to use the telecoms and ISPs.