Looking for feedback: Anyone considering AiCloud important to them?

[RMerlin]

Is there an issue with WAN access if you are patched, have SSL cert with 2048 key length, and complex, long length, non-dictionary password, also the ability to lock down to certain IPs?

Yes. The web server is a custom made http daemon, and over the years there are constantly new security issues that are found, allowing to bypass authentication. Use a VPN instead.

 

[RMerlin]

There are a lot of people out there using Merlin firmware who don't even read these forums, and they still enjoy flipping every switch.

Because when malwares are so critical these days that they can wipe out wifi calibration data, killing wireless on your router, users who aren't aware of the existence of such issues may need to be protected somehow.

 

[raion969]

i dont usw Asus AI and i would be happy to remove all the useless features to free up some Ram

 

[Skillz]

The only time I 'used' AiCloud was to change its default web access port to a random port number so that I can re-use it's default port 443 for the HTTPS LAN port for my router

I wouldn't miss it at all if it was removed

View attachment 62445

View attachment 62446

I personally don't use this feature and also change the default 443 https lan port used in AiCloud so 443 is available for other purposes.

 

[RMinNJ]

Besides security what other advantages does removing it bring ? More avaliable RAM, stability? Just asking. Its one of those services Im afraid to enable even if available..even if needed.

 

[RMerlin]

i dont usw Asus AI and i would be happy to remove all the useless features to free up some Ram

There's no RAM to be freed. If you don't enable it, then it won't be running.

Besides security what other advantages does removing it bring ? More avaliable RAM, stability? Just asking. Its one of those services Im afraid to enable even if available..even if needed.

Just security. People not aware of the risks won't get burned the next time a new security issue arises in it.

 

[cptnoblivious]

@RMerlin you know it's going to be a PITA either way. You remove it, there'll be constant questions from people who don't read the README's asking where it is.
If it's left and there are more security issues, then people will be questioning why it was left when it was obviously an attack vector that's historically been exploited.

Typically "Security / Functionality / Ease of Use" tradeoff. I tend to err on the side of 'rip out the junk that causes issues' and when you have a thing that's supposed to increase security, being exploited and damaging routers and facilitating botnet activities, to me the preference is clear.

But that's just $0.02 Cdn

 

[Piotrek]

Just security. People not aware of the risks won't get burned the next time a new security issue arises in it.

Only for people who have it turned on, right?
It doesn't matter to people who have it turned off.

 

[DJones]

Only for people who have it turned on, right?
It doesn't matter to people who have it turned off.

Correct. But as people here have said numerous times their are people here that use Asuswrt-Merlin or in the future will use Asuswrt-Merlin that won’t read the forum or documentation who will use it because it’s there and was there in the stock versions.

Just because the vulnerability has been patched by ASUS now doesn’t mean it is invulnerable to future exploits. It has historically been proven to have been plagued as a malware attack vector that’s effective.

The issue isn’t with us that know better then to use it. It’s those that are ignorant to the risks who might use it that will suffer. The fault lies with ASUS not Merlin here he has no control over the feature except to yank it from the the firmware.

Anyways I know I’m bias here. Not trying to argue or anything if you use it your opinion to want to keep it is valid.

 

[Ripshod]

Correct. But as people here have said numerous times their are people here that use Asuswrt-Merlin or in the future will use Asuswrt-Merlin that won’t read the forum or documentation who will use it because it’s there and was there in the stock versions.

Just because the vulnerability has been patched by ASUS now doesn’t mean it is invulnerable to future exploits. It has historically been proven to have been plagued as a malware attack vector that’s effective.

The issue isn’t with us that know better then to use it. It’s those that are ignorant to the risks who might use it that will suffer. The fault lies with ASUS not Merlin here he has no control over the feature except to yank it from the the firmware.

Anyways I know I’m bias here. Not trying to argue or anything if you use it your opinion to want to keep it is valid.

I'm not biased, but I 100% agree.

 

[Unisoft]

Yes. The web server is a custom made http daemon, and over the years there are constantly new security issues that are found, allowing to bypass authentication. Use a VPN instead.

Crikey, that's worrying. If Asus cant secure a simple login page with only two fields on it, then how on earth can I trust the rest of the router for security?

Maybe time to look for longer term alternative then - don't what that is yet, but as the BE98 just cost as much as some business gear.........

As for AICloud, sounds sensible to consider removing it. Never used it anyway and always made sure that and some other stuff was disabled/off.

 

[DJones]

Crikey, that's worrying. If Asus cant secure a simple login page with only two fields on it, then how on earth can I trust the rest of the router for security?

Maybe time to look for longer term alternative then - don't what that is yet, but as the BE98 just cost as much as some business gear.........

As for AICloud, sounds sensible to consider removing it. Never used it anyway and always made sure that and some other stuff was disabled/off.

I think the bigger problem like exposing your UI router interface to the internet is that it relies on passwords. Even with a timeout and captcha that stops brute force attempts it doesn’t utilize 2FA or MFA rolling codes or something like fail2ban which would help. Still if a vulnerability is used in something like the web server outside of password guessing those methods still may not stop intrusion. Certainly a complicated issue, which is why you shouldn’t allow WAN incoming access directly to your router.

At least with VPN servers they don't use passwords they use private keys and they are highly scrutinized and tested and not limited to ASUS devices which allows vulnerabilities to be better detected.

If you host an actual server you have the same risks. Except hopefully you have a experienced IT guy who is using a much newer kernel and is receiving frequent updates and patches. ASUS only does updates with its routers maybe 2-3 times a year and they certainly don’t update the kernel except for backports. Which is terrible. Software in routers tend to be old.

 

[Treadler]

Aicloud not required here……

 

[RMerlin]

Crikey, that's worrying. If Asus cant secure a simple login page with only two fields on it, then how on earth can I trust the rest of the router for security?

The problem isn't that login page. It's various APIs that are accessible without authentication, parameters that may fail to be sanitized regardless of authentication, etc...

 

[virus_59]

Crikey, that's worrying. If Asus cant secure a simple login page with only two fields on it, then how on earth can I trust the rest of the router for security?

The problem isn't that login page. It's various APIs that are accessible without authentication, parameters that may fail to be sanitized regardless of authentication, etc...

Looks like it's time to throw this Asus piece of junk out the door and move on to something more solidly built. ;-)

 

[kuchkovsky]

Looks like it's time to throw this Asus piece of junk out the door and move on to something more solidly built. ;-)

Exposing the login page of your router to the internet is never a good idea, no matter what gear you use. If you really need remote access, you should use a VPN.

 

[virus_59]

Exposing the login page of your router to the internet is never a good idea

Why can I securely log into my bank and many other sites, but not into my router? Can't Asus even do something this simple?

I use VPN now, but if it were not necessary, it would be easier for me and other regular users.

 

[kuchkovsky]

Why can I securely log into my bank and many other sites, but not into my router? Can't Asus even do something this simple?

Because it requires constant patches and updates to the web server software, and still poses some level of risk. This makes sense for banks, as they are designed to be accessible from anywhere, but it doesn’t make much sense for a home router, which is meant to be a local device.

 

[virus_59]

a home router, which is meant to be a local device.

Do you really mean this?

Asus makes a lot of devices with internet connection. And making one universal and well-protected login page is not that difficult. I think.