Looking for feedback: Anyone considering AiCloud important to them?

[bennor]

This whole idea of cutting off AiCloud is like amputating your arm when it hurts. You don't do that, you try to heal it.

Of course, there's always a chance that it will happen again. But cutting it off is not a solution.

What is your reluctance to dumping AiCloud, which has had multiple security vulnerabilities over the years, and using VPN? Is it, as you said, just being "lazy"? Or is there some other more specific reason?

 

[bennor]

ASUSTOR and QNAP NAS’s got hit with ransomware a few years ago and guess what these companies did to restore users data. They said your SoL.

Same with the WD My Cloud line of devices that got hit with malware/ransomware a couple of years ago. In WD's case their solution was to End of Support a fair number of their NAS models and update the firmware on those EoS models to block internet access to them through WD's online MyCloud.com web portal and mobile apps (i.e. removing the "cloud" feature selling point for those EoS models) which perform a similar function to the Asus AiCloud feature. WD revamped and partially overhauled their My Cloud firmware as well. Users can still access their now EoS models by using VPN or similar. There were multi week long outages with WD's MyCloud.com and mobile app services while they dealt with a malware attack and security vulnerabilities. That will always be one of the problems when you have the manufacturer as a man-in-the-middle for remote access. At least with VPN one typically removes the manufacturer from being in the middle of the tunnel.

 

[MDM]

WiFi Radar was also removed for similar security-related reason (and it was unmaintained by broadcom), and by ASUS themselves!

 

[kaktus]

As long as the OpenVPN, WireGuard or local NAS (via USB) functionality exists I don’t see any reason to support AiCloud.

 

[ColinTaylor]

Here’s a really simple example. My understanding of how it works (may not be correct). AiCloud you will always have a man in the middle persistently connected to your router for file sync and other purposes.

I think you are misunderstanding how this works (or I'm not understanding your diagram). Perhaps you're thinking that there's a reliance on some sort of external cloud server hosted by Asus, which is not the case.

 

[kuki68ster]

Considering AiCloud's history, I am wondering if getting rid of it might not be a good idea. There are a now far better alternatives to achieve similar results (free/inexpensive cloud services, Plex, Jellyfin, a VPN, etc...)

Anyone for whom losing AiCloud in Asuswrt-Merlin would be a deal breaker for using the firmware?

(I know people who don't use it will say "just drop it", but I am more concerned in people who actually DO use it).

I've never used it and wouldn't miss it if it were removed.

 

[RMerlin]

You don't do that, you try to heal it.

Which I cannot do.

 

[DJones]

I think you are misunderstanding how this works (or I'm not understanding your diagram). Perhaps you're thinking that there's a reliance on some sort of external cloud server hosted by Asus, which is not the case.

ASUS AiCloud sync webstorage connects with a external from router ASUS website does it not? I don’t use the service so as I said I’m not very familiar with the features.

 

[ColinTaylor]

ASUS AiCloud sync webstorage connects with a external from router ASUS website does it not?

Sorry, I don't understand this sentence. Can you rephrase it.

But more to the point I don't think anyone here was discussing AiCloud Sync even though it's grouped under AiCloud 2.0. Of the 20+ routers I've seen that suffered the recent malware attack none of them had AiCloud Sync enabled, but all but one had Cloud Disk and/or Smart Access enabled.

 

[DJones]

Sorry, I don't understand this sentence. Can you rephrase it.

But more to the point I don't think anyone here was discussing AiCloud Sync even though it's grouped under AiCloud 2.0. Of the 20+ routers I've seen that suffered the recent malware attack none of them had AiCloud Sync enabled, but all but one had Cloud Disk and/or Smart Access enabled.

What I mean is AiCloud connects normally via mobile or pc application. These should be a direct connection with the exception of maybe ASUS DDNS. However if you do have ASUS’s webstorage enabled because it’s grouped under the same thing and users might be tempted to flip all the switches so to speak and use the service the router then has a persistent connection with the webstorage service using AiCloud sync.

But if your finding that’s not the point of where the vulnerability is then it’s not MITM just a issue with router vulnerabilities in the direct connection using Cloud Disk or Smart Access.

 

[ColinTaylor]

What I mean is AiCloud connects normally via mobile or pc application. These should be a direct connection with the exception of maybe ASUS DDNS. However if you do have ASUS’s webstorage enabled because it’s grouped under the same thing and users might be tempted to flip all the switches so to speak and use the service the router then has a persistent connection with the webstorage service using AiCloud sync.

But if your finding that’s not the point of where the vulnerability is then it’s not MITM just a issue with router vulnerabilities in the direct connection using Cloud Disk or Smart Access.

Yeah, there's been no suggestion that I'm aware of that this is anything other than a problem with Cloud Disk and Smart Access.

 

[MDM]

Opening Ports into Oblivion...?

 

[rung]

had Cloud Disk and/or Smart Access enabled.

That's really interesting. It seems to me, those two services would be the easiest to replace with a Merlin Addon that used open source methods to secure the connection instead of the router admin password. But I don't know enough what the client would need to be to replace the asus app for those services.

 

[DJones]

That's really interesting. It seems to me, those two services would be the easiest to replace with a Merlin Addon that used open source methods to secure the connection instead of the router admin password. But I don't know enough what the client would need to be to replace the asus app for those services.

The features already exist with nothing additional needed. Vpn server, use samba because when you tunnel in your within your LAN so it’s not opening up your samba to the internet per se. SSH and the router web interface works over vpn as well. Not sure what more you’d need that isn’t already available.

Any ssh or smb client will do the exact same thing most even can play video from the apps. And some have auto upload of camera rolls.

 

[rung]

The features already exist with nothing additional needed. Vpn server, use samba because when you tunnel in your within your LAN so it’s not opening up your samba to the internet per se. SSH and the router web interface works over vpn as well. Not sure what more you’d need that isn’t already available.

Any ssh or smb client will do the exact same thing most even can play video from the apps. And some have auto upload of camera rolls.

Yes. What I was trying to say that if those two features were replaced with a helper configuration page, it might help transition those who might use those features.

 

[m0rF1uS]

Which I cannot do.

And this should point you in the right direction - removing those features from your firmware. Plain and simple.

It’s not a popular feature. There are at least 2 simple alternatives for people who want to achieve the same result - setting up VPN and continuing to use Merlin or moving to official ASUS firmware and continuing to use the specific service.

Software needs to move forward and sometimes it’s okay to loose a specific functionality for security reasons. Same happened with WiFi Radar and I actually used that feature. Once removed I moved on and found other way to accomplish what I needed. It was the right call to remove it.

 

[Unisoft]

WAN access has to stay, if only for the fact that I actually need it for development purposes. All my development devices sit within my LAN, so their WAN interfaces are what is facing the rest of my LAN, and therefore when I connect to one to do some testing on it, I access it through its WAN interface.

Note that years ago I did add an alert() popup showing whenever someone enabled it, so they are being warned about the risks associated with it.

Is there an issue with WAN access if you are patched, have SSL cert with 2048 key length, and complex, long length, non-dictionary password, also the ability to lock down to certain IPs?

 

[Piotrek]

AiCloud is a very important and valued feature.

ASUS Deutschland

Entdecke die Welt von ASUS - Alles rund um die besten Mainboards, Grafikkarten, Monitore, Laptops und vieles mehr erfährst Du auf der offiziellen ASUS Seite.

www.asus.com

IMHO It should not be removed.

From what I read, almost all AsusWRT-Merlin users are advanced and do not use it.
If I understand correctly, when it is disabled, it cannot be hacked.
So why remove it if it does not pose a threat when disabled?
Or maybe AsusWRT-Merlin users are too advanced to click Disable in the panel?

@RMerlin Thank you for your work.

 

[Ripshod]

There are a lot of people out there using Merlin firmware who don't even read these forums, and they still enjoy flipping every switch.

 

[m0rF1uS]

AiCloud is a very important and valued feature.

ASUS Deutschland

Entdecke die Welt von ASUS - Alles rund um die besten Mainboards, Grafikkarten, Monitore, Laptops und vieles mehr erfährst Du auf der offiziellen ASUS Seite.

www.asus.com

IMHO It should not be removed.

From what I read, almost all AsusWRT-Merlin users are advanced and do not use it.
If I understand correctly, when it is disabled, it cannot be hacked.
So why remove it if it does not pose a threat when disabled?
Or maybe AsusWRT-Merlin users are too advanced to click Disable in the panel?

@RMerlin Thank you for your work.

There was a YT video of a guy few years ago that installed latest version of Windows XP and then just connected it to the internet and waited. virus after virus after virus.

So in the same line of thoughts - win xp is very secure when kept offline. Why people need to upgrade to win 7, 10, 11, etc… if they don’t use the internet. But they do, and they will.