[Official Release] AiMesh Firmware v3.0.0.4.384.20308 for All Supported Products

[OzarkEdge]

Am I being overly paranoid? Has this been resolved to the satisfaction of everyone else here?

Yes and yes. It's resolved in that it has been voluntarily reported to ASUS. If you are unhappy, restore the firmware you received with your router and use it. That's the deal.

OE

 

[RandomName23]

Yes, this would make sense. But, if that were indeed the case, couldn't @arthurlien have just said it's a requirement for Aimesh to function? So as far as I know, he has not confirmed this. In fact, it would seem others on this forum have had it disabled in nvram and have seen no ill effects, so the fact that it's always on is still odd, at least without some kind of official confirmation that it's necessary by design.

You mean like when you disable WPS and it pops up a box that says "If you disable WPS, it will affect the Aimesh Wifi connectivity. Are you sure to process?"

 

[Quad80]

Yes and yes. It's resolved in that it has been voluntarily reported to ASUS. If you are unhappy, restore the firmware you received with your router and use it. That's the deal.

OE

Fair enough. I'll shut up about it.

 

[RandomName23]

I've never used it either. The notes in the UI don't really answer all my questions, unfortunately. The issue here is that my limited knowledge is such that it makes it hard to understand the exact issue and whether or not Asus is addressing it. The wiki entry for WPS does not necessarily say the push button method resolves the known security issues, first discovered in 2011. What it does say, is "Vendors could also patch the vulnerability by adding a lock-down period if the Wi-Fi access point detects a brute-force attack in progress, which disables the PIN method for long enough to make the attack impractical." Impractical, but not impossible. I suppose impractical is largely sufficient for someone such as myself, but how Asus routers may or may not protect themselves from these attacks still isn't clear.

From what I'm hearing here, it would seem that a physical/virtual initiation/opening of WPS discovery mode by button press would keep WPS secure until such a time as said button is pressed, and then it would only open until a connection is made or for a window of up to ~2 minutes, then it closes off. In the non-discovery mode, it should not be possible to connect anything via WPS. However, this does not seem to be explicitly stated anywhere that I can find (certainly not in the wiki).

I would assume that Asus would have this under control, but as is clearly indicated in the wiki for WPS, there are/were OEMs that had toggles to switch on/off WPS that didn't actually work, so it's not like manufacturers always get things right.

I feel I must stress I'm not trying to be argumentative. I'm simply trying to understand what may or may not be happening here, at least for my knowledge if nothing else. I'm not personally overly concerned someone is going to try to hack my WiFi, but, likewise, if there is a security issue here, it should be squashed quickly. I'm starting to feel like this is under control, but still a few nagging questions here.

The RT-AC5300 says this when you enable WPS.

You can easily connect a WPS client to the network in either of these two ways:

• Method1: Click the WPS button on this interface (or press the physical WPS button on the router), then press the WPS button on the client's WLAN adapter and wait for about three minutes to make the connection.
• Method2: Start the client WPS process and get the client PIN code. Enter the client's PIN code on the Client PIN code field and click Start. Please check the user manual of your wireless client to see if it supports the WPS function. If your wireless client does not support the WPS function, you have to configure the wireless client manually and set the same network Name (SSID), and security settings as this router.

Both of the options require physical input to connect a client.

 

[RandomName23]

Client list on nodes to include band connected to

Would love this in the UI myself. Just FYI, the iOS app does show this if you need it. I'm sure Android is probably the same.

 

[Quad80]

Would love this in the UI myself. Just FYI, the iOS app does show this if you need it. I'm sure Android is probably the same.

Can confirm, Android app shows to which band client is connected.

 

[RandomName23]

Hrre is my bucket list for AiMesh:

Guest accounts working on nodes
Mac filtering by nodes
Being able to schedule reboots of nodes
Client list on nodes to include band connected to
Fix the client listing, never works

Also, for those of you with wishlists make sure you use the feedback function in the router and let them know. I have done this for the guest network and the client list myself.

 

[OzarkEdge]

Also, for those of you with wishlists make sure you use the feedback function in the router and let them know. I have done this for the guest network and the client list myself.

I've been adding them to my install laundry list.

OE

 

[SeeSawSam]

wow. my eyes are tired of reading about what could be learned about WPS with a few simple google searches. Reminder: Search this forum AND THE INTERNET before thinking out loud. Thx. No offense intended, if it sounds like I'm being passively aggressive with my wording.

But while on the subject of WPS, I read a comment here that no one uses it, that its old and outdated, etc. This isn't the world I see around me. I see users everywhere trying to get their cheapo webcams online and WPS is often-times their only path (Bluetooth usually possible too). This is the new norm. I don't like it, but its the reality.

EDIT

Oh and since I no doubt sound like i'm ranting, I may as well rant a small bit. Let's PLEASE toss a thank you or similar niceity when dealing with folks like ArthurLien. Lets please don't drive off our talented insider. Thx all.

 

[Quad80]

wow. my eyes are tired of reading about what could be learned about WPS with a few simple google searches. Reminder: Search this forum AND THE INTERNET before thinking out loud. Thx. No offense intended, if it sounds like I'm being passively aggressive with my wording.

But while on the subject of WPS, I read a comment here that no one uses it, that its old and outdated, etc. This isn't the world I see around me. I see users everywhere trying to get their cheapo webcams online and WPS is often-times their only path (Bluetooth usually possible too). This is the new norm. I don't like it, but its the reality.

EDIT

Oh and since I no doubt sound like i'm ranting, I may as well rant a small bit. Let's PLEASE toss a thank you or similar niceity when dealing with folks like ArthurLien. Lets please don't drive off our talented insider. Thx all.

Dude. I did the searches here and elsewhere. That's where the confusion came from. Calm down. It's not as clear as you might think. There were some worthwhile discussions about a possible security vulnerability in the service, because it doesn't appear to work the way one would expect. I'll refrain from commenting further, as this is generally a very positive and helpful place and I won't be the one to bring it down.

Anyway, I think you'll also see that @arthurlien gets a lot of thanks and appreciation from everyone here, myself included. It's well earned. He's a rockstar. We're all on the same side here, trying to understand what's going on and to identify and fix bugs. @RandomName23, @RMerlin, @OzarkEdge, and others are extremely helpful people and I'm ever thankful for all of their input. But maybe not everyone is as smart as you seem to be about this stuff, so let's just keep that in mind.

 

[RandomName23]

But while on the subject of WPS, I read a comment here that no one uses it, that its old and outdated, etc. This isn't the world I see around me. I see users everywhere trying to get their cheapo webcams online and WPS is often-times their only path (Bluetooth usually possible too). This is the new norm. I don't like it, but its the reality.

For what it is worth Orbi uses push button WPS (they call it a sync button) to connect its nodes as well and you can’t even disable it at all on the main router. It’s definitely still alive and kicking and not really a security issue since it requires physical input.

 

[Quad80]

For what it is worth Orbi uses push button WPS (they call it a sync button) to connect its nodes as well and you can’t even disable it at all on the main router. It’s definitely still alive and kicking and not really a security issue since it requires physical input.

So I'm still reading on WPS. Everyone here says a button must be pressed to initiate a pairing. However, Asus' own FAQ (https://www.asus.com/us/support/FAQ/1010683/) clearly states ASUSWRT must support PIN to be compliant with the WPS standard.

Further, it acknowledges "WPS(Wi-Fi Protected Setup) is a network security standard that attempts to allow users to easily secure a wireless home network but could fall to brute-force attacks if one or more of the network's access points do not guard against the attack."

It says right there that an AP (node) can be vulnerable to brute force attacks. If the node still has WPS enabled (as demonstrated by a wifi scanner) and there is a required PIN option (which is what I assume AP PIN Code is in the settings; an eight digit code that's really 4+3+checksum), then how is it *not* vulnerable to attack? This is Asus' own FAQ from July 2017.

To add to the confusion, you have this FAQ (https://www.asus.com/support/FAQ/1011434), which repeats the idea that a button must be pushed or a client PIN must be entered, but it's from 2015 (so older) and it doesn't say a word about the AP PIN Code setting. I can't seem to find any specific info on this AP PIN Code setting, but I don't know what else it could be (is it just there to be compliant but otherwise not functioning?)

For additional reference, this site (https://routersecurity.org/wps.php) goes into more detail about various issues, including using the WiFi app on Android that I use, to ID networks using WPS (not just WPS capable) signals.

The conclusion users here have is that push button means you must have physical access to the router to activate WPS, but this does not explain the presence of the AP PIN Code.

It also seems that this forum's conclusion is that "that's just how it is, either accept it or stop using it." True enough that any user that believes there is a security concern should move on. However, if the WPS vulnerability is indeed expressed by an AiMesh node keeping it open despite it being disabled at the router settings (regardless of reason), then this should be made known so people are fully aware and can make an informed decision. Otherwise, I find it not much different than the routers of old (e.g., Linksys) where the WPS toggle was effectively useless and WPS remained always on until a firmware update was released (if it ever even was).

I apologise for the wall of text and continued discussion, but contrary to some accusations, I *am* reading up on this topic quite a bit and I still have some concern there is a flaw with this firmware that hasn't been properly addressed yet. This does not take away from the efforts of Arthur or anyone else, but this matter does not feel resolved.

I can understand if people want to block me now. No hard feelings. Ya'll keep being awesome.

 

[OzarkEdge]

But while on the subject of WPS, I read a comment here that no one uses it, that its old and outdated, etc. This isn't the world I see around me. I see users everywhere trying to get their cheapo webcams online and WPS is often-times their only path (Bluetooth usually possible too). This is the new norm. I don't like it, but its the reality.

True enough. I was over generalizing historical usage of WPS. Today, with the rise of cheap and simplified IoThings and the increasing number of next generation consumers buying them, push button networking is as you say, a new norm. Having lived the past, I don't like it either for likely similar reasons.

Ironically, I'm waiting the arrival of my first such Thing and will be pushing its WPS button, no doubt. I have mixed feelings about it, and much distrust. But I could not resist clever and cheap. And I wish I had a working 2.4 GHz guest network on my AiMesh node to keep it quarantined.

So there you have it... we've successfully argued the IoT case for AiMesh guest networking on every node... a new norm.

OE

 

[SeeSawSam]

quad80, thx for "refraining". I see you slipped a bit later but I forgive you. now, onward and upward. OE, I loved your first paragraph. Perfectly stated.

 

[slimwallet]

My user-defined qos rules kept on disappearing. Do anyone have the same problem? All other settings stays but qos rules randomly just erase itself. (RT-AC86U)

 

[RandomName23]

So I'm still reading on WPS. Everyone here says a button must be pressed to initiate a pairing. However, Asus' own FAQ (https://www.asus.com/us/support/FAQ/1010683/) clearly states ASUSWRT must support PIN to be compliant with the WPS standard.

Further, it acknowledges "WPS(Wi-Fi Protected Setup) is a network security standard that attempts to allow users to easily secure a wireless home network but could fall to brute-force attacks if one or more of the network's access points do not guard against the attack."

It says right there that an AP (node) can be vulnerable to brute force attacks. If the node still has WPS enabled (as demonstrated by a wifi scanner) and there is a required PIN option (which is what I assume AP PIN Code is in the settings; an eight digit code that's really 4+3+checksum), then how is it *not* vulnerable to attack? This is Asus' own FAQ from July 2017.

To add to the confusion, you have this FAQ (https://www.asus.com/support/FAQ/1011434), which repeats the idea that a button must be pushed or a client PIN must be entered, but it's from 2015 (so older) and it doesn't say a word about the AP PIN Code setting. I can't seem to find any specific info on this AP PIN Code setting, but I don't know what else it could be (is it just there to be compliant but otherwise not functioning?)

For additional reference, this site (https://routersecurity.org/wps.php) goes into more detail about various issues, including using the WiFi app on Android that I use, to ID networks using WPS (not just WPS capable) signals.

The conclusion users here have is that push button means you must have physical access to the router to activate WPS, but this does not explain the presence of the AP PIN Code.

It also seems that this forum's conclusion is that "that's just how it is, either accept it or stop using it." True enough that any user that believes there is a security concern should move on. However, if the WPS vulnerability is indeed expressed by an AiMesh node keeping it open despite it being disabled at the router settings (regardless of reason), then this should be made known so people are fully aware and can make an informed decision. Otherwise, I find it not much different than the routers of old (e.g., Linksys) where the WPS toggle was effectively useless and WPS remained always on until a firmware update was released (if it ever even was).

I apologise for the wall of text and continued discussion, but contrary to some accusations, I *am* reading up on this topic quite a bit and I still have some concern there is a flaw with this firmware that hasn't been properly addressed yet. This does not take away from the efforts of Arthur or anyone else, but this matter does not feel resolved.

I can understand if people want to block me now. No hard feelings. Ya'll keep being awesome.

If you are that concerned go buy a $20 WPS capable wifi adapter and test things out or run the NVRAM commands to turn it off. Pin based WPS is the only WPS standard there is but it is insecure because it can be brute forced which is why a lot of routers don't implement it (they implement push button WPS instead or client pin). Nobody said Asus is WPS compliant, they just offer WPS implementations...big difference. Anyways, this has been explained many times. There is no security risk here, move on.

 

[Quad80]

If you are that concerned go buy a $20 WPS capable wifi adapter and test things out or run the NVRAM commands to turn it off. Pin based WPS is the only WPS standard there is but it is insecure because it can be brute forced which is why a lot of routers don't implement it (they implement push button WPS instead or client pin). Nobody said Asus is WPS compliant, they just offer WPS implementations...big difference. Anyways, this has been explained many times. There is no security risk here, move on.

Can you please explain what AP PIN Code is? I searched and can't find a direct explanation. The GUI doesn't explain it, the FAQs don't either.

 

[Eric Lieb]

Anyone else have an issue with openvpn on this firmware? If I select to redirect lan and internet on a tap openvpn connect then the clients internet won't work. Never had this problem on merlinwrt... Also wish they would allow more than 1 openvpn server instance

 

[RandomName23]

Can you please explain what AP PIN Code is? I searched and can't find a direct explanation. The GUI doesn't explain it, the FAQs don't either.

Most likely if you are setting the device up as an AP and you are using the Client Pin Code WPS option then you would enter that pin into the main router during WPS discovery.
Just to muddy your waters more, there is also NFC WPS which is I believe what Aimesh uses to setup the nodes and why the nodes have to be in close proximity to the main router during initial setup.

 

[Quad80]

Most likely if you are setting the device up as an AP and you are using the Client Pin Code WPS option then you would enter that pin into the main router during WPS discovery.
Just to muddy your waters more, there is also NFC WPS which is I believe what Aimesh uses to setup the nodes and why the nodes have to be in close proximity to the main router during initial setup.

Yes, I've read up on NFC, too, though you might think this would be documented somewhere if it we're what Asus was using for setup.

Your guess sounds plausible about the PIN, but I was also hoping there would be some documentation that would spell it out. If there is, I can't seem to find it.

I know I'm pushing buttons (pun not intended) but I feel it important to exhaust this, as security is ever more important these days.

For the record, I realized just now my new work printer has WPS capabilities, but apparently not the kind where I can enter a PIN into it, just the push button. Maybe I have a legacy device buried somewhere in my basement that supports it. I'll have to look.