Possible security issue with RT-N66U?!?

vidarw

New Around Here
Hi,
The case: Did some experimenting on shodanhq.com to have a look at possible security issues for my own RT-N66U router.

My findings are not very uplifting:

A basic search for "RT-N66U" reveals 50 000 units being available on the internet. Approx. 5% of tested units will give you access with admin:admin login.

Common factor for all of the open routers is that "Enable Telnet" and "Enable Web Access from WAN" are set to "No". When you check the firewall settings, it looks like the "Enable Firewall" also is set to "No".

With these settings the way they are, I'm pretty sure that anonymous WAN access with default credentials wasn't intended. And since the routers are not accessible by telnet protocol, I therefore assume that the HTTP access setting is some kind of flawed and listens to all ports. And that the "Enable Web Access from WAN" setting is based on firewall rules. Totally wrong in my opinion (as this setting should configure listening devices in the webserver, not updating your firewall).

My next concern is that the firewall might be disabled by default on these devices (or at least very easy to disable by accident). I'm currently running Tomato on my router, and not very keen to reflash it due to my previous problems related to flashing Tomato.
Could someone with the default firmware (or merlin builds) please do me the favor to factory reset them and see what state the firewall is in after running the initial "Quick Setup"? (you can save/restore your old settings under Administration -> Restore/Save/Upload Setting).

Possible problematic firmwares:

3.0.0.4.374_720
3.0.0.3.90
 
Why does something like the stats you provide concern you?

Nobody is going to do a factory restore to defaults just to tell you what the defaults are?

Just flash to RMerlin's build, ensure that the firewall is enabled and you should be good, no?
 
The firewall is definitely enabled by default. As for the default login, the wizard will specifically ask you to enter a new password, and Asus has even added a password strength display to help people choose a secure password.

The problem isn't the firmware's security. Those are mostly user-caused issues, or possibly routers that (accidentally?) got reset back to factory defaults, and nobody ever noticed it.

I've seen quite a few users totally disable the firewall BTW, because this and that said they should disable any firewall for their online games to work better. There is nothing Asus or anyone else can do about this.

When it comes to security, the weakest link is ALWAYS the end-user. Be it through social engineering or lack of understanding what they are doing, manufacturers and developers simply cannot protect against these types of security holes.
 
Thank you for your answer Merlin. At least good to know that the firewall is supposed to be enabled by default. Even for the people who just run through the wizard without setting a proper password. :)

But I'm still puzzled by why the "Enable web access" only modifies the firewall rules (mainly because the settings are found in Advanced_System_Content.asp instead of Advanced_BasicFirewall_Content.asp). I assumed (at least until yesterday) that these settings were NOT directly dependent on the firewall but modified the httpd (and sshd) binding rules.

Shouldn't the httpd be configured so that it is independent from the firewall?
Or at least the web interface be updated so the users are some kind of aware of the connection?

This leads me to another question. I've asked questions about the guest network feature before. And it looks like ASUS implements this in the firewall.
Is the guest network feature also insecure when disabling the firewall?
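
The difference raised in this post, between limiting a service by its listening address and limiting it only with firewall rules, shown as an added example (not from the thread and not ASUS firmware code). Assumption: the loopback addresses 127.0.0.1 and 127.0.0.2 stand in for the router's LAN-side and WAN-side addresses, which works on Linux where all of 127.0.0.0/8 is local.

```python
import socket

LAN_ADDR = "127.0.0.1"  # assumed stand-in for the LAN-side address
WAN_ADDR = "127.0.0.2"  # assumed stand-in for the WAN-side address


def reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure(bind_addr):
    """Start a listener on bind_addr and report which sides can reach it.

    No packet filter is involved, so the result is what an admin service
    looks like when the firewall is switched off.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return {
            "lan": reachable(LAN_ADDR, port),
            "wan": reachable(WAN_ADDR, port),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    # Bound to the LAN address only: the WAN side is refused by the
    # TCP stack itself, with or without firewall rules.
    print("LAN-only bind:", exposure(LAN_ADDR))
    # Bound to the wildcard address: every local address answers, so a
    # firewall rule is the only thing keeping the WAN side out.
    print("wildcard bind:", exposure("0.0.0.0"))
```

With the wildcard bind, disabling the firewall exposes the service on the WAN-side address; with the LAN-only bind it does not.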
 
I can verify for a fact that the firewall for both v4 and v6 Merlin build are indeed enabled by default.
 