What's new

SOHOpelessly Broken 2.0

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

WiFiNemesis

Regular Contributor
"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries."

Looks to be a well-documented report from ISE: vulnerabilities found in ASUS RT-AC3200, Netgear Nighthawk R9000, and several NAS products.

SOHOpelessly Broken 2.0

Among the conclusions...

"We have seen that the vendors of Internet of Things devices have increased their presence in the security community, albeit without any substantial increases to device security. "
 
At least they worked with Asus to fix the bugs. :)
Version 3.0.0.4.382.51374

2019/01/18

ASUS RT-AC3200 Firmware version 3.0.0.4.382.51374
Security fixes
- Fixed CVE-2018-14710, CVE-2018-14711, CVE-2018-14712, CVE-2018-14713, CVE-2018-14714. Thanks for Rick Ramgattie's contribution.
 
"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries."

Looks to be a well-documented report from ISE: vulnerabilities found in ASUS RT-AC3200, Netgear Nighthawk R9000, and several NAS products.

SOHOpelessly Broken 2.0

Among the conclusions...

"We have seen that the vendors of Internet of Things devices have increased their presence in the security community, albeit without any substantial increases to device security. "
Do not use a consumer router because they are insecure. Only use a business class router with vetted and updated firmware. That's why most of you are subject to invasion. This dead site has no advice on security, except possibly the old PfSense article. Openwrt is updated, pfsense is ok, mr. super expert says Peplink, Turris Omnia, and Draytek. Everything on this site is consumer junk, so is cisco. Beware. Get your routing knowhow elsewhere to survive router insecurity. asus is junk, netgear is junk, merlin is junk!
 
I can't speak about the other devices they checked, but for their reported Asuswrt issues, this report is nothing but clickbait. The whitepaper dated today reports findings in a firmware released in January 2018 (nearly two years old), and which were already fixed almost a year ago.

What's next, will they publish a report on security issues found in Windows Vista?
 
Do not use a consumer router because they are insecure. Only use a business class router with vetted and updated firmware. That's why most of you are subject to invasion. This dead site has no advice on security, except possibly the old PfSense article. Openwrt is updated, pfsense is ok, mr. super expert says Peplink, Turris Omnia, and Draytek. Everything on this site is consumer junk, so is cisco. Beware. Get your routing knowhow elsewhere to survive router insecurity. asus is junk, netgear is junk, merlin is junk!

Cisco tracks it and reports all the vulnerabilities on their web site for each piece of small business hardware. They write fixes for all hardware still being supported. Cisco also posts work arounds until the code is fixed. Cisco is aware of what is going on. So I believe you are wrong. Yes Cisco pro gear is better but is too expensive for home use. I do like IOS better.

Cisco layer 3 switches are great for the price. I don't think you can beat them.
 
This report is BS. The Asus CVEs they report were already fixed a year ago...
Yeah, that's what I thought. Not sure why everyone is in a tizzy. And why is it being reported now? 3.0.0.4.382.50010 is well over a year ago...
 
Yeah, that's what I thought. Not sure why everyone is in a tizzy. And why is it being reported now?

Because a lot of "security researchers" are more interested in the mass publicity to sell their professional services than in genuinely trying to help the software world become a safer place for everyone. Find a catchy names, then rush to a few public outlets. Then general news sites who do zero validation of the information will just keep parroting the report. And you get what you have here. A lot of people suddenly thinking that their router/NAS is a security disaster.

Linus Torvalds had quite a few choice words about today's security researchers a year or two ago...

I only validated their Asus findings (which were made on a firmware released in January 2018 - 21 months ago), but I wouldn't be surprised if their reports for the other manufacturers were mostly just as outdated.
 
Because a lot of "security researchers" are more interested in the mass publicity to sell their professional services than in genuinely trying to help the software world become a safer place for everyone. Find a catchy names, then rush to a few public outlets. Then general news sites who do zero validation of the information will just keep parroting the report. And you get what you have here. A lot of people suddenly thinking that their router/NAS is a security disaster.

Linus Torvalds had quite a few choice words about today's security researchers a year or two ago...

I only validated their Asus findings (which were made on a firmware released in January 2018 - 21 months ago), but I wouldn't be surprised if their reports for the other manufacturers were mostly just as outdated.

Asus isn't exactly slow to react, either; before I even knew Merlin existed, I was drawn to Asus for their open-source aspect. I got sick and tired of other manufacturers leaving gigantic holes and never patching a $300 router. Routers made by some of the 'big manufacturers' aren't patched ever; imagine using a combo unit from your cable company? Was surprised to see Asus thrown under the bus, figured I'd share here.
 
And one reason why it bothers me so much is because I have to waste a good amount of time and energy every time such reports come out to a) validate them, and b) reassure the end-users if it turns out there is nothing to worry about.

Mind you, I'm not blaming you or any other regular end-user reaching to me asking me about this, but I blame the original researchers, and the media outlets reposting the news with no proper validation, often putting their own dramatic spin on top of it to make it into even more attractive clickbaits.

I actually forwarded that info to one of my contacts at Asus who deals with actual security issues, a couple of days ago. He said he would look into it.
 
I got sick and tired of other manufacturers leaving gigantic holes and never patching a $300 router. Routers made by some of the 'big manufacturers' aren't patched ever; imagine using a combo unit from your cable company? Was surprised to see Asus thrown under the bus, figured I'd share here.

Asus used to be just as bad as most of them (tho not as bad as that manufacturer who frequently got caught with backdoors in their routers). It's only after the AiCloud disaster (which was internally dubbed "Asusgate") and the FTC settlement that they started taking it more seriously.

These days they are doing a pretty good job at handling any reported issues.

In a few recent cases the reporter who found a flaw would contact me first (since I'm quite visible within the community), and I'd put him in touch with the proper contact back at Asus HQ. And usually we'd both hear back within a few days about their own investigation. As far as I can remember, all reported issues were taken care of, and fixed in the next firmware release (unless they were found out not to be exploitable issues - it has happened once or twice).
 
And one reason why it bothers me so much is because I have to waste a good amount of time and energy every time such reports come out to a) validate them, and b) reassure the end-users if it turns out there is nothing to worry about.

Mind you, I'm not blaming you or any other regular end-user reaching to me asking me about this, but I blame the original researchers, and the media outlets reposting the news with no proper validation, often putting their own dramatic spin on top of it to make it into even more attractive clickbaits.

I actually forwarded that info to one of my contacts at Asus who deals with actual security issues, a couple of days ago. He said he would look into it.

Oh I don't care, I don't take it personally. If you take things on the internet personally, might as well just unplug your modem. I sense the frustration and it appears that it is founded. I wasn't even really asking a question, albeit I formed it as one. I looked at the date of the firmware image in question AFTER I posted here, and started scratching my head as to why on earth it was "news" for Asus.

I am no router expert (I'm a DNS guy!); by a stroke of luck I found Asus a few years ago.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top