SOHOpelessly Broken contest finds vulnerabilities in ASUS RT-AC66U

[LoneWolf]

Interesting article regarding a contest at this year's DefCon:

http://www.computerworld.com/s/arti...lities_reported_during_router_hacking_contest

Seven attacks resulted in full compromises and these were performed against the ASUS RT-AC66U, the Netgear Centria WNDR4700 (which suffered two separate hacks), the Belkin N900, the TRENDnet TEW-812DRU and a router made by Actiontec Electronics and provided by Verizon Communications to its subscribers.

 

[ddarko]

It's not exactly a surprise that smart and determined hackers can break security. However, this is the discouraging part of the article:

One interesting aspect is that only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition.

This failure to patch vulnerabilities across product lines is completely on the vendors and suggest that their internal bug management processes is broken.

 

[roscolo]

Can't speak to the other routers, but in the case of the RT-AC66u, they "hacked" months old, not-up-to-date firmware.

 

[F5ing]

Can't speak to the other routers, but in the case of the RT-AC66u, they "hacked" months old, not-up-to-date firmware.

That's the same info I saw about this a couple/three days ago. Found the article via a link from Sans ISC. The article mentioned no specifics on the hacks and the links contained in the article didn't reveal much of anything either.

 

[Widmark]

Can't speak to the other routers, but in the case of the RT-AC66u, they "hacked" months old, not-up-to-date firmware.

Which version was hacked and is there any reason to believe the vulnerability(s) was(were) patched in the latest official release (ver 3.0.0.4.376_1123)?

If answer to last question is no, does anybody know if Merlin is any more or less secure against these hacks?

I think the AC66u is in wide use since it has been a good router, but perhaps that makes it more vulnerable to attack since it offers more targets for hackers and is worth their time.

 

[KGB7]

I'm not surprised at all. These routers are mass produced to make the most profit in a shortest period of time, then move on to a next product.

Even high end products get hacked that are used by financial institutions and Governments around the globe.

 

[F5ing]

It's been a few days since I read the articles on this so I don't if any new details have surfaced.

But I really wonder about how they go about doing these contests. Are these brand new, out of the box routers they install and commence to hack? Beside the fact the routers may or may not have up to date firmware, are they even bothering to configure them securely before hacking? Default Admin user name and password, WAN access enabled for Admin/SSH/telnet, unsecured wifi networks, WPS enabled, etc...?

 

[KGB7]

It's been a few days since I read the articles on this so I don't if any new details have surfaced.

But I really wonder about how they go about doing these contests. Are these brand new, out of the box routers they install and commence to hack? Beside the fact the routers may or may not have up to date firmware, are they even bothering to configure them securely before hacking? Default Admin user name and password, WAN access enabled for Admin/SSH/telnet, unsecured wifi networks, WPS enabled, etc...?

Let me put it in lamen firms. If you went to a Defcon, I highly recommend you don't bring any electrictronic devices with you. If own a VHS player, keep it at home in a fire proof safe. As hackers that attend Defcon will hack your VHS player from 10yards away.
If you have a pacemaker, leave it home as they to will hack it.
Many of these people are on FBI watch list if FBI knows they exist. If Einstein was a hacker, Defcon is filled with such people.

To answer your question. Highest security was put in place for each router as it allows it.
Think of it as a Manhattan project.

 

[Widmark]

Firmware version

Unless the vulnerability of the routers in this hackathon was a result of a flaw in the chip design that is unfixable by firmware update, then they should always disclose the firmware version tested with each router. That tells us which firmware to avoid if not the router itself, and once the router manufacturer and its customers are on publicly on notice about the flawed firmware version, it's easier to track progress, or lack thereof. Then folks can make intelligent decisions about which router to own.

Releasing unsecurable routers is a material defect and even the cheapest routers should be secure, or made secure quickly through firmware updates. There should be standards for routers like HIPPA for medical records or lemon laws for cars. If you have an unfixed security flaw in the first few years of the routers life, it should be returnable as a lemon.

I bought the AC66U to replace a Linksys router that I don't believe ever had more than 2 firmware updates even after it was known to be flawed in implementation of WPS disabling and UPnP. The AC66u firmware is periodically updated and I had checked this before buying. Also, there is Merlin firmware. That's why it shocked me that ASUS routers in the hackathon were completely compromised, as opposed to a limited breach. ASUS seems like the only manufacturer of consumer grade routers who actually supports them after the sale.

 

[F5ing]

Yeah, it was a bad post.

Let me put it in lamen firms. If you went to a Defcon, I highly recommend you don't bring any electrictronic devices with you. If own a VHS player, keep it at home in a fire proof safe. As hackers that attend Defcon will hack your VHS player from 10yards away.
If you have a pacemaker, leave it home as they to will hack it.
Many of these people are on FBI watch list if FBI knows they exist. If Einstein was a hacker, Defcon is filled with such people.

Well aware of all the hacking that goes on there. Again, it was a bad post for this particular thread, considering where the contest was held.

To answer your question. Highest security was put in place for each router as it allows it.
Think of it as a Manhattan project.

Did you see that in the article (or contained links)? I didn't see it. And one of the linked articles suggested users do the standard security stuff with passwords, WPA2, etc.

I guess my point was that hacking/vulnerability articles, in general, lack the details the general public can use to help themselves. So many are click-bait BS (again, not necessarily this one).

 

[Richard1864]

The hackathon rules required the routers to have latest firmware, so there was no out-of-date firmware on any of the routers.

Asus already has update planned for the 66U fixing the flaws, due out in next 7-10 days or so.

No such thing as a completely secure router as all firmware has holes; just doesn't mean they've been found yet.

WPA3 is due out in next 3 months due to multiple unpublished flaws in WPA2. One advantage to WPA3 is that all connected devices use VPN to the router at maximum device encryption; i.e., Windows and Android devices out of the box at 128-bit encryption VPN, Apple and other devices with Unix-based OSes with 512-bit VPN. Each device works with router to generate new 30-50 character network passwords every 30 seconds after initial connection.

WPA3 pre-release already built into iOS 7.1.2 and later, and Android 4.4.4 and later. Can't be used or accessed yet since no routers able to use it yet. Will be part of Windows 9. Microsoft won't make it part of Windows 8.1 or earlier, don't know why.

 

[F5ing]

Will be part of Windows 9. Microsoft won't make it part of Windows 8.1 or earlier, don't know why.

I think they've given up on promoting Windows 8.x and are focusing almost exclusively on 9. I think there's a fairly good chance that sometime after 9 comes out they'll include it in an update to 8. After all, 8 will still be in mainstream support (until Jan 2018 patch Tuesday) by the time 9 comes out.

 

[Widmark]

The hackathon rules required the routers to have latest firmware, so there was no out-of-date firmware on any of the routers.

Asus already has update planned for the 66U fixing the flaws, due out in next 7-10 days or so.

No such thing as a completely secure router as all firmware has holes; just doesn't mean they've been found yet.

If ASUS patches the flaws well in that time that's another reason to buy one of their routers.

On the other hand, the 66U was completely opened up in a very short time frame. True, no router is secure... But opening it up quickly and completely is a disgrace lets face it. If that was your router opened up with sensitive data stolen you would be very very unhappy.

 

[sinshiva]

can anybody at least say *WHAT* was vulnerable? lol

the only possible remote access vector i can think of would pertain to aicloud. of course, people could expose http/https/ssh to the wan. people would like to know, at least, what they should NOT expose to the wan...

nobody has given any details as to what the configuration looked like for the contest. do they not want to admit they were using webadmin port 80 wan-side?

 

[Richard1864]

can anybody at least say *WHAT* was vulnerable? lol

the only possible remote access vector i can think of would pertain to aicloud. of course, people could expose http/https/ssh to the wan. people would like to know, at least, what they should NOT expose to the wan...

nobody has given any details as to what the configuration looked like for the contest. do they not want to admit they were using webadmin port 80 wan-side?

They haven't published that information yet. They could have gotten in via Telnet, the UI, firewall,,...we don't know.

 

[roscolo]

The hackathon rules required the routers to have latest firmware, so there was no out-of-date firmware on any of the routers.

The firmware they "hacked" for the RT-AC66U was 5517, a few months old. The latest is 1123 released July 7, 2014. Can't speak to the other routers, but the firmware they stated in the rules for the RT-AC66U required 5517, and so was indeed out-of-date.

 

[RMerlin]

Just to ensure there isn't any confusion, there were actually two different events there:

- One "Capture-the-flag" event where they used KNOWN vulnerable routers. One of the test subject was an RT-AC66 running an 18 months old firmware (I forgot the exact version they used).
- One where they tested routers with up-to-date firmwares.

The initial post in this thread referred to the latter, so the tested router was supposed to be running the latest firmware available at that time for that particular model.

Unfortunately as pointed out, it's hard to know what actually was compromised with the Asus router in particular, whether it was an issue already patched on other models with newer firmwares or not.

Having observed Asus going through a frenzy of security-related updates last spring, I'm not too worried however. I'm pretty sure Asus will resolve any new vulnerability once they get the complete disclosure. Their track record at updating even older products is fairly good.

My personal opinion: Asuswrt has both advantages and flaws versus competitors.

Advantages:
- Firmware is developed in-house, so no surprise from some dirty external developer (which is what happened with the DLink backdoor - firmware was developed by Alpha Networks, so DLink most likely had no knowledge of it)
- Unified codebase, so a security fix done for an RT-AC87U can trickle all the way down even to years-old RT-N16s or RT-N12.
- No "open management API" of any kind (that was an attack vector with Linksys)
- The vast majority of the source code is available for review (unlike for example Linksys)

Disadvantages:
- The old Tomato code combined with all the conditional code Asus added to support different models is getting a bit messy, and difficult to maintain/audit
- AiCloud is an open door to the outside, with its guts being closed source, so they can't be analyzed by security experts

Mixed-bag:
Just like other manufacturers, Asus isn't always very proactive in updating components. They now regularly update some components such as radvd and dnsmasq, and they also started updating openssl to keep up with recent security fixes, however other bits like Busybox or vsftpd are quite old. Miniupnpd hasn't been updated by them either, but I am not aware of any security issue that was fixed after the version they are currently using.


My personal advice:

If you are worried about security, then I'd recommend keeping AiCloud and WAN remote management disabled, as these are the most sensitive bits, being WAN-exposed. I'm not too worried about UPnP because at that point, if something can manipulate your router through UPnP, then it means you are ALREADY compromised anyway, so you have other problems to resolve. I would also recommend against using the USB disk sharing for anything sensitive. Your MP3 collection might be fine, but don't put your personal bedroom adventures videos on there. Just in case.

 

[RMerlin]

WPA3 is due out in next 3 months due to multiple unpublished flaws in WPA2. One advantage to WPA3 is that all connected devices use VPN to the router at maximum device encryption; i.e., Windows and Android devices out of the box at 128-bit encryption VPN, Apple and other devices with Unix-based OSes with 512-bit VPN. Each device works with router to generate new 30-50 character network passwords every 30 seconds after initial connection.

WPA3 pre-release already built into iOS 7.1.2 and later, and Android 4.4.4 and later. Can't be used or accessed yet since no routers able to use it yet. Will be part of Windows 9. Microsoft won't make it part of Windows 8.1 or earlier, don't know why.

You have any source for this information? The VPN bit for instance makes no sense to me. Encryption is what it is, you don't need to add the overhead of a full-blown VPN protocol on top of it, it will already be secure if you encrypt all the actual traffic, and have a solid method of exchanging keys.

Key rotation is already part of WPA2, most routers default to a 3600 seconds rotation.

 

[KGB7]

can anybody at least say *WHAT* was vulnerable? lol

the only possible remote access vector i can think of would pertain to aicloud. of course, people could expose http/https/ssh to the wan. people would like to know, at least, what they should NOT expose to the wan...

nobody has given any details as to what the configuration looked like for the contest. do they not want to admit they were using webadmin port 80 wan-side?

And you won't see what was vulnerable....if ever. As it will encourage every wood works hacker to hack every single router. Even after all the issues have been fixed, the list won't be publicly published, because majority of router owners, don't update their routers firmware on regular basis. Thus Asus has to protect all the customers and the backlash they might get from same customers down the road.

Some one might leack the info to the web so the public is aware of the issues. But only time will tell.

If.you worried about being hacked, then keep all your home videos on external drive in a fire proof safe.
As an old saying goes: most problems are caused by the idiot behind the keyboard.

 

[RMerlin]

And you won't see what was vulnerable....if ever. As it will encourage every wood works hacker to hack every single router. Even after all the issues have been fixed, the list won't be publicly published, because majority of router owners, don't update their routers firmware on regular basis. Thus Asus has to protect all the customers and the backlash they might get from same customers down the road.

Some one might leack the info to the web so the public is aware of the issues. But only time will tell.

CVE gets publicly disclosed after a certain period of time, so yes, people will eventually know what was the issue, usually some time after the manufacturer has released a fix. Also since the firmware is open source, a diff of the source code will allow someone to track down any security changes. For instance, I can tell that a lot of potential buffer overruns were fixed by Asus in the past 6 months, based on numerous sprintf() calls being replaced with snprintf() (which are size-limited).