[VERY IMPORTANT] Asus routers are compromised.

You can create privacy: make an appointment on the wide open beach and discuss your business there :)

Are you sure of that? Remember we all carry highly sophisticated mobile devices with us all the time. Some claim they can remotely activate the microphone. And above us are satellites with very high definition cameras and who knows maybe even unidirectional microphones.

I am not too worried, Google knows us better than we do and the agency - well I'll leave it at that.

I extremely like what we can do with our simple routers. My Asus RT-AC66U brings much joy with the help of you guys, especially RMerlin.
 
FTP was enabled in the "No account required" mode... effectively opening your router to the world!

Always use safe password/account combos when connecting a device to the internet!

Default open FTP is madness.

Just to be clear, FTP comes enabled without authentication by default. /That/ is what is madness.
 
The problem also is that people want...try...beg...force the world for all kind of "weird" features. Read those forums, read the many questions and read between the lines the knowledge level of the one who is asking.
A simple, straightforward, robust router (nothing more) costs half or a third of the Asus devices...but "we" tend to compare the number of features and go for more features for a lower price.
I agree with Merlin: make a robust, ugly router with an excellent range and with a minimal GUI. This will work for 99% of the average households.
 
Wow, I feel like it's a roll of the dice with firmware on the RT-AC66U; I feel like I am playing Russian roulette.
Just my .02 worth.

Chris
 
I feel that this issue is overblown, to be honest.

Basic practices should be followed: if you don't know about something, do your research or hire a professional you trust to either inform you fully, or set up the device or service that you think you need.

In one way, I am impressed with whoever is on the net putting this text file into improperly set-up routers (but I'd be worried that they are only putting this text file in others' systems).

An analogy would be complaints against Mustang GTs or Camaros (Porsches, Ferraris and Lambos also apply here) that have too much power for the average driver.

Complaining and asking to be governed by a manufacturing entity like Asus, Netgear, etc. is not the solution. Learning and education are.
 
Nothing is being overblown. You probably think it's being overblown because you are extremely loyal to Asus as evidenced by many of your past posts.
 
No, not loyal to Asus or any other manufacturer if you read my post fully.

Besides, I have only owned Asus routers for less than a year. :rolleyes:

I am loyal to products that perform as they should, and it doesn't seem like these are misbehaving. The issue, as it is 99% of the time, is the user.

Learn to use the device. Simple. If you don't understand it fully - the solution is not to be asking to be handheld to the nth degree. We are adults here, right?
 
You have no idea what you're talking about because you don't understand the issues. You're just babbling trying to defend Asus. Impossible to have a rational conversation with you due to your intense loyalty to Asus and lack of understanding.
 
How can we delete this file?
 
You have no idea what you're talking about because you don't understand the issues. You're just babbling trying to defend Asus. Impossible to have a rational conversation with you due to your intense loyalty to Asus and lack of understanding.


You are not providing anything resembling a coherent conversation. :confused:

Why do you bother responding other than to belittle me? :mad:

If you can't provide any valid counterpoints to my statements, then please don't respond at all.
 
Ok, so long as I configure the router correctly (do not leave anonymous ftp on) nothing to worry about.


Yes, that would be my take on this so hard to understand issue. ;)
 
Ok, so long as I configure the router correctly (do not leave anonymous ftp on) nothing to worry about.

Where does one turn off anonymous FTP? The only FTP I found in the N66 was already disabled by default. Or am I missing something again? I did disable JFFS that was enabled by default. 39_0-em. I only use my router to route and never use USB, VPN, JFFS, AiCloud, Samba, etc. I do use IPv6 and that is buggy on this version, at least with Comcast.
 
Which is why I asked earlier today in this thread 'Are you saying our routers with default settings are vulnerable?' I think the answer is no - but waiting for someone to confirm.

39_0-em works fine for IPv6 on Comcast for me.
 
To give you a partial answer: if no extra features are used (such as a USB drive, for example) then the defaults should be secure enough.
 
I think the reason why L&LD says this thread is getting overblown is that, if one reads the original post, it's written there that FTP was configured with no account being required for access. That means he had Anonymous access enabled.

This is overblown for the following reason:

1) The only issue there is that Asuswrt had an insecure default setting (FTP enabled by default)

2) This can be resolved by anyone simply by disabling or reconfiguring their FTP access

3) The matter of the default FTP setting being too permissive has already been fixed by Asus in a recent firmware update released a few weeks ago.

No need to get into a 4+ pages debate and having people launching personal attacks against one another over this. The bottom line is, Asus left a default setting to an unsafe value, and they have already addressed the issue.
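
A self-check for the setting discussed in this post, added here as an example (it is not part of the thread or of Asus's firmware): it attempts one anonymous FTP login against an address you supply, meaning your own router, and reports whether the service is closed, requires an account, or accepts a login with no account. The function name and the status labels are made up for this example.

```python
import ftplib
import sys


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Try one anonymous login against host:port and classify the outcome.

    status values:
      closed         - no TCP answer (FTP off, or the port is filtered)
      auth_required  - FTP answered but refused the no-account login
      anonymous_open - FTP accepted a login with no account (the unsafe setting)
      error          - something answered, but not with a usable FTP dialogue
    """
    result = {"host": host, "port": port, "status": "closed", "detail": ""}
    ftp = ftplib.FTP()
    try:
        try:
            result["detail"] = ftp.connect(host, port, timeout=timeout)
        except OSError as exc:  # refused, unreachable or timed out
            result["detail"] = str(exc)
            return result
        # ftplib's login() default is user "anonymous", password "anonymous@"
        result.update(status="anonymous_open", detail=ftp.login())
    except ftplib.error_perm as exc:  # 5xx reply, e.g. 530 Not logged in
        result.update(status="auth_required", detail=str(exc))
    except (OSError, EOFError, ftplib.Error) as exc:
        result.update(status="error", detail=str(exc))
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    # Usage: python check_ftp.py <your-router-address> [port]
    if len(sys.argv) < 2:
        sys.exit("usage: check_ftp.py <your-router-address> [port]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    report = check_anonymous_ftp(sys.argv[1], port)
    print("{host}:{port} -> {status} ({detail})".format(**report))
    # Non-zero exit code only when the unsafe setting is detected
    sys.exit(1 if report["status"] == "anonymous_open" else 0)
```

Run it against the router's LAN address, and again from an outside connection against your own WAN address, since a result from inside the LAN does not show what is reachable from the Internet.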
 
This is not overblown for the following reason.

1. It's a pattern of behavior from Asus which includes the AiCloud vulnerability, the unfathomable/unprecedented port 445 vulnerability, the FTP vulnerability and the port 80 vulnerability, and there is no auto firmware update, and average "consumers" and small offices are buying and using these routers.

For anyone reading this, they are not even mentioning the port 445 vulnerability or port 80 vulnerability, so whether or not certain posters on this forum are biased is up to you to decide.

http://www.cvedetails.com/vulnerability-list/vendor_id-3447/Asus.html

Here's a post from a non-noob Linux/Asus user that had no idea his port 445 was open on the WAN. It's not like "noobs" are the only ones being blindsided by these mind-blowing vulnerabilities. Why didn't any one of his fellow forum members responding to his post even bother to tell him that his port 445 might be open?

http://forums.smallnetbuilder.com/showthread.php?p=101458#post101458
 
For anyone reading this, they are not even mentioning the port 445 vulnerability or port 80 vulnerability, so whether or not certain posters on this forum are biased is up to you to decide.

http://www.cvedetails.com/vulnerability-list/vendor_id-3447/Asus.html

Have you looked at the other manufacturers, out of curiosity?

http://www.cvedetails.com/vulnerability-list/vendor_id-834/Netgear.html
http://www.cvedetails.com/vulnerability-list/vendor_id-9740/Dlink.html

Point being, this is not something exclusive to Asus. As I said previously, security seems to be very secondary for all those home gateway manufacturers. This is something they will ALL have to address at some point. Allowing port 445 to remain accessible over WAN is no more acceptable (or unacceptable) than backdoors left in the code by DLink.

Singling out Asus here is missing the point. Router manufacturers need to stop treating these home gateways as home gadgets, and start treating them more like security appliances, which is what they primarily are. ALL of them.
 
This is not overblown for the following reason.

1. It's a pattern of behavior from Asus which includes the AiCloud vulnerability, the unfathomable/unprecedented port 445 vulnerability, the FTP vulnerability and the port 80 vulnerability, and there is no auto firmware update, and average "consumers" and small offices are buying and using these routers.

For anyone reading this, they are not even mentioning the port 445 vulnerability or port 80 vulnerability, so whether or not certain posters on this forum are biased is up to you to decide.

http://www.cvedetails.com/vulnerability-list/vendor_id-3447/Asus.html

Here's a post from a non-noob Linux/Asus user that had no idea his port 445 was open on the WAN. It's not like "noobs" are the only ones being blindsided by these mind-blowing vulnerabilities. Why didn't any one of his fellow forum members responding to his post even bother to tell him that his port 445 might be open?

http://forums.smallnetbuilder.com/showthread.php?p=101458#post101458

Automatic firmware updates on consumer routers would be an insanely bad idea,
and I agree the stock-Asus firmware is complete ANUS and anybody that buys this level of router should not be running stock firmware anyway.
 
