[VERY IMPORTANT] Asus routers are compromised.


As mentioned before: that's not gonna happen, for a lot of reasons.

1) Some updates require a factory default reset.
2) The router architecture cannot ensure that an update won't require a manual router reboot. You need a device with dual firmware storage for that kind of feature - this is why business-class products will sport an active and a stored firmware version. Those are the only devices that are safe to be used in an automated update environment, as the firmware gets written to a partition that is separate from the live one.
3) Randomly disrupting someone's internet connection through an automated firmware update is a bad idea

The best that could be done with these routers would be email notification when new firmwares are available.

- The update can be done after the router has been idle for a while.
- An on/off choice for this feature - with on as default. Then it's at least more up to the user.
- The software can be designed so that the web browser will display a page to reboot the router. It can be a solution for critical updates, not for all updates.
- A disruption 1-2 times each year to improve security? I think most can live with that...
- Can an update be a solution that changes only a setting?
- Can the router display a web page when surfing - once in a while - that a critical update is available and an update is recommended?
- Can a router start flashing all its LEDs to tell a user that an update is available?
- Should an admin e-mail be set in the router on initial setup, so that messages can be sent when an update is available? Not a registration sent to the manufacturer, but only to send diagnostic messages - and telling the user why they should leave a message there and telling that this e-mail address is only stored in the router's configuration.
- Should UPnP designs be changed in a way that UPnP setups have to be user-confirmed? UPnP is "practical", but with ShodanHQ.com now, you don't have to understand much to be a "hacker"...

The security for such devices needs to be rethought. Maybe there should be changes from the initial design. Yeah, it would take years before old products are taken out of use, but it is a start.

But also - changes like these will have no effect if the manufacturers don't update their products. Asus was aware of the FTP issue for half a year and did nothing. There are a lot of known security holes in routers. Before they are disclosed, the manufacturer is normally told. But the feedback I got from penetration testers is that many of these companies don't take them seriously at all. There are even threats of legal action if they make it public. So there are router manufacturers that would rather take legal action instead of fixing stuff - even on newer products that are still on sale... that really improved the security.....
 

This can be easily achieved in bash if you are that concerned about being on the latest version. I personally made a script for the N56U that builds the latest firmware from Padavan's Git repo if it detects changes. Then another script running on the router compares SHA512 sums of the currently installed firmware to the latest on the file server. The script could be easily adapted to suit other routers and is done in a few lines of code. I will eventually get around to supporting AC routers, just waiting on the hardware :p.

http://198.23.248.102/firewall.sh
http://198.23.248.102/build.sh
 
And Netgear. And Linksys. And DLink. And ...

The truth is, most of these home devices get next to no security testing by their manufacturers. Heck, they even shipped devices with backdoors in them (DLink recently made the news there).

The only way to get something really tested for hardened security is to go with a business-class product. Otherwise... Disable any kind of file sharing service on your router, and leave it as what it was originally intended to be used: a router/firewall. And hope for the best.

Thanks.
You read my mind (re. disabling any kind of sharing service):

I have my RT-AC66U in default settings (just using it for 2.4 and 5 GHz wifi using WPA2 AES).
Luckily I have never used AiDisk, AiCloud, Servers Center (UPnP, iTunes, FTP and Network Place (Samba) etc.).


1. I assume there is no setting I need to change since all the extras in italics above should be disabled by default?


(I have the AC66U's http server turned off since I am using my primary Actiontec 802.11n cable modem / router combo from FIOS so I can get my TV channel guide, VOD, as well as VOIP etc.).


2. I am using the second most recent firmware (2050).
I see the latest beta firmware - Beta Version 3.0.0.4.374.2239 - addresses a bunch of issues.
I believe none of these affect me or they are all minor (I don't see anything about vulnerability in 2239 release notes, but they do note issues with httpd, which had a vulnerability fix in 2050);

I actually had the beta firmware on my AC66U but reverted to 2050 due to a wifi disconnect issue I was having, which ultimately turned out to apparently be due to something corrupt in my Windows Homegroup (using mainly a Win 7 32-bit desktop and a Win 8.1 64-bit 18.4" desktop replacement laptop).
After recreating / rejoining the Homegroup last weekend / early this week, the problem went away.

I guess I'll try beta firmware 2239 again.
 
1. I assume there is no setting I need to change since all the extras in italics above should be disabled by default?

There was a recently fixed issue where FTP access was allowed for anonymous users, which was resolved with 2239 (for new users). Just make sure that the FTP service is disabled under USB -> Server Center -> FTP.
 

Those are all good points, but check out the case below:

The AC56 (and presumably the AC68 too) was released with a very secure Samba server in its firmware. As Merlin states, it was impossible to do Samba over the WAN (at the time). So what does Asus do? They release a new firmware that opens your port 445 at the WAN without your permission. If you had an AC56/AC68, you might have turned on Samba and done a port scan when you originally bought it and everything came back as secure (stealth). You update the firmware a few months later and next thing you know, your port 445 is opened up to the world and you don't even know it. The release notes don't warn that they are opening up your 445 for the Samba server. That's just plain negligence.

Whether or not Asus introduced a bug or introduced a new design is debatable based on the post(s) below. But whether it's a new design or a bug is irrelevant. The bottom line is even if you prudently checked your security (port scan) with your original setup, that can all change in a hurry with a firmware update.

You cannot blindly trust Asus any more than you can any other vendor with or without firmware updates.

As Merlin stated before, your best bet is not to use the bonus features like AiCloud or Samba, FTP etc.... And do a port scan with e.g. GRC.

It's a no-win situation. You're damned if you do update the firmware (with or without script/automation) and you're damned if you don't.

http://forums.smallnetbuilder.com/showthread.php?t=12738

http://forums.smallnetbuilder.com/showthread.php?t=14660
There was a recently fixed issue where FTP access was allowed for anonymous users, which was resolved with 2239 (for new users). Just make sure that the FTP service is disabled under USB -> Server Center -> FTP.

Thanks Merlin!

I did some digging around after my post and saw that
1. DLNA was enabled (may have turned this on myself, although I am not sure about that). Not sure if DLNA is susceptible; however, since I am not currently using it, I disabled it.

2. I also noticed that 'share' under 'USB Application - Network Place(Samba) Share / Cloud Disk' was enabled.
That was definitely not my doing (must be on by default).
I disabled it.

3. FTP was already disabled (by default).


On a side note, since my AC66U's DHCP server is off, the router admin status page reports not being connected to the internet (my main cable modem / router combo is what connects me to the internet).
I am only using wifi on the AC66U.
 

I was a little surprised to see the same here - both must be on by default.

Like you I turned both off as I am using neither.

RT-N66U running 39_0-em
 
After reading through the 7 pages on this thread....all I can do is (facepalm)...

Really people....entertaining just a bit to see how folks still have to argue about it, when a fix was already posted in newer firmware and also "best practices" or even simple common sense would have helped.

Default settings on anything are NEVER acceptable...imo.

Services like FTP and file sharing....any service that is open to the internet is a potential risk.

I played around with the FTP and Samba and CloudDisk stuff that Asus and other brand routers offer nowadays....it's interesting...but ultimately was useless to me as I have a Windows Server 2012 system that handles all of that.

Don't blame Asus for someone attacking your FTP server....my Server 2012 system's FTP got brute-forced a few times....I still have the 60 MB+ text documents that are the system log files. And only 3 people even knew I had a server running....but that doesn't stop anyone on the net from running a scan. I also have had others that use FTP call me in to investigate strange issues. Many of the attacks I traced to overseas....China, Indonesia, and some other countries I have never heard of...

I simply say...just don't use FTP at all. It is way too easy to find and attack. I disable FTP. My Server 2012 system has its own built-in web server and remote access page for file sharing, and it is much more secure and has many more features than FTP. Also, there are plenty of cloud-based file share sites like Copy or DropBox.

For average users, router-based USB and file share etc.....is simple and convenient and suits 99% of average users just fine....but if you're stupid enough to just plug it in and use it, you're asking for trouble.

I want my router to use all its resources to do what it is made for....to be a router....I don't care about the other features....a standalone re-purposed desktop as a server does a far better job than any router-based setup out there.

Side note: I still love Tomato firmware....the Toastman builds I use for several of my clients' and friends' Cisco E2000 and E3000 routers are awesome. I never get calls from them since I installed those routers and firmware. The Cisco E3000 with Tomato actually gave me a constantly faster wired LAN transfer speed than my AC56U. Tomato is rock solid....but it certainly isn't the flashy UI, tons of fancy features type that today's manufacturers push to make consumers feel happy. If you want raw performance, the less fancy and bloated the firmware, the better. Many corporate routers and switches don't use a GUI, but terminal-based config.

Now back to Asus...

Asus is one of the only companies I have seen in my 10+ years in networking that actively update their products firmware. All the other brands, they stop pushing updates soon as the newer model comes out or model goes E.O.L. I have a few other brand routers, each only 2 or 3 years old, and when you check their website, you only see maybe a few updates and the newest one is maybe a year newer than the original release..

Asus, I must have upgraded each of my Asus routers several times now and I have had them less than 1 year. Yes, you have to go to the support page for your model to get the latest firmware...I have it bookmarked and check it once a week. There are currently 6 updates since the original release of the AC56U firmware. I wish other companies were this active and attentive to keeping things updated....(Intel and their dodgy wifi drivers especially).

Final thought:

Put simply, when it comes to anything running or connected to your network, if you don't use some feature of the device, turn it off!

Example: If you don't use the wifi option on your printer, turn the wifi radio off...(I can't tell you how many times I scan for wifi and see "HP printer" or "HP setup" and they are open for anyone to access and exploit). I connected to my neighbors' wifi printer, did the setup, and started printing....freaked them out...lol.
Asus is one of the only companies I have seen in my 15+ years in networking that actively update their products firmware. All the other brands, they stop pushing updates soon as the newer model comes out or model goes E.O.L. I have a few other brand routers, each only 2 or 3 years old, and when you check their website, you only see maybe a few updates and the newest one is maybe a year newer than the original release..

Exactamundo! And that's why I love Asus and was really happy when Asus started making routers.
 
I don't think anyone is advocating to stop buying or using Asus routers. I think people are just advocating that Asus use some common sense.

If they would hire someone like Merlin (who has common sense), he would have told Asus that their default FTP settings/behavior weren't the most secure for average users....and they could come back to haunt them.....bring bad publicity. As far as the port 445 issue is concerned, someone with common sense (like Merlin) would have immediately told them that their new samba implementation was seriously flawed for Ac68/Ac56. And even intermediate/advanced users could be blindsided by its vulnerability.

I don't think their original AiCloud implementation used common sense either.

Do all vendors need to use more common sense? Of course they do. But this is an Asus sub forum where people discuss matters related to Asus products.
 
I have old Asus mobos that were supported with updates for years after they were essentially obsolete. I think his point was that most manufacturers would just ignore the problems that, let's face it, are discovered with every device. Asus has a history of actively supporting their products through firmware / software updates, so as the problems come up, the problems have been addressed.
 

Amen to that! Great post and thanks for telling it like it is!
 
Default settings on anything are NEVER acceptable...imo.

I am new here so bear with me.

Default settings should be safe (yes, we generally know to change the login name and password) - but most people buying a router won't have the knowledge or inclination to go through all the options and say yes, that is a safe configuration.

I absolutely agree Asus and Merlin seem to do better than most. As far as I can tell my set up is secure.

Maybe you are an expert in all the devices you use and make sure they are configured correctly - but I guarantee most aren't, so I think it is in all of our interests if devices' default settings are secure.
 
Hello, is it then necessary to install new firmware?
We have an RT-N66U with Merlin x.x. .32. and no FTP or anything else.
A port scan finds no open ports. Luckily.
Is the problem fixed with the newest Merlin?

It is difficult for me because my English is not good.
A translation comes out partly as nonsense.

Thank you
 

Yes it is best to install new updates when possible.
 

The FTP "issue" was just that the default value was having Anonymous access enabled, nothing more. This is not a security hole in itself, and all that a newer firmware does is default to having it disabled instead of enabled when running the initial configuration wizard. So if you have Anonymous access already disabled, you're fine.
 

Maybe....but at least have the common sense to turn off features they don't use....like FTP or USB disk etc. features...if they don't use them....A simple Google search will tell you what features are if the little help balloon description isn't enough to explain things. Plus, the wizard it has when you first set it up...can't get any more dumbed down if you ask me. I remember when routers were hard to config and only a geek could figure it out....nowadays....even my 87-year-old grandmother can walk through the wizard.

Ok...so Asus screwed up and had a default setting they shouldn't. I remember when all routers would come completely open...no wifi password or security at all....the user had to go in and set all of that...to which, many folks just plugged it in and used it at default....free wifi for the neighborhood. (I went 3 yrs "borrowing" random neighbors' open wifi) And open access to the network devices and even the router's config.

And...really.... "Anonymous access with no account" - that's a pretty straightforward label and description. So....I don't see how that would confuse someone...as to whether a setting is safe or not to use.

For some folks, I have to give an example in different terms.....it would be like removing your front door, and placing an Open House sign in your yard....an Open House sign that is seen by the whole world and then gets an add-on that says "Free food"....then see how many folks come walking in....so it is with an open FTP setting....
 
closing all outward facing ports

An nmap scan on my AC66U (running latest Merlin) shows

Code:
515/tcp open printer
8443/tcp open https-alt
9100/tcp open jetdirect
9998/tcp open distinct32

I have set it not to allow access to the admin interface on the WAN side but the port appears open. I would like to close all these ports (and believe they should be closed by default) but don't see any obvious way to do so. I tried using

Code:
iptables -A INPUT -p tcp --destination-port 515 -j DROP
...
etc.

but this does not seem to have any effect. Advice?

[edited to correct model number]
 

An nmap scan from the inside isn't going to be very helpful, and will always show open ports.
 
An nmap scan from the inside isn't going to be very helpful, and will always show open ports.

To be clear, this was a scan of the WAN IP and the results are confirmed by grc.com's "Shields Up".

That being said, according to "lsof -i :8443" etc. only port 8443 appears to be associated with a listening process. However, it would be nice to be able to close these ports on the WAN side.

UPDATED:

I spoke too soon. For some reason, the last time I checked (above), the processes opening ports 515, 9100, and 9998 were simply not running (and the ports were in fact closed). But on rebooting the router, the ports were again open and the associated processes are lpd: 515, 9100; ots: 9998. What is ots? I gather it cannot be killed and will immediately respawn. However, since it is possible to kill lpd and u2ec on startup, I am wondering what functionality this will break. Finally, how can the WAN listening on 8443 be turned off if the toggle in the UI does not work and adding an iptables rule also didn't work?

Updated again:

A partial fix is to do the following:

Place the following in /jffs/scripts/services-start

Code:
#!/bin/sh
service stop_lpd
service stop_u2ec

Then do:

Code:
nvram set usb_printer=0
nvram commit
reboot

This doesn't address the fact 8443 still is open on the WAN port despite the UI toggle - this appears to be a bug. But it does close 515 and 9100 at any rate, if you don't need the printer daemon running.
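An added example, not code from this thread or from the Asuswrt-Merlin project, of the other half of the fix the poster was after: a /jffs/scripts/firewall-start hook that drops inbound TCP to the listed ports on the WAN interface only. It assumes two things not stated above: that the Merlin firmware runs /jffs/scripts/firewall-start after building its own rules, and that `nvram get wan0_ifname` returns the WAN interface name. Rules are inserted at the top of INPUT with -I rather than appended with -A, because iptables stops at the first matching rule, so a DROP appended after an existing ACCEPT never fires.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): an idempotent
# /jffs/scripts/firewall-start hook that closes selected TCP ports on the
# WAN side. Assumed (not confirmed by the thread): Merlin runs this hook
# after its own firewall rules, and `nvram get wan0_ifname` names the WAN
# interface. LAN-side access to the same services is left untouched.

IPTABLES="${IPTABLES:-iptables}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null)}"

# block_wan_ports PORT... : insert one DROP rule per numeric port at the head
# of INPUT, restricted to the WAN interface. A rule that already exists is
# skipped (-C), so the hook can be re-run without stacking duplicates.
block_wan_ports() {
    if [ -z "$WAN_IF" ]; then
        echo "block_wan_ports: WAN interface unknown, nothing applied" >&2
        return 1
    fi
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "block_wan_ports: skipping non-numeric port '$port'" >&2
                continue ;;
        esac
        if ! "$IPTABLES" -C INPUT -i "$WAN_IF" -p tcp --dport "$port" -j DROP >/dev/null 2>&1; then
            "$IPTABLES" -I INPUT 1 -i "$WAN_IF" -p tcp --dport "$port" -j DROP
        fi
    done
}

# The ports the poster's WAN-side scan reported as open.
if [ -n "$WAN_IF" ]; then
    block_wan_ports 515 8443 9100 9998
else
    echo "no WAN interface detected; run this on the router" >&2
fi
```

After a reboot, re-run the WAN-side scan: the DROP rules make the ports time out (stealth) even though the daemons still listen, which is why `lsof -i` on the router will still show them.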
 