×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Dear Asus Router User: All Your Cloud Are Belong To Us

Unknown Lamer posted about 2 months ago | from the stock-firmware-considered-harmful dept.

Bug 148

New submitter Trax3001BBS writes "Ars is running an article about a vulnerability of Asus routers that are becoming very popular at the moment for connecting USB devices to the Internet. From the article: 'An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used ... The guerilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of ... Asus router users. ... According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week...' And this old news, come new again: The Asuswrt Merlin ROM took care of this vulnerability months ago (defect #17)."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

148 comments

Open Source is better. (4, Insightful)

Anonymous Coward | about 2 months ago | (#46273535)

Just install DD WRT and have done with it.

Re:Open Source is better. (2)

cheater512 (783349) | about a month ago | (#46273563)

Yep DD-WRT is on my RT-AC66U. Works brilliantly.

Re:Open Source is better. (5, Informative)

AlphaWolf_HK (692722) | about a month ago | (#46274211)

I've got an RT-AC66U myself and honestly I like tomato (shibby version) a hell of a lot better for it. Multiple reasons, but the biggest include:

The interface in DD-WRT is clunky; by that I mean they use a worse than MS Windows* style of individual fields for IP address octets so that you have to tab between fields instead of naturally typing it out in the dot notation like you do everywhere else; and if you change one setting that uses a refresh object it *very annoyingly* undoes any unsaved settings you may have made on that page. *(MS Windows is actually slightly better here because if you type in the dots it automatically moves to the next field, whereas DD-WRT does not, requiring you to tab instead, and if you make an error in a previous field you have to shift-tab and arrow to your mistake instead of simply hitting backspace.)

Tomato has really nifty links for doing things quickly. A beautiful example is like giving a MAC address a sticky dynamic IP address just requires a click, typing the IP address and desired hostname (for local DNS resolution if you desire) and then clicking save. With DD-WRT you have to go through numerous steps just to type in the MAC address.

DD-WRT's QoS functions, and its network monitoring and analysis functions are downright awful compared to tomato. Just straight up awful.

DD-WRT deliberately cripples certain features unless you pay for them (such as its QoS features, which even the paid version is worse than what Tomato offers for free.)

(Kind of hypocritical too because DD-WRT was originally built by a group that was tired of the Sveasoft guy hoarding his changes to the GPLed code to only those who paid him, but I don't count that against them because I'm more of a "I use what works" kind of guy.)

Then again I'm a hobbyist when it comes to networks, so I might have more stringent demands than anybody else.

Re:Open Source is better. (1)

TyFoN (12980) | about a month ago | (#46274339)

Got to agree here, my N66U is flying with shibbys tomato.

I can't really figure out why one would want to put hard drives on the edge device, but still the custom firmware is best.

And the hardware of these devices are excellent :)

Re:Open Source is better. (1)

omnichad (1198475) | about a month ago | (#46275163)

You might put a thumb drive in there to hold log files. I do this to track my bandwidth usage. Well no- I use the CIFS support in Tomato for that.

Re:Open Source is better. (1)

AmiMoJo (196126) | about a month ago | (#46274573)

I prefer Tomato too but what drove my to DD-WRT is a lack of hardware support. If you want a reasonably priced, reasonably fast router with 802.11ac support you can't run Tomato, which is a real shame.

Fortunately QoS is irrelevant once your internet connection is fast enough (I'd say 100/100 or better), but unfortunately most people don't have that.

Re:Open Source is better. (2)

wisnoskij (1206448) | about a month ago | (#46274825)

I installed Tomato once, went back to DD-WRT less than an hour latter.
Tomato does some cool stuff, but its complete lack of pretty much every feature that DD-WRT has was a deal breaker.

Re:Open Source is better. (0)

Anonymous Coward | about a month ago | (#46275559)

I installed Tomato once, went back to DD-WRT less than an hour latter.
Tomato does some cool stuff, but its complete lack of pretty much every feature that DD-WRT has was a deal breaker.

I'm curious if you're comparing Shibby's Tomato or PolarCloud's original Tomato. If it's Shibby's what features are you missing?

Re:Open Source is better. (0)

Anonymous Coward | about a month ago | (#46273911)

Asuswrt is OSS

Re:Open Source is better. (1)

wonkey_monkey (2592601) | about a month ago | (#46273997)

No, not quite "have done with it." Keep it up to date as vulnerabilities are found and fixed, just like everything else.

Re:Open Source is better. (0)

Anonymous Coward | about a month ago | (#46274131)

I installed DD WRT on a D-link machine, hoping to get advanced range extending features beyond what D-link was offering... Unfortunately, DD WRT (atleast the only version available for this particular product) was so buggy, that I don't want to work with it.

Applying changes works 50% of the time.... the other 50% I get errors loading page etc...

And on top of that, I never actually got the range extending feature to work (it did on the D-link firmware).

Not saying DD WRT is bad, it just didn't work in this case, which shows, you shouldn't blindly recomend it to everyone.

Re:Open Source is better. (0)

Anonymous Coward | about a month ago | (#46274147)

I installed DD WRT on a D-link machine, hoping to get advanced range extending features beyond what D-link was offering... Unfortunately, DD WRT (atleast the only version available for this particular product) was so buggy, that I don't want to work with it.

Applying changes works 50% of the time.... the other 50% I get errors loading page etc...

Aahh... that sounds like typical "open source quality"... good software, but the proper quality assurance is missing. :(

Re:Open Source is better. (0)

Anonymous Coward | about a month ago | (#46274217)

Aahh... that sounds like typical "open source quality"... good software, but the proper quality assurance is missing. :(

Open Source Quality is the same than comercial software.

I have many problem with comercial software. Including one special case, the Cisco SPA122 ATA comes with a factory firmware that was useless. It has so many bugs that the first thing i have to do was update it. But the SPA 122 is one of the many cases of Cisco destroing Linksys software.

Re:Open Source is better. (1)

Gaygirlie (1657131) | about a month ago | (#46274349)

I have the opposite experience. I've got a Buffalo WBMR-HP-G300H that shipped with a horribly, horribly broken firmware that never worked right in the first place, was unstable as fuck and, worst of all, its web-based management system only worked with Internet Explorer. Installing DD-WRT on it was the best decision I could've made; the thing is stable as a rock, fast, it provides heaps and bounds more features and functionality than the original firmware and it allows for fancy things like e.g. running a Mumble-server on the router itself, completely negating the need for a separate machine for that.

It sucks that your experience was lackluster, though :/ Have you checked if there's been newer releases of DD-WRT for your D-Link?

Re:Open Source is better. (1)

jones_supa (887896) | about a month ago | (#46274387)

It sucks that your experience was lackluster, though :/ Have you checked if there's been newer releases of DD-WRT for your D-Link?

And if the problem persists, submitting a detailed bug report might be a good idea too.

Re:Open Source is better. (1)

tompaulco (629533) | about a month ago | (#46275909)

its web-based management system only worked with Internet Explorer.

Hmm, I may be mistaken, but it seems like the DD-WRT interface wanted me to use IE as well, at least for flashing.

Which D-Link model? (1)

SIGBUS (8236) | about a month ago | (#46274877)

I have a couple of D-Link DIR825-C1 units on my network, both with DD-WRT, one in client bridge mode and the other as my router. Both have been rock solid, and a worthy upgrade from my classic WRT54G boxes.

Re:Open Source is better. (1)

jones_supa (887896) | about a month ago | (#46274157)

Just install DD WRT and have done with it.

+1 for this. Most of the cases DD-WRT is more secure and stable than the manufacturer-provided firmware.

But still, these kind of community-built firmwares should not be required to have a good experience. As paying customers, we should demand high-quality firmware and consistent security updates directly from the manufacturer.

Re:Open Source is better. (1)

dimeglio (456244) | about a month ago | (#46274381)

I used DD-WRT on my Linksys router and it was great. However, the ASUS RT-N16 stock firmware does everything I need out of the box. It's very stable and didn't have to reboot it so I'm not going to bother changing it. It would be nice to have info from ASUS on a fix.

Re:Open Source is better. (1)

jiriw (444695) | about a month ago | (#46274507)

My experience is, in general, Asus makes decent featurefull router firmwares. However, I like tinkering and moar ;) options so my RT-AC68U soon got DD-WRT on it and some custom scripts. Multiple WLan segments with their own SSID so I have a public and private channel, multiple VLAN segments, one for DMZ, one for local lan, one for 'experiments'. Everything with a proper IPTables script which runs at boot... Custom DNS lookup table. It's just fun to hack router.

A clunky interface doesn't matter to me, as long as it has the options I need. At the time I flashed my router I couldn't find a Tomato firmware for it, else I sure would have given it a spin...

What I do miss with the RT-AC68U is '3rd party' binaries support. It's a shame Optware, or something similar, doesn't work yet on the AC-68U. I did try something with a crosscompiler but I have not yet had good results. I'd really want to run bind and postfix on it... amongst other things.

Re:Open Source is better. (1)

omnichad (1198475) | about a month ago | (#46275193)

If you like the Asus RT-N16, I don't recommend DD-WRT anyway. I have the same model and love how stable Tomato (Shibby build) is. The UI is very clean compared to DD-WRT, so you're not losing convenience for functionality. I also think the router is actually a bit faster on Tomato vs. stock. Then again - if you don't use the USB ports, you're not at risk anyway.

Re:Open Source is better. (1)

tompaulco (629533) | about a month ago | (#46275999)

I switched to DD-WRT because I needed some logging information so I could tell which MAC addresses were using the most bandwidth. I got a notice from Cox that I had used more bandwidth than my plan allowed (although a bandwidth allowance was not discussed when I signed up), but I was not able to tell which computer was using all the bandwidth using the built in firmware.
It turns out that it was the minecraft client that my daughter was playing. Apparently, minecraft client uses more bandwidth than streaming movies.

Re:Open Source is better. (1)

Algan (20532) | about a month ago | (#46274553)

Actually Asus' firmware IS open source. GPL even. You can download the sources and play with them and improve them. Which is exactly what Merlin does.

Re:Open Source is better. (1)

omnichad (1198475) | about a month ago | (#46275149)

I'm not sure why anyone would use the stock firmware. I use the RT-N16 with Tomato. It's the best router I've ever had. I hardly care that it doesn't have the 5GHz band, which would only reach the one room that doesn't have any wireless devices anyway.

Best way to let someone know something's amiss (2)

cosmin_c (3381765) | about 2 months ago | (#46273549)

Is a text file. The average computer user will not go and dig through log files, nor they will go around on the internet reading everything about each vulnerability that is exposed everyday. Years ago I copy pasted a similar text file to computers on a neighbourhood network, letting them know those specific folders were exposed on the local network and also been given r/w permissions. I was (and somehow still am) a humble user, passionate about tech, but I can always appreciate the heads-up. Just did what I think I'd like done if I were to accidentally share something on the local network, since although it might not be sensitive at first, mistakes are made regularly.

Re:Best way to let someone know something's amiss (2)

TWX (665546) | about a month ago | (#46273569)

I thought that the best way was to put dozens of iterations of something in the run folder of their start menu. Like that "screen mate" program that launched iterations of rams that walked around on top of the windows and "munched" on GUI items, or Tiny Elvis, which would walk around on the taskbar and comment on how huuuge things were...

Re:Best way to let someone know something's amiss (4, Interesting)

Penguinisto (415985) | about a month ago | (#46273625)

Do be careful about that...

I did that once, years ago, on a hotel WiFi network while traveling - I found a wide-open shared directory (I was bored, so I sniffed around, and...) The folder had a lot of rather sensitive-looking stuff laying about in it, judging by the filenames. I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it. The next morning, I was walking by the front lobby desk when I heard a hysterical woman demanding that the staff call the cops because she'd been "hacked".

First, last, and only time I'll ever be a good samaritan. :(

Re:Best way to let someone know something's amiss (0)

Joe_Dragon (2206452) | about a month ago | (#46273837)

Way open I was able to print to the office center printers from my room at one place (it was just an small area near the front desk) I only needed to print a few pages. But some could of really printed off pages and pages of stuff. Also lot's of other guests systems showing up as well.

Re:Best way to let someone know something's amiss (0)

Anonymous Coward | about a month ago | (#46274423)

Try sometimes calmly reading back your own message before sending it.

Re:Best way to let someone know something's amiss (0)

Anonymous Coward | about a month ago | (#46274895)

Way open

No idea what this means

I was able to print to the office center printers from my room at one place (it was just an small area near the front desk). I only needed to print a few pages. But someone could have really printed off pages and pages of stuff. Also lots of other guests' systems were showing up as well.

FTFY

Re:Best way to let someone know something's amiss (2)

jones_supa (887896) | about a month ago | (#46274401)

I left a small anonymous text file asking the owner to secure the laptop in the future, and wrote out step-by-step how to do it.

That wasn't very elegant way to handle that. Snooping into other people's files and telling them what to do is not cool, no matter if the objects are password-protected or not. I guess that's why the woman freaked.

And if I were to get a little text file like that, how would I know that you didn't actually tamper something else in the process.

I know you were just trying to help, but still...

Re:Best way to let someone know something's amiss (1)

liquidrocket (3439123) | about a month ago | (#46274829)

And if I were to get a little text file like that, how would I know that you didn't actually tamper something else in the process.

You cannot know whether anyone tampered with your files regardless of whether the text file was put there. That's the whole point of letting you know about the problem: anyone can do whatever they want with your files and hopefully after you see the file you will take steps to fix that.

Re:Best way to let someone know something's amiss (0)

Anonymous Coward | about a month ago | (#46275019)

It's like saying with a note to your new neighbor that he forgot his front door open in the morning and you closed it for him. It would be fine if the neighbors knew each other but questionable between strangers. Both cases need some kind of community arrangement or a standard to fix the open door situation without unnecessary concerns.

Re:Best way to let someone know something's amiss (4, Insightful)

Somebody Is Using My (985418) | about a month ago | (#46273651)

Which works until you use this method to "advise" the wrong person, who contacts the cops and you end up arrested for computer trespassing. Too often we hear stories about people intending to do good are blamed for the message they bring.

Unfortunately, there doesn't seem to be any "right" way to bring these problems to the attention of the user or the developer since the laws all seem to be unfairly balanced against the whistleblower. There is an automatic assumption that anyone providing the information could only have come upon the data because they were intending to do something malicious.

Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.

Re:Best way to let someone know something's amiss (-1)

Anonymous Coward | about a month ago | (#46274247)

If you are going to hack* and leave warnings make sure you are smart and diligent enough to be untraceable. For example, if I where to look for unsecured computers on wifi, I would use boot CD and a random MAC address. Also, don't login on to any website while hacking...

*Yes for the computer dumb hacking can be as simple as opening and writing to an unsecured windows share on a public wifi network. :(

Re:Best way to let someone know something's amiss (3, Insightful)

FireFury03 (653718) | about a month ago | (#46274511)

Having said that, there are many the times I've been tempted to rename the SSIDs of wireless networks that still use WEP in some vain attempt to knock some sense into the user's head. Never gave into that impulse, but boy, sometimes it was quite a struggle.

There are legitimate reasons for using WEP.

I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.

Whilst I'm of the opinion that if an AP is left completely open, it should be legal to treat it as a public hotspot, I do still think that if you're having to crack some kind of security, however weak, in order to gain access then you need to be arrested and punished because you're clearly stepping over the line. (And yes, cracking someone's WEP key and router password in order to change their SSID counts as stepping over the line).

Re:Best way to let someone know something's amiss (1)

liquidrocket (3439123) | about a month ago | (#46274919)

I still use WEP on my home network, because I still have a few devices that simply won't reliably do anything better. I figure that this is largely ok because:
1. Everything I do over the wireless network internally is using encrypted protocols anyway, and I wouldn't be using non-encrypted protocols for transporting sensitive data externally anyway.
2. There are a bunch of my neighbours' completely unsecured APs visible from my house so I figure if someone is interested in cracking a wireless network, they're probably going to go for the easy option and use one of those networks rather than cracking my WEP key.

Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth. You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on the internet, all of which you would be potentially liable for. That is, unless you require VPN authentication before allowing internet access.

Re:Best way to let someone know something's amiss (2)

FireFury03 (653718) | about a month ago | (#46275189)

Cracking a WEP key takes minutes and almost zero effort if there is already traffic on the network (and a bit more if there isn't). There may be completely unsecured APs around but whether they are actually as usable as yours depends on 1) the signal quality and 2) how many others are connected to these open APs and sucking up bandwidth.

Smashing a window and entering your home takes minutes and almost zero effort. There may be completely unsecured homes around but whether they are actually as vulnerable depends on 1) the value of anything in the home and 2) how many people are present in the open home at the time.

My point was that placing encryption on a network, however insecure that is, demonstrates that the network is private - anyone who accesses the network has conciously broken into it in the full knowledge that they were committing a crime. Compared to an open network where there may well be no way to know that it wasn't intentionally left open as a hotspot. So, if you break into my network (however trivially) and start screwing with things like SSID settings, I'd want you to be arrested because you were knowlingly committing a crime.

You say that everything using the network is encrypted but that is only half of the problem. The other half is somebody using your network to do (very) illegal things on the internet, all of which you would be potentially liable for. That is, unless you require VPN authentication before allowing internet access.

Where I live, people are not criminally liable for other people's actions, so no, I wouldn't be liable for someone doing something illegal through my network.

Re:Best way to let someone know something's amiss (0)

Anonymous Coward | about a month ago | (#46274283)

No, not really.
The best way is to hide every file in one folder, and THEN have a text file.

People don't check file names unless they don't know what they are looking for.

Hard drive? (0)

Anonymous Coward | about a month ago | (#46273579)

WTF does a ROUTER need a hard drive? That just sounds like a disaster waiting to happen.

Re:Hard drive? (2)

SeaFox (739806) | about a month ago | (#46273605)

For network accessible storage that doesn't require someone to leave a computer up 24/7 to run? The Internet accessibility is so you can get stuff from home when you're away from home.

It's all part of giving Joe Sixpack the abilities of a techie with a FreeNAS server, without making him learn anything about computers or networking -- or security for that matter.

Re:Hard drive? (1, Insightful)

Penguinisto (415985) | about a month ago | (#46273641)

Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/

Re:Hard drive? (2)

Voyager529 (1363959) | about a month ago | (#46273687)

Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/

No one is doubting that. I'd venture it a safe wager that nine Slashdotters out of ten can set up some form of network storage using a RasPi or a spare desktop. The reason why router-based access is handy is that most routers take roughly the same electricity as a CFL light bulb, and by definition are network accessible, either via SMB, FTP, or DLNA. You're not putting a Samba share accessible on the WAN port. It's the same principle as the Western Digital Personal Cloud drives, only without using an ethernet port. The routers also allow printer sharing for standard USB printers. As an added bonus, these routers run Transmission along with QoS - no need to leave your desktop on to run your BitTorrent downloads, and the QoS is done at the router level, so instead of the computers competing for the bandwith, the router can give the torrent downloads lowest priority, and /know/ when to flush stale TCP connections. Again, all of this is done at the router level, using whatever USB storage medium happens to be handy.

If you don't see the utility in such a solution and would opt for the RasPi instead, then to each his own, I guess. I personally find the hard disk + router combination to be a lot more compelling.

Re:Hard drive? (3, Funny)

davester666 (731373) | about a month ago | (#46273931)

Wuss.

I can do it with a stick of gum, a hair dryer, a usb jack, an RJ45 jack, some aluminum foil, and several hamsters with a hamster wheel.

And food for the hamsters for as long as you want the device to work.

Re:Hard drive? (1)

jones_supa (887896) | about a month ago | (#46274163)

Shit, man - I can do that with a Raspberry Pi, a copy of FreeBSD, a multi-GB MicroSD stick, and I'd get an infinitely more secure solution to boot. :/

So the idea of the Asus product is that you don't have to do the hours of manual crafting that your solution requires.

Re:Hard drive? (1)

LordLimecat (1103839) | about a month ago | (#46274205)

It also costs about $100 extra and requires a whole bunch of extra configuration and knowhow.

Theres basically no reason not to use your router as your NAS as long as it doesnt have any vulnerabilities and it meets your performance need. Simplicity is a good thing, you know?

Re: Hard drive? (0)

Anonymous Coward | about a month ago | (#46275551)

Everyone everyone! Attention! We've got a l33t haxor here! make way you scumbag windoze and linsux users! he's coming through, so just shut your mouths and dream of touching his long luxurious neck beard!

Re:Hard drive? (1)

JDG1980 (2438906) | about a month ago | (#46273739)

WTF does a ROUTER need a hard drive? That just sounds like a disaster waiting to happen.

These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN. This lets inexperienced users have network-attached storage without having to go through the process of sharing a network drive (and without having to leave a particular computer powered on all the time). Unfortunately, it looks like they weren't as careful about security in this instance as they should have been.

Re:Hard drive? (1)

SeaFox (739806) | about a month ago | (#46273981)

These routers don't have a hard drive included. They have a USB port, to which the user can connect an external hard drive, which will then be made accessible on the router's LAN.

There's a Netgear [newegg.com] that goes one step further.

Re:Hard drive? (-1)

Anonymous Coward | about a month ago | (#46273807)

WTF would Beta be on Slashdot?

Re:Hard drive? (1)

AHuxley (892839) | about a month ago | (#46273821)

So you can turn your "big" computer off and let your router download a larger file 'overnight' to usb storage if you have a low end adsl connection.
i.e. you put a url to a file into the “Download Master” gui and the file will download onto the usb "hdd" device.

Re: Hard drive? (1)

Anonymous Coward | about a month ago | (#46274301)

Buy a cheap NAS. The Internet facing device should not be an all-in-one device for security reasons.

God (-1, Offtopic)

TempleOS (3394245) | about a month ago | (#46273581)

You attack ASU. You, niggers are wicked retards God will never talk to. 101:1 I will sing of mercy and judgment: unto thee, O LORD, will I sing. 101:2 I will behave myself wisely in a perfect way. O when wilt thou come unto me? I will walk within my house with a perfect heart. 101:3 I will set no wicked thing before mine eyes: I hate the work of them that turn aside; it shall not cleave to me. 101:4 A froward heart shall depart from me: I will not know a wicked person. 101:5 Whoso privily slandereth his neighbour, him will I cut off: him that hath an high look and a proud heart will not I suffer. 101:6 Mine eyes shall be upon the faithful of the land, that they may dwell with me: he that walketh in a perfect way, he shall serve me. 101:7 He that worketh deceit shall not dwell within my house: he that

and this is why smart peiple don't touch windows (-1)

Anonymous Coward | about a month ago | (#46273593)

because of this kind of stuff which linux prevents

Re:and this is why smart peiple don't touch window (4, Insightful)

the_B0fh (208483) | about a month ago | (#46273781)

You realize that open FTP servers used to be the norm? You realize that the RFC itself requires PORT to be open so that you can do a bounce attack?

Please don't be an idiot. This stupidity has nothing to do with windows, and is clearly the fault of Asus and not anything OS related.

Re:and this is why smart peiple don't touch window (2)

aaarrrgggh (9205) | about a month ago | (#46273825)

...oh the irony.

I have a couple of the Asus routers, and I love them. One runs as an openvpn server, the other runs a few services to simplify remote administration of an offsite location. Good little boxes.

But, it has really opened my eyes as to how bad security can be. These systems are at least slightly more secure than the WD drives. Third party firmware adds some levels of complexity, but a whole lot of functionality.

Re:and this is why smart peiple don't touch window (1)

Anaerin (905998) | about a month ago | (#46273849)

Yes. Linux prevents it. Right. And what software do these routers run as their firmware? That's right, a customized version of Linux.

Re:and this is why smart peiple don't touch window (0)

Anonymous Coward | about a month ago | (#46273905)

"a proprietary version of Linux."

I fixed that for you. You can't blame Linux in most cases, you blame the company who has exclusive access to the firmware and judgment of when and what to update.

Re:and this is why smart peiple don't touch window (2)

wonkey_monkey (2592601) | about a month ago | (#46274003)

I thought Asus router firmware was open source.

has ... judgment of when and what to update.

That's more the problem. As I understand it, the last DD-WRT vulnerability was fixed within hours (not that that'll do much good if people aren't keeping it up to date)

Re:and this is why smart peiple don't touch window (0)

Anonymous Coward | about a month ago | (#46274067)

It doesn't matter if it was fixed even before the flaw was found, if nobody applies the patches. Routers and other small devices are "deploy and forget". In the future when your toaster runs linux, do you really want to check & apply updates every hour? And what if the bleeding edge patch breaks the timer/thermo and it burns someone's house down? Laugh at them because the source was open and they could have checked/fixed the code themselves?

Re:and this is why smart peiple don't touch window (1)

LordLimecat (1103839) | about a month ago | (#46274215)

Pretty sure the attack is on an Asus router which if i had to guess is running some unix variant...

not sure if you're trolling or what, but you really never know on slashdot.

I have an Asus RT-N66U with OEM Firmware and... (2)

mandark1967 (630856) | about a month ago | (#46273717)

I don't have to worry about this, AT ALL, because the router only worked for 2.5 hours after installation before it died. so there!

My router keeps reporting no new firmware! (1)

Anonymous Coward | about a month ago | (#46273863)

The best part about this, IMHO, is that my router reports that there is no new firmware. I was able to download it from ASUS and it installed successfully. But had I not seen this article, I would have kept on assuming that mine was the latest and greatest because that is what the router told me.

Holy crap! (1)

Anonymous Coward | about a month ago | (#46273933)

So I try a random IP, paste it in my URL bar (specifying an old, insecure file transfer protocol) and bam next second I'm looking at a guy's medical files (an excel sheet with daily blood sugar levels, what he ate that day, and sometimes comments) and his tax returns. Looked at a few pics too.
Another IP doesn't work immediately, another has the server up but no shares, another has some music and I'm downloading some to try it out, hell I even curlftps'ed in for the sake of it and it works albeit slow. Aww fuck I can even write. Dropping a few music files into an unknown spanish speaking person's short music collection.

For once.. Don't read TFA! makes feel dirty.
I wonder what's so "white hat" about some of the information that is included.

Re:Holy crap! (1)

LordLimecat (1103839) | about a month ago | (#46274223)

you also probably just technically broke the law.

Heres a tip to all voyeurs out there: dont probe random IPs specified as "vulnerable". You probably wont get noticed, but if you are you can get in a whole bunch of trouble. "Unauthorized access" means you unless you have permission.

Re:Holy crap! (0)

Anonymous Coward | about a month ago | (#46274849)

I'm pretty sure it's hacking only when the other end has an expectation of security. In the case of a security vulnerability, the user does expect to be secure, even if wide open. In the case of someone else's story of being at a hotel on their wifi and a fileshare with no password setup, probably not.

This gray text SUCKS! (-1)

Anonymous Coward | about a month ago | (#46273967)

It is so much more straining on the eyes to have gray text on a gray background. WTF happened to slashdot?

Thanks (1)

Gumbercules!! (1158841) | about a month ago | (#46273971)

Genuine thanks. I have one of these models in my office, where there's just a couple of us. Never even thought about it, as we don't use it for anything other than establishing PPPoE on ADSL. Turns out we had those features all turned on, too. No disks attached - but still.

Good or bad? (0)

Anonymous Coward | about a month ago | (#46274165)

An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend — a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used

I wouldn't call that a nasty surprise. In fact, I would call it a welcome surprise since it doesn't seem like his files were messed with and he is now aware of a security hole which he can take measures to protect.

Re: Good or bad? (0)

Anonymous Coward | about a month ago | (#46274333)

Welcome? No. I'd be paranoid my private files had been downloaded and/or malware was floating around (either from the same attacker pretending to be nice, or a different malicious attacker)

Dear IT People (4, Informative)

ledow (319597) | about a month ago | (#46274181)

Dear IT People,

Despite what you might think in the modern day, exposing things to the Internet unnecessarily is still just asking for problems. Especially things with firmware rather than regularly- and automatically-updated software.

Yes, we all run websites. Yes, we have RDS and VPN and all kinds of clever technology. And, yes, I'm sure you "keep it up to date" and have 28-digit passwords.

But that doesn't change the fact that the connection that comes into your business/home is "hostile". It receives rogue packets and attacks 24 hours a day whether you know it or not. In fact, it's kind of a credit to most firewalls how LITTLE you actually notice coming down the line because it's just handling all the obvious attacks and scans all the time.

But every port you open, everything you expose past your firewall (and even your firewall can be a problem if it's not good enough to handle unusual packets like a lot of ADSL routers that crash if they get too many connections or large packets, etc.) is a risk. Honestly. It's a risk.

If you buy some cheap piece of commodity hardware and port-forward direct to it on the standard ports, you are relying on the security of that device to keep intruders out - not your firewall.

If it's some cheap router, or some crappy CCTV PVR or a games console or even just a test experiment or network switch or something else in your home, then you are relying on THAT to be a secure gateway from attacks from the Internet. And guess what, the weakest link in the chain will be the first exploited.

Please, before you go exposing this crap to the general Internet, limit its damage potential. Don't put it on your local network, but a VLAN of some kind. Don't forward every port. Don't have things like UPnP enabled (which is just automated, authentication-less port-forwarding). Put some authentication on it. Don't rely on some web interface knocked up by a foreign CCTV manufacturer, intended as a GUI for the local network to be as trusted as your firewall.

Similarly, don't let these cheap, shit ADSL routers to be exposed to the general Internet while having all your personal files on them (and presumably running Samba, Bonjour, FTP, all kinds of shit to the local network to let you access them). Just... don't.

You want to do this kind of thing? Use the VPN functions and make sure you keep on top of their updates and security. They will allow you to join the local network remotely, and that local network can be as insecure as you like with this cheap shit dangling off it unauthenticated if you like, as your VPN access can be secured, logged, audited and checked quite easily.

Don't allow some piece of firmware junk, probably written in some C/Perl CGI/PHP that hasn't been updated since the day it started working enough to be saleable, to be your public face and guardian on the Internet.

The principle applies all the way up too. Don't put AD controllers on the visible Internet. Don't let your public RDS server be the same as your DC or even on the same VLAN. Don't run IIS exposed to the world for some crappy HP utility, or external page.

Do what those weird old tech guys used to do for decades and limit your exposure at all times. Sandboxing, VLAN'ing, permissioning, auditing. And, in the extreme, run a server OUTSIDE your home for this kind of shit. Seriously, VPS and cloud server with large storage allocations are cheap as chips nowadays. And they are kept up to date for you. And if someone compromises them, you have someone to blame AND you can be sure they haven't popped onto your home network and downloaded everything off your private laptop too.

If some random consumer buys this crap and gets attacked, that's their problem. This is a site for damn geeks, though. We should know this kind of stuff. We should be advising against this kind of stuff. I should be able to nmap any one of you, at home or at work, and come up with nothing but a handful of secured ports running the latest software (if anything at all!). It doesn't make us invincible - far from it - but it's the only sensible start.

Limit your attack surface. Sure, it's handy to just run a Windows server, say, and throw it on the net with all the junk enabled and tie it into the local net. Sure, it'll probably do quite a good job if you keep it up to date. Fact is, you want as few "doors" as possible, and as many of them locked down as you can.

I don't claim to be some security guru, here, but honestly why do we think that such open systems as this - a fecking router with a web interface offering a USB storage that's shared out to your local net over Samba - are anywhere near a sensible idea?

How hard is the concept: This is the Internet side. It's exposed and liable to attack. This is the LAN side. It's trusted and insecure and holds lots of data. Let's make sure they are separated by as much as realistically possible?

Every time I see a direct RDS login on a public webpage, every time I see people just logging into home machines using third-party services or direct port-forwards, every time I see some gateway device that even has the OPTION to expose the admin interface to the WAN, I cringe.

Please, just stop it. It in no way makes equivalent services impossible to offer to just wrap it behind a VPN and then pour all your security efforts into that one protocol.

Stop exposing shit to the world.

Re:Dear IT People (1)

Bert64 (520050) | about a month ago | (#46274255)

Secure your internal network too, don't rely solely on your border devices... All it takes is one pinhole and you're totally screwed.
Treat every device as if it was directly connected to the internet, use secure protocols, disable unnecessary features and choose wisely when buying devices. If you then want to hide these devices behind a firewall *as well* then more power to you, but never rely totally on a firewall because eventually they will fail you one way or another.

Re:Dear IT People (2)

ledow (319597) | about a month ago | (#46274379)

That's the way I do things, too, but the critical first step is to secure the borders.

My usual home setup is actually:

Internet router (everything disabled and DMZ enabled so it merely pipes all traffic to next device without processing it, like a modem).
- to -
Router / firewall (which treats all external traffic as hostile).
- to -
Wireless AP and LAN (separate ports / numbering / VLAN)

But even there, the Wireless has client separation (so one dodgy PC on the wireless can't see another), it's treated as "untrusted" to all my client devices (so they are providing software firewall to all traffic too) and they actually VPN into the router/firewall to do everything. Not going to get stung by all that WEP/WPA/WPA2 junk going wrong, historically they just aren't secure enough and I don't trust them.

It blows people's minds that I can give them the wireless key and they STILL can't do anything while my computers (with their VPN keys) work just fine over it, and the performance impact is absolutely negligible even for gaming (it has to go through the same network devices anyway, and there are no more round-trips than normal, just a tiny bit of encryption at each end which on a modern machine isn't worth worrying about). I have guest wireless access which I can manually enable if people are over, and it obviously does nothing more than lets them talk out (not to the LAN).

The router/firewall is the only device "at risk" and I take great care to make it do as little processing as possible and to separate out the networks (wireless is, again, untrusted on that router but it can access the VPN port, LAN is "trusted" and all-cabled, the only external access is via the VPN port).

Almost no impact on my life past setup (have to install the VPN client and keys on a new computer - takes about a minute - and you're putting in WPA2 keys etc. at that stage anyway, so no big deal). The VPN auto-connects and verifies the server whenever it's on the home wireless - I don't have to click anything at all. When an authenticated device is taken outside the home, the same VPN software can connect remotely with the same keys.

None of this MAC authentication crap - a MAC is too easily read and forged. You have to have my VPN keys (and hence, have been seen, verified and installed by me) to get anywhere. They are non-reversible, revokable, and can be limited in any number of ways (i.e. internal but not external access, external access but no file-sharing, etc.)

The setup of the whole thing I have redone every few years when I've moved house or whatever. It never takes very long. My girlfriend has zero problems with it - it all "just works" after a one-minute VPN client/key install. I game and don't notice any problems.

And yet, when you look at the junk in the logs that comes out of a single friend's wireless connection or bounces off from the Internet-side of things, it's scary.

Re:Dear IT People (1)

bill_mcgonigle (4333) | about a month ago | (#46274871)

use secure protocols, disable unnecessary features and choose wisely when buying devices

While absolutely correct, your strategy does not account for 99% of the users who lease Internet connections.

Re:Dear IT People (1)

AmiMoJo (196126) | about a month ago | (#46274569)

Maybe we need to think of operating this kind of equipment more like driving a car. You need to learn how to do it safely, and manufacturers have a responsibility to make sure their products are safe and issue fixes/recalls if problems are discovered.

Allow dumb routers with minimal features for those who don't want all that, and any router with more power has to be developed and operated responsibly.

Re:Dear IT People (0)

Anonymous Coward | about a month ago | (#46274577)

You could have included a TL;DR in the beginning.

The FEB-12-2014 firmware fixes N66 units (4, Informative)

rs1n (1867908) | about a month ago | (#46274517)

As the title suggest, the firmware update on 2/12/2014 supposedly fixes the issues. http://support.asus.com/downlo... [asus.com]

ASUS RT-N66U Firmware version 3.0.0.4.374.4422
Security related issues:
1. Fixed lighthttpd vulnerability.
2. Fixed cross-site scripting vulnerability (CWE-79).
3. Fixed the authentication bypass (CWW-592).
4. Added notification to help avoid security risks.
5. Fixed network place(samba) and FTP vulnerability.

Improvement:
1. Redesigned the parental control time setting UI.
2. Updated multi language strings.
3. Adjusted FW checking algorithm.
4. Adjusted Time zone detecting algorithm.
5. Improved web UI performance.

Asus router self update annoyance. (0)

Anonymous Coward | about a month ago | (#46275241)

Kind of annoying that my RT-N66U STILL does not see this firmware when I tell it to check for updates, even though it was released 6 days ago.

Re:The FEB-12-2014 firmware fixes N66 units (1)

MozeeToby (1163751) | about a month ago | (#46275561)

Did they fix the download master killing ping times? One of the selling points of the router for me and ended up being worthless since it drove latency to 2+ seconds whenever it was enabled.

Connecting USB devices to the internet (1)

drinkypoo (153816) | about a month ago | (#46274581)

Do it with a pogoplug. You can run debian (or allegedly BSD) from an SD card, it gets updated more than the various router firmwares, and you can get one with USB3 for $20 brand new.

RT-N16 will be secured automatically when it dies. (2)

compwizrd (166184) | about a month ago | (#46274585)

Haven't checked into other routers, but the RT-N16 has a "warranty cap". There is a capacitor on the far right of the unit, roughly centered. It's clearly designed to fail after a period of time. The rest of the capacitors are a different brand that isn't generally known to fail, the warranty cap is known to be a defective make.

Normally it takes a bit longer than the actual warranty length to fail.

Re:RT-N16 will be secured automatically when it di (1)

omnichad (1198475) | about a month ago | (#46275269)

Is it easy to recognize? It was still worth it to me to buy a second RT-N16, but I still have the failed one. Would love to resurrect it.

Re:RT-N16 will be secured automatically when it di (1)

drinkypoo (153816) | about a month ago | (#46276129)

It'd probably take you less time to rip it open and find out than to wait for the reply, or even to find pictures in the fcc database

Guerilla-style hacking disclosure?? (1)

WD (96061) | about a month ago | (#46274695)

Give me a break. A vulnerability was disclosed, and then some time after that it was leveraged by attackers in the wild. This is what happens.

School me up - how does this happen? (1)

landoltjp (676315) | about a month ago | (#46274697)

I'm using Bell Fibe in Canada, and they supply a Modem / Router solution. I believe that Rogers (other major ISP) provides similar technology. So for many people they would not have their own router / firewall as first line of defense, they'd have ISP-supplied equipment.

Is it common in Canada or the US for people to just get a WAN Modem / Driver from their ISP and then put their own router into place? Or worse, plug their laptop right into the Driver and hope that MS firewall will keep the wolves at bay?

For wireless, the Bell / Rogers solutions both suck ass, so I disabled wireless and bought a small office WAP to punch a signal through the house where needed (the rest of my stuff is hard-wired to the switch). I don't think that would be an entry point if the security is turned up enough, right?

Re:School me up - how does this happen? (1)

ruir (2709173) | about a month ago | (#46274777)

yes, most of us have a modem router solution. I also have it too. Are you stuck with it? Not necessarily... If you are fortunate like myself, you can disable the routing/wifi functions, configure it in bridge mode, and connect to it proper hardware.

Re:School me up - how does this happen? (1)

geminidomino (614729) | about a month ago | (#46275147)

Unless you're cursed with a Zyxel 5001... That piece of crap completely soils itself if it loses connection (such as might happen given SW Florida's weekly power flickers) in "Transparent bridging" mode. For some reason, it seems completely incapable of reestablishing a connection until I log into the admin panel, set it back to DHCP, and let it reconnect before resetting the whole thing.

I thought about getting a UPS for it, then I decided that if I'm going to spend more dough on it, I'd be better off getting a real DSL modem and ditching the one that the assholes at my ISP can log into regardless of settings. Now I just have to find one.

Not the best ideal to hook storage up to router (0)

Anonymous Coward | about a month ago | (#46275311)

If you want local storage your better off with a server then setting something up through a router. Most router makers don't concern themselves with security as much as ease of setup. The other question will be, is how long will it take Asus to do a firmware revision to correct this if they can?

"a mysterious text file" (0)

Anonymous Coward | about a month ago | (#46275731)

Did something similar to this once during college, we found a student on the campus network who had their entire computer shared with no password. We posted some text files on their desktop warning them of the issue and instructing them how to fix it. I think we even printed off the text file on their printer.

Virus warning (1)

jovius (974690) | about a month ago | (#46276111)

ClamXav on OS X reported a virus infection in one of the files in the archive: ASUSGATE/FTP-dirlist/75.183.112.181.dirlist: JAVA.Exploit.CVE_2012_1723 FOUND

I don't know exactly what to make of that, but be careful.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...