In what appears to be an example of gross negligence, ASUS has apparently left a vulnerability in the majority of its routers completely unpatched for at least 8 months. The issue is actually two different vulnerabilities, which were most recently discovered by ArsTechnica readers who had suspiciously titled text files warning them of the inherent insecurity of their routers. The two primary vulnerabilities involve the router’s default FTP settings and the router’s AiCloud software, which is designed to make the router a cloud-connected storage device but actually exposes users’ data for anyone on the internet to see and access.
In a posting on netfluid titled ‘ASUSGATE: A story about thousands of crimeless victims’, some hackers publicly disclosed that they had ‘hacked’ into thousands of people’s routers to warn the owners of vulnerabilities caused by the settings in use on their routers, which were set that way by default. In the posting they state:
ASUSTeK Computer Inc (ASUS) have spent the better part of a year ignoring the fact that their RT-series routers suffer from two CRITICAL security vulnerabilities.
1. Default setting for the ftp-server was to allow anonymous login. ASUS calls this feature “limitless access rights”. We call this madness.
2. AiCloud usernames and passwords were stored in plaintext in a file available for download without logging in. We call this insanity.
Not only did they ship RT-routers with these vulnerabilities and ignore Kyle Lovett's emails and phone calls informing them about them, they also failed to provide firmware upgrades where these vulnerabilities were removed for another SIX months. Did they even perform security audits on their products before releasing them? Considering the use of plain-text storage of login credentials we have a really hard time believing they did.
This is not rocket surgery. Anyone with the slightest knowledge or interest in “security” would know this is unforgivable.
Vulnerability #1 (FTP) gives EVERYONE on the internet access to attached USB storage making it possible to download and upload files. You do not need an untamed imagination to realize the implications this has.
This madness must end and it must end now. ASUS have failed their customers. The internet service providers should all have scanned their networks and warned affected users about this. Did they?
This release includes
- IP-addresses to 12937 ASUS routers with vulnerable FTP and/or AiCloud.
- 6536 complete and 3605 partial lists of files shared from these ASUS routers.
- AiCloud login credentials to 3131 ASUS routers.
We are sorry for exposing innocents in this manner. But this world needs to change and change is only possible through revolution and revolution has to come from the people. Because this world is run by bandits who do not give a fuck while they watch the world burn. No fucks given. Lots of cash made. More cash made. Still no fucks given.
You can continue to not give a fuck about your customers. We will watch you create new stories about woe. And we will most certainly write about them.
So, ASUS spent many months ignoring a security researcher who had exposed the issue many months earlier, and basically did nothing. If you look at ASUS’ line of routers, a great many of them include the features discussed in the documentation of both the text file dump on netfluid and on securityfocus.com.
We have contacted ASUS and hope to hear back with their side of the story. As it appears right now, there has been quite a bit of gross negligence on the part of ASUS. This bad news about their sloppy router security follows a lawsuit from back in August in which Netgear accused ASUS of failing to pass FCC requirements but selling the products anyway.