gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
74987 Posts in 13105 Topics by 2619 Members - Latest Member: rjvdmeijden December 03, 2016, 09:40:24 AM
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Feds spank Asus with 20-year audit probe for router security blunder
gfx
gfxgfx
 

Author Topic: Feds spank Asus with 20-year audit probe for router security blunder  (Read 233 times)

0 Members and 1 Guest are viewing this topic.

http://www.theregister.co.uk/2016/02/23/asus_router_flaws_settlement/

Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw.

The case arose in February 2014, when miscreants used an easily exploitable flaw in Asus's home router line to take control of 12,900 systems in the US. An investigation by the FTC found a catalog of serious security failures in the company's firmware and some very dodgy practices when it came to updates.

Offline Pri

  • MX Hosts
  • *****
  • *****
Re: Feds spank Asus with 20-year audit probe for router security blunder
« Reply #1 on: February 25, 2016, 09:20:35 PM »
I use one of the routers affected (AC66U) and I did use it as my only router at the time the vulnerabilities were found and exploited but I didn't make use of the features in the router that allowed it to be taken over.

Asus makes good routers when it comes to the hardware. They are very solid with well chosen components and the software user interface is quite good too. But sadly they dropped the ball when it comes to security and this is a good reason why open source is the way to go.

All of the parts of the router that were susceptible to intrusion were written by Asus themselves. The firmware is based on Tomato and the UI is modified by them and almost all features in the router from the DNS Forwarder, DHCP server, VPN server and VPN client are all powered by open source projects that they include in their firmware.

When it comes to the "Ai" stuff for remote access to files shared by the router and so forth this is all 100% Asus developed. There is a saying in programming circles, do not write your own crypto. And I feel that ethos that you shouldn't make your own encryption system due to flaws you can't perceive should extend to a lot of other things when possible. Don't write your own remote administration function, don't write your own remote file/folder share system. There is no need, there are well established and secure open source alternatives.

I'm really disappointed in Asus that they allowed this to happen and although I no longer use their router as anything more than a WiFi access point in my setup I still feel jaded and reluctant to give them money after this event. They put thousands of peoples personal information in jeopardy because they didn't do security auditing with a reputable outside firm which is a must for all internet connected devices.

I hope this sort of thing will drive more people to examine the products they purchase more closely and evaluate how much trust they put in them, I don't think I'll ever go back to using a consumer grade router to protect my home again after using an open source alternative.

Also off topic but I use an Asus motherboard which has a feature called EZ Update to keep the Asus supplied software for the motherboard upto date. This is common among motherboard makers where they will bundle sound drivers, wifi drivers, bluetooth drivers, system monitoring software and so on. I happened to notice that EZ Update queries a HTTP url and gets the updates from a webserver.

There is no auxiliary checks performed beyond a text file listing the version number and the download to the binary. That means a sophisticated attack could be performed whereby you change the hosts file to point the asus servers to one you control or somehow get the domain from Asus through social engineering their domain register and you would be able to send downloads to millions of peoples computers. This EZ Update feature is included by default on all Asus laptops of which they sell millions a year.

It doesn't use HTTPS, none of the downloads are signed, there is no secondary authority on a different domain to verify downloads, there is no PGP or CRC checks. Nothing. If a download is there and the version number is higher than what you have installed it just downloads the file no questions asked. Asus and the other OEM's need a serious wakeup call.

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Feds spank Asus with 20-year audit probe for router security blunder
 

gfxgfx
gfx
©2005-2016 WinMXWorld.com. All rights reserved.
SMF 2.0.12 | SMF © 2016, Simple Machines
Page created in 0.045 seconds with 23 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!