I use one of the routers affected (AC66U), and I did use it as my only router at the time the vulnerabilities were found and exploited, but I didn't make use of the features in the router that allowed it to be taken over.
Asus makes good routers when it comes to the hardware. They are very solid, with well-chosen components, and the software user interface is quite good too. But sadly they dropped the ball when it comes to security, and this is a good reason why open source is the way to go.
All of the parts of the router that were susceptible to intrusion were written by Asus themselves. The firmware is based on Tomato, the UI is modified by them, and almost all features in the router, from the DNS forwarder and DHCP server to the VPN server and VPN client, are powered by open source projects that they include in their firmware.
When it comes to the "Ai" stuff for remote access to files shared by the router and so forth, this is all 100% Asus developed. There is a saying in programming circles: do not write your own crypto. And I feel that ethos, that you shouldn't make your own encryption system due to flaws you can't perceive, should extend to a lot of other things when possible. Don't write your own remote administration function; don't write your own remote file/folder share system. There is no need; there are well-established and secure open source alternatives.
I'm really disappointed in Asus that they allowed this to happen, and although I no longer use their router as anything more than a WiFi access point in my setup, I still feel jaded and reluctant to give them money after this event. They put thousands of people's personal information in jeopardy because they didn't do security auditing with a reputable outside firm, which is a must for all internet-connected devices.
I hope this sort of thing will drive more people to examine the products they purchase more closely and evaluate how much trust they put in them. I don't think I'll ever go back to using a consumer-grade router to protect my home again after using an open source alternative.
Also, off topic, but I use an Asus motherboard which has a feature called EZ Update to keep the Asus-supplied software for the motherboard up to date. This is common among motherboard makers, where they will bundle sound drivers, WiFi drivers, Bluetooth drivers, system monitoring software and so on. I happened to notice that EZ Update queries an HTTP URL and gets the updates from a web server.
There are no auxiliary checks performed beyond a text file listing the version number and the download of the binary. That means a sophisticated attack could be performed whereby you change the hosts file to point the Asus servers to one you control, or somehow get the domain from Asus through social engineering their domain registrar, and you would be able to send downloads to millions of people's computers. This EZ Update feature is included by default on all Asus laptops, of which they sell millions a year.
It doesn't use HTTPS, none of the downloads are signed, there is no secondary authority on a different domain to verify downloads, and there are no PGP or CRC checks. Nothing. If a download is there and the version number is higher than what you have installed, it just downloads the file, no questions asked. Asus and the other OEMs need a serious wakeup call.
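As an added example (not the commenter's code, and not Asus's actual EZ Update format or protocol): the two update-client flows the comment contrasts, written in Go. insecureShouldInstall is the behaviour described above, where a higher version number fetched over plain HTTP is the only check. hardenedShouldInstall adds the pieces the comment says are missing: a manifest signed with a key pinned in the client, an HTTPS-only download URL, a strictly-newer version rule so an old signed manifest cannot be replayed as a rollback, and a SHA-256 digest inside the signed manifest that the downloaded installer must match. The three-line manifest format, the example.invalid URLs, the fixed demo seed and the installer bytes are constructed assumptions; all the comment tells us about the real update file is that it lists a version number.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a hypothetical update descriptor. The comment only mentions "a text
// file listing the version number", so the three-line format used here is an assumption.
type Manifest struct{ Version, SHA256, URL string }

var (
	ErrBadSignature      = errors.New("manifest signature does not verify against pinned key")
	ErrInsecureTransport = errors.New("download URL is not https")
	ErrNotNewer          = errors.New("offered version is not newer than installed")
	ErrDigestMismatch    = errors.New("installer digest does not match signed manifest")
	ErrMalformed         = errors.New("manifest does not have the expected three lines")
)

// compareVersions orders dotted numeric versions and returns -1, 0 or 1.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	at := func(p []string, i int) int {
		if i >= len(p) {
			return 0
		}
		n, _ := strconv.Atoi(p[i]) // non-numeric components count as 0
		return n
	}
	for i := 0; i < len(pa) || i < len(pb); i++ {
		if x, y := at(pa, i), at(pb, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// insecureShouldInstall is the flow the comment describes: a higher number from a
// plain-HTTP server is the only check, so whoever answers for that host decides what runs.
func insecureShouldInstall(installed, offered string) bool {
	return compareVersions(offered, installed) > 0
}

// parseManifest expects three lines: version, hex SHA-256 of the installer, download URL.
func parseManifest(raw []byte) (Manifest, error) {
	f := strings.Split(strings.TrimSpace(string(raw)), "\n")
	if len(f) != 3 {
		return Manifest{}, ErrMalformed
	}
	return Manifest{Version: f[0], SHA256: strings.ToLower(f[1]), URL: f[2]}, nil
}

// hardenedShouldInstall adds the checks the comment says are missing: a signature from
// a key pinned in the client, an HTTPS download URL, a strictly newer version (so an old
// signed manifest cannot be replayed as a rollback), and an installer digest that matches
// the one inside the signed manifest (which ties the binary to the signature).
func hardenedShouldInstall(pinnedPub ed25519.PublicKey, manifestRaw, sig []byte, installed string, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, manifestRaw, sig) {
		return Manifest{}, ErrBadSignature // verify before parsing untrusted bytes
	}
	m, err := parseManifest(manifestRaw)
	if err != nil {
		return Manifest{}, err
	}
	if !strings.HasPrefix(strings.ToLower(m.URL), "https://") {
		return Manifest{}, ErrInsecureTransport
	}
	if compareVersions(m.Version, installed) <= 0 {
		return Manifest{}, ErrNotNewer
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrDigestMismatch
	}
	return m, nil
}

// demoKeys derives the vendor key from a fixed seed so the example runs offline;
// a real signing key lives in an HSM, never in code.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, "constructed demo seed, not a real secret")
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// signManifest is the vendor-side step: write the manifest and sign it with the
// private half of the pinned key.
func signManifest(priv ed25519.PrivateKey, version, url string, installer []byte) (raw, sig []byte) {
	sum := sha256.Sum256(installer)
	raw = []byte(version + "\n" + hex.EncodeToString(sum[:]) + "\n" + url + "\n")
	return raw, ed25519.Sign(priv, raw)
}

func main() {
	pub, priv := demoKeys()
	installer := []byte("constructed installer bytes standing in for a real .exe")
	raw, sig := signManifest(priv, "3.1.0", "https://updates.example.invalid/ezupdate.exe", installer)
	_, err := hardenedShouldInstall(pub, raw, sig, "3.0.9", installer)
	fmt.Println("genuine update accepted:", err == nil, "| old flow takes any higher number:", insecureShouldInstall("3.0.9", "9.9.9"))
}
```

The point of pinning the public key in the client is that the hosts-file and registrar attacks in the comment stop working: an attacker who can answer for the update host can serve any manifest they like, but without the vendor's private key none of it verifies. HTTPS on its own would only defeat the on-path and hosts-file cases, and would do nothing if the vendor's own server were compromised, which is why the signature check runs first, before the client even parses the manifest.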