The ASUS Router Vulnerability: Close to something really bad
In 2013, Kyle Lovett, a senior penetration tester at Veracode, purchased an Asus router N66, highly popular among IT professionals for its impressive hardware. However, upon setting it up, he discovered several significant security flaws. The default username and password were set to ‘admin’ and users were not prompted to change them. The router also had a VPN, an FTP server, Samba for file sharing, and several web servers running by default. Lovett changed the default password and began testing the router as he would a normal web application. He found that port 21 was open with anonymous access, meaning anyone who knew the router’s IP could access personal photos and data from the internet without a password. The password was stored in clear text in an unprotected directory structure, making it easy for any guest in his home to find the router’s password. Additionally, the AI Cloud service allowed remote access with a clear text password.
Realizing the severity of these vulnerabilities, Lovett checked online and discovered that at least 50,000 people were running the vulnerable FTP server. Concerned about these widespread security flaws, he tried to contact Asus. After receiving no response to his initial emails, he disclosed the clear text password vulnerability online, which was picked up by various outlets. This partial disclosure prompted Asus to fix some issues, but the FTP problem remained unresolved for months. Eventually, Asus addressed all reported bugs.
In 2016, the US Federal Trade Commission sued Asus for not addressing security issues in a timely manner. This lawsuit resulted in orders for Asus to conduct security audits and notify customers of updates until 2036. Despite the fixes, many users remained vulnerable due to unpatched routers. Lovett never sought a bounty reward for his findings and appreciated the support from US-CERT in handling disclosures. He believes security is often an afterthought for many vendors and advocates for better testing to prevent such vulnerabilities.
Lovett’s discoveries highlighted the critical importance of robust security measures in consumer devices. The default settings on the Asus router, such as the default ‘admin’ username and password, were a significant security risk. He noticed that many features, including a VPN, FTP server, and multiple web servers, were enabled by default, which further exacerbated the security risks. Lovett’s testing revealed that these settings allowed unauthorized access to personal data through open ports, specifically port 21.
Lovett’s investigation did not stop at his router. He found that many other users were at risk due to similar security flaws. The clear text storage of passwords in an unprotected directory was a glaring vulnerability. His findings showed that this issue was not isolated; it affected thousands of users who were unaware of the risks posed by their routers.
Lovett’s attempts to contact Asus were initially met with silence, prompting him to take his findings public. This move pressured Asus into action, but it also underscored the broader issue of vendor responsibility in addressing security vulnerabilities. The partial disclosure of the clear text password vulnerability garnered significant attention and finally led to some corrective measures from Asus.
The FTC’s involvement brought additional scrutiny to Asus’s handling of security issues. The resulting legal action mandated that Asus improve its security practices and maintain transparency with customers regarding security updates. Despite these measures, the persistence of unpatched routers highlighted the ongoing challenges in ensuring device security.
Throughout this process, Lovett remained focused on improving security for all users. He never sought financial compensation for his discoveries, instead valuing the assistance from US-CERT in managing the disclosure process. Lovett’s experience emphasized the need for vendors to prioritize security and conduct thorough testing to identify and mitigate potential vulnerabilities.
In summary, Kyle Lovett’s work exposed significant security flaws in a widely used consumer device, leading to increased awareness and legal action to improve security practices. His efforts demonstrated the importance of vigilance and proactive measures in maintaining the security of consumer technology.