
DECEMBER 2014

Misfortune Cookie lets bad guys hack 12 MILLION routers

Home office: mis.fortunecook.ie
This is a really bad one. A flaw in the web server software in the router can allow bad guys to remotely take over a vulnerable router with admin privileges. The buggy web server software is RomPager from AllegroSoft. It is found in routers made by D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others. Testing by Check Point, which went public with the problem, found 200 different router models contained the bug. There are at least 12 million such devices in 189 countries across the globe according to Check Point. The bug was introduced in 2002 and fixed by AllegroSoft in 2005, but the updated version never made it to millions of routers. Read the last sentence again. Exploiting the flaw is easy: a bad guy just needs to send HTTP cookies crafted to corrupt memory. Turning off remote administration does not fix this. Many routers listen on port 7547 for commands using the TR-069 protocol (a.k.a. Customer Premises Equipment WAN Management Protocol).
Check Point suggests making sure that your router is not listening on ports 80, 8080, 443 and 7547. This list, however, is not complete. One good way to test these ports is with Steve Gibson's ShieldsUP! service. Do a "User specified custom port probe" and in the white rectangle enter "80,443,7547,8080". See a sample of a perfect report. That said, the only real way to know if a router is vulnerable to this flaw is to check with the manufacturer. Good luck with that.
I say this often, but not often enough: do not use a consumer class router.

NOVEMBER 2014

Three Cisco bugs

Cisco patches serious vulnerabilities in small business RV Series routers
by Lucian Constantin of IDG News Service November 6, 2017
Cisco Systems released patches for its small business RV Series routers and firewalls to address vulnerabilities that could allow attackers to execute arbitrary commands and overwrite files on the vulnerable devices. The affected products are the RV120W, RV180, RV180W and the RV220W. One flaw lets an authenticated user execute arbitrary commands as root. Another lets bad guys mount CSRF attacks against already authenticated users. Much worse is a third flaw that lets an unauthenticated attacker upload files with root privileges to arbitrary locations. The article said nothing about why a bug first reported in June 2013 took so long to fix.

Bug in Belkin N750 router

Serious Root Access Bug in Belkin N750 Router
by Brian Donohue of Kaspersky November 7, 2014
A vulnerability exists in the guest network Web interface of the Belkin N750 DB Wi-Fi Dual-Band N+ Router. Guest networks are enabled by default and they do not require a password. Thus, the flaw can be exploited by a local, unauthenticated attacker. The bug allows full control of the router. This was discovered by Marco Vaz of Integrity Labs. The company reported the bug to Belkin on Jan. 24, then they sent a proof-of-concept exploit on Jan. 28th. Belkin issued updated firmware resolving the problem on March 31st.

OCTOBER 2014

D-Link WPS is more insecure than usual

Reversing D-Link's WPS Pin Algorithm
by Craig Heffner   October 31, 2014
Consumer routers all have a WPS pin code. You can see it on the label on the bottom. WPS is a huge security flaw. Anyone who knows the WPS pin code can get into all the wireless networks created by the router. Think of it as a back door. WPS should always be disabled. Anyone can turn over your router, take a picture of the label on the bottom and then get into your Wi-Fi network(s) forever. That's bad enough. This article makes things even worse.
Quoting: " ... this code is using a simple algorithm to generate the default WPS pin entirely from the NIC portion of the device's WAN MAC address ... Since the BSSID is only off-by-one from the WAN MAC, we can easily calculate any DIR-810L's WPS pin ... this algorithm ... appears to have been in use for some time, dating all the way back to 2007 when WPS was first introduced. "
In other words: all routers advertise a MAC (Ethernet) address in the clear. WiFi Analyzer is a free, popular app for Android that displays the MAC address for each detected Wi-Fi network. Feed this MAC address into a formula and out comes a WPS pin code. With this pin code you can log on to that router forever, regardless of WPA or WPA2 security. WPS is a back door. Lazy work by D-Link to create a formula as opposed to randomly creating WPS pin codes. Two D-Link routers are confirmed to be vulnerable to this flaw. Sixteen are not vulnerable. The author later added "WPS pins generated from MAC addresses is not new, several other devices/vendors have been caught doing it in the past."
What to do? Turn off WPS, or better yet, don't buy a router that supports WPS at all.

Three flaws in multiple Linksys routers

Linksys SMART WiFi firmware contains multiple vulnerabilities
Vulnerability Note VU#447516 by Todd Lewellen   October 31, 2014
Bug 1: A remote, unauthenticated attacker can read the router's .htpasswd file by requesting http(s)://routeripaddress/.htpasswd. This file contains the MD5 hash of the administrator password. Bug 2: A remote, unauthenticated attacker can issue various JNAP calls by sending specially-crafted HTTP POST requests to http(s)://routeripaddress/JNAP/. Depending on the JNAP action, the attacker may be able to read or modify sensitive information. Bug 3: The router exposes multiple ports to the WAN by default. Ports 10080 and 52000 both expose the administrative web interface to WAN users. Depending on the model, additional ports may be exposed by default as well. Affected models include the EA2700, EA3500, E4200v2, EA4500, EA6200, EA6300, EA6400, EA6500, EA6700 and EA6900. There is updated firmware available to fix these bugs on most, but not all, routers.

NAT-PMP protocol flaws affect over 1 million devices

NAT-PMP Implementation and Configuration Vulnerabilities
by John Hart   from Rapid7   October 21, 2014
Background: NAT-PMP is the Network Address Translation - Port Mapping Protocol. It can be found on many routers and other networking devices. NAT-PMP allows LAN side computing devices to poke a hole in the router's firewall (technically, to send port mapping instructions to the router). NAT-PMP was designed by Apple, which uses it for Back to My Mac. It uses UDP ports 5350 and 5351. NAT-PMP was intended only to be used on the LAN side of a router. As such, it has no security at all. Rapid7 Labs scanned the Internet and found 1.2 million devices that responded to NAT-PMP commands. There should not have been any. Internal good. External bad. It's as if a doctor operated on the wrong leg. This illustrates one of the main reasons to avoid all consumer routers - the people writing the software/firmware stink at their job. This is disgraceful. Bad guys can abuse NAT-PMP in five ways: intercept internal NAT traffic, intercept external traffic, access internal NAT client services, denial of service attacks and information disclosure about the NAT-PMP device. For assorted reasons, Rapid7 did not disclose a list of vulnerable devices. The only defense offered is to disable NAT-PMP. It would also be a good idea to inspect the port mappings in the router every now and then.
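To make the "no security at all" point concrete, here is an added example (not code from this page or from Rapid7) that builds NAT-PMP requests and parses gateway replies exactly as RFC 6886 lays them out. Every field is shown, and none of them is a credential: whoever can deliver a UDP datagram to port 5351 can ask for a mapping. The two sample replies are constructed, not captured from a real device, and query_gateway is only meant for checking a router you operate yourself (a correctly configured one gives no answer at all from its WAN side).

```python
"""NAT-PMP (RFC 6886) request builder and response parser.

Added illustration, not code from the original page or from Rapid7.
The structural point: no field in any NAT-PMP request identifies or
authenticates the client, so a gateway that answers on its WAN side
honours requests from anyone on the Internet.
"""
import socket
import struct
from typing import Optional

NATPMP_SERVER_PORT = 5351   # gateway listens here; 5350 is used for client-side announcements
VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_TEXT = {
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


def build_external_address_request() -> bytes:
    """Two bytes: version 0, opcode 0. No client identity of any kind."""
    return struct.pack("!BB", VERSION, OP_EXTERNAL_ADDRESS)


def build_mapping_request(proto: str, internal_port: int,
                          external_port: int = 0, lifetime: int = 7200) -> bytes:
    """Port-mapping request: version, opcode (1=UDP, 2=TCP), two reserved
    bytes, internal port, suggested external port, lifetime in seconds.
    A lifetime of 0 asks the gateway to delete the mapping."""
    opcode = {"udp": OP_MAP_UDP, "tcp": OP_MAP_TCP}[proto.lower()]
    return struct.pack("!BBHHHI", VERSION, opcode, 0,
                       internal_port, external_port, lifetime)


def decode_response(data: bytes) -> dict:
    """Parse a gateway reply. Reply opcodes are the request opcode plus 128,
    followed by a 16-bit result code and the gateway's 32-bit uptime counter."""
    if len(data) < 8:
        raise ValueError("NAT-PMP response too short")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != VERSION or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    info = {"opcode": opcode - 128, "result": result,
            "result_text": RESULT_TEXT.get(result, "unknown"), "epoch": epoch}
    if info["opcode"] == OP_EXTERNAL_ADDRESS:
        if len(data) < 12:
            raise ValueError("external-address response too short")
        info["external_ip"] = ".".join(str(b) for b in data[8:12])
    elif info["opcode"] in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) < 16:
            raise ValueError("mapping response too short")
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        info.update(internal_port=internal, external_port=external, lifetime=lifetime)
    else:
        raise ValueError(f"unknown response opcode {opcode}")
    return info


def query_gateway(host: str, request: bytes, timeout: float = 1.0) -> Optional[dict]:
    """Send one request and parse the reply. None means no answer within the
    timeout, which is the correct outcome when a router is asked from its WAN
    side. Use only against a router you operate."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, NATPMP_SERVER_PORT))
        try:
            data, _ = sock.recvfrom(64)
        except socket.timeout:
            return None
    return decode_response(data)


# Constructed sample replies (not captured from any real device).
SAMPLE_EXTERNAL_ADDRESS_REPLY = bytes.fromhex("00800000" "00000064" "c0a80101")
SAMPLE_MAPPING_REPLY = bytes.fromhex("00820000" "00000064" "1f901f90" "00000e10")

if __name__ == "__main__":
    print(build_mapping_request("tcp", 8080, 8080, 3600).hex())
    print(decode_response(SAMPLE_EXTERNAL_ADDRESS_REPLY))
    print(decode_response(SAMPLE_MAPPING_REPLY))
```

The mapping request is twelve bytes and the reply is sixteen; there is no room in the format for a key, token or session, which is why the only fix is the one Rapid7 gives: make sure the gateway does not listen for NAT-PMP on its WAN interface at all. The same decoder can be used to read the gateway's current mappings back when inspecting them, as suggested above, since the reply for an existing mapping carries the internal port, external port and remaining lifetime.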

Belkin routers could not connect to the Internet for a day

Having problems connecting your Belkin router to the Internet? (They're fixed)
by Mark Hachman of PCWorld October 7, 2014
Several models of Belkin routers refused to connect to the Internet. The problem was likely with a "heartbeat" server not responding. This, in turn, caused the routers to think that their connection to the Internet was dead, even though it was fine. In addition, the Belkin website was down. Jan Willem Aldershoff reported that "Belkin routers ping heartbeat.belkin.com frequently to diagnose themselves and also that URL is not reachable."

Netis router fix is a scam

Netis Router Backdoor Patched But Not Really
by Tim Yeh of Trend Micro   October 3, 2014
Quoting: "Late last month, we reported about a backdoor vulnerability that we discovered in Netcore/Netis brand routers ... Now, it seems that Netis has addressed the vulnerability with a firmware update ... So, what does the update actually do? Well, instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls ... the backdoor is still in the router - just that it's closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it." Code was added that allows the backdoor to be controlled with a hidden function in the web interface of the router. The author thinks opening the port requires LAN side access to the router and the router password. My guess is that it's easier than that. The initial bug report from August is below.

SEPTEMBER 2014

Guessing the router password, then asking for it

Brazilian, U.S. Web Users Targeted by Router-Hacking Group
By Robert Lemos   September 3, 2014
An email message lures potential victims to an attacker-controlled Website where the bad guys use JavaScript to mount a dictionary attack against the router. The attack does not exploit a vulnerability. It appears to have affected 3,300 victims in three days. If the victim has not changed the default password for their router, the bad guys get in silently. If they can't guess the password, "then the Website will pop up a prompt asking you to enter it manually." Abusing non-techies. When they get in, the bad guys change the DNS servers to point to scam copies of Brazilian bank websites.

Compromised website tries to hack router

Compromised Website Used To Hack Home Routers
by Fioravante Souza   of SucuriLabs group   September 11, 2014
Yet another case of a hacked website trying to change the DNS configuration in a router. It first learns the private IP address of the victim, then guesses the router IP address and brute-forces the router admin credentials. This illustrates how important it is to change the router password.

Two implementations of WPS are extra buggy

Using WPS on your Wi-Fi router may be even more dangerous than you think
by Paul Ducklin   of Sophos   September 2, 2014
I already thought that enabling WPS was pretty darn dangerous since it is quite vulnerable to brute force attacks. In fact, I cannot recommend any router that supports WPS. I know, you can disable it, but I would rather not have it installed at all. And now, another reason to avoid WPS. A Swiss researcher, Dominique Bongard, discovered a new problem with it. As with most encryption, WPS depends on random numbers. Bongard found that a couple of firmwares make poor choices for their random numbers. This opens up a security hole in the protocol, making it possible to brute force the WPS pin code much faster than before. Vulnerable routers can now be attacked to yield the WPS pin code in seconds. One firmware was an absolute disgrace, using the exact same "random" number every time.

AUGUST 2014

Two million Netcore/Netis routers hackable through an open UDP port

Netis Routers Leave Wide Open Backdoor
by Tim Yeh   Trend Micro   August 25, 2014
Routers manufactured by Netcore, a popular brand in China, have a wide-open backdoor that can be easily exploited. They are also sold under the Netis brand outside of China. The vulnerability lets bad guys run arbitrary code on the routers. The backdoor is UDP port 53413 being open. The port is accessible from the WAN side of the router. The port is protected by a password, but all Netcore/Netis routers have the same password. Almost all Netcore/Netis routers appear to have this vulnerability. Trend Micro found more than two million IP addresses with the open UDP port - almost all of them in China. This flaw gives an attacker near-complete control of the router.

A hacking contest reveals 15 new router bugs

Fifteen new vulnerabilities reported during router hacking contest
by Lucian Constantin   August 12, 2014
Here is my argument to avoid all consumer routers in a nutshell. Quoting: "... only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition." What a disgrace. These routers were fully compromised: ASUS RT-AC66U, Netgear Centria WNDR4700 (which suffered two separate hacks), Belkin N900, TRENDnet TEW-812DRU and an Actiontec Electronics router used by Verizon. Eleven of the 15 bugs were found by Craig Young of Tripwire.

TR-069 is miserably implemented by ISPs

Home routers supplied by ISPs can be compromised en masse
by Lucian Constantin of IDG News   August 10, 2014
As of 2011, there were 147 million TR-069-enabled devices online listening on TCP port 7547. In fact, it's the second most frequently open port. These devices communicate with Auto Configuration Servers (ACS) operated by ISPs for assorted network management tasks. Many times a router cannot close the port. If an attacker hacks into the ACS server(s) then lots of bad stuff can happen. According to Shahar Tal, a security researcher at Check Point Software, ACS servers can be easily taken over by bad guys. The TR-069 specification recommends the use of HTTPS, but he found that insecure HTTP is used about 80 percent of the time, opening routers up to man-in-the-middle attacks. TR-069 requires authentication from the device to the ACS, but the username and password are typically shared and easily extracted. Check Point also tested several ACS servers and found critical remote code execution vulnerabilities in them.

MAY 2014

NSA hacks routers as far back as 2010

Glenn Greenwald: how the NSA tampers with US-made internet routers
in The Guardian   May 12, 2014
OK, this does not refer to a bug, but it is a router security issue. Quoting: "A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users. "

Buffalo router with DD-WRT would reboot forever

AirStation AC 1750 DD-WRT Router review
by Dong Ngo of CNET   May 15, 2014
The router in question has its pros and cons, but the Editor's note at the beginning caught my eye: "This review was delayed for a few months due to a bug that would put the router in an infinite boot loop in certain settings, effectively rendering it useless. This bug has now been fixed via a new firmware version." No need to worship at the feet of DD-WRT.

APRIL 2014

Sercomm backdoor is better hidden rather than removed

The SoHo router backdoor that was "fixed" by hiding it behind another backdoor
by Paul Ducklin of Sophos April 23, 2014
A backdoor was found in routers from Sercomm (a.k.a. Netgear, Cisco/Linksys and Diamond) back in December 2013 and got publicity in January 2014. The flaw was supposed to have been fixed in April 2014 with the release of new firmware, but what instead happened was that the backdoor was just hidden better. Really really really well hidden. So well, that at first, it appears to have been removed. And activating the backdoor was made really hard, but, not impossible. The backdoor can no longer be activated over the Internet. Version 2 can only be activated from inside the LAN (does not scale very well) or by your ISP. A reasonable person might assume that ISPs are complicit in spying. If this doesn't get you angry, nothing will. If this doesn't get you to step away from consumer grade routers, nothing will. For more see the January 2014 section below.

Australian ISP configures Netgear gateways so they are totally vulnerable

Default password leaves tens of thousands of Optus cable subscribers at risk
by Ben Grubb of the Sydney Morning Herald   April 4, 2016
Australian ISP Optus has configured thousands of Netgear CG3000v2 devices (they are gateways, combination modem, router and telephone adapter) with the same default password for both SSH and Telnet. Of course, the password was "admin". Customers can't change the password. Optus did this so that they could administer the devices remotely. Netgear wants no part of this, they said they "did not introduce the configuration problem and [they] added that the CG3000v2 modem was only supplied to Optus, not other telcos". An Optus customer could screw with the devices of other customers including: making and receiving phone calls as another customer, seeing someone else's call history, changing Wi-Fi passwords and more.

A ZyXEL N300 NetUSB router has a ton of bugs

ZyXEL Wireless N300 NetUSB Router NBG-419N devices contain multiple vulnerabilities
by an anonymous reporter   April 11, 2014
The buggy router is the ZyXEL Wireless N300 NetUSB NBG-419N running firmware version 1.00(BFQ.6)C0, and possibly earlier versions. Authentication for content located in any subdirectory of the web root may be bypassed. There is a hard-coded password of qweasdzxc (looking at a keyboard will show where this came from). Six different functions are vulnerable to buffer overflows. Four functions are vulnerable to command injection. A LAN side only process supports five functions that are vulnerable to command injection. No known workarounds. And, in May 2015, the NetUSB function itself had a security flaw.

Things are bad in router-land

Users face serious threat as hackers take aim at routers, embedded devices
By Lucian Constantin   April 3, 2014
Lead: "Home routers and other consumer embedded devices are plagued by basic vulnerabilities and can't be easily secured by non-technical users, which means they'll likely continue to be targeted in what has already become an increasing trend of mass attacks. Computer OSes have advanced considerably from a security standpoint over the last decade ... However, routers, modems, wireless access points and other plug-and-forget devices have lagged behind as their makers lacked strong incentives to secure them. As a result, those devices can now pose a significant threat to the online security of users ... "

Windows malware targeting routers from TP-Link, D-Link, ZTE and Huawei

Sality malware, growing old, takes on a new trick
By Jeremy Kirk of IDG News April 2, 2014
A botnet has taken on a new trick: brute-forcing routers that have easy-to-guess passwords. The malware behind the botnet, called Sality by ESET, is targeting 14 routers from TP-Link, three from D-Link, two made by ZTE and one from Huawei. If it can log in to the router, it changes the default DNS servers, a popular tactic. If a victim tries to go to Facebook or Google, they get redirected to a fake Chrome browser download page.

SFR (a French ISP) ADSL/Fiber Boxes vulnerable

39 Type-1 XSS in SFR DSL/Fiber Box
By alejandr0   April 1, 2014
According to their website, SFR has over 5 million broadband customers. The user has to be logged in to the router for the flaws to be exploited.

MARCH 2014

300,000 routers around the world had DNS servers changed

Hackers hijack 300,000-plus wireless routers, make malicious changes
by Dan Goodin at ArsTechnica March 3, 2014
A report from Team Cymru, an internet security research organization, found routers from D-Link, Micronet, Tenda, and TP-Link were hijacked. That is, they had their DNS servers modified. It is thought that multiple flaws were involved. The telltale sign that a router has been compromised is DNS servers of 5.45.75.11 and 5.45.76.36.
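The tell-tale sign described above is easy to check for mechanically, and the same check applies to the other DNS-changing attacks on this page (Sality, the Brazilian and Polish campaigns, the compromised-website attacks). The following is an added example, not code from this page's author or from Team Cymru: it pulls resolver addresses out of a resolv.conf file or a copied router status page and compares them with the two indicators quoted above. The resolv.conf text, the status-page excerpt and the list of expected resolvers are constructed sample inputs.

```python
"""Flag DNS resolver settings that point at known rogue servers.

Added illustration, not the page author's or Team Cymru's code. The two
addresses in ROGUE_DNS are the indicators quoted on this page; everything
else (the resolv.conf text, the router status page excerpt, the expected
resolver list) is constructed sample input.
"""
import ipaddress
import re

# Indicators quoted from the Team Cymru report summarised above.
ROGUE_DNS = {"5.45.75.11", "5.45.76.36"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(text: str) -> list:
    """Collect IPv4 addresses from lines that configure resolvers: resolv.conf
    'nameserver' lines, or router status pages that label a field 'DNS'.
    Comment lines are skipped; order is kept and duplicates dropped."""
    servers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        lowered = stripped.lower()
        if lowered.startswith("nameserver") or "dns" in lowered:
            for ip in IPV4_RE.findall(stripped):
                if ip not in servers:
                    servers.append(ip)
    return servers


def assess_resolvers(servers, expected=()) -> list:
    """Classify each resolver: 'known_rogue' if it matches an indicator,
    'unexpected' if an allow-list was given and it is not on it,
    'unparseable' for garbage that only looked like an address, else 'ok'."""
    findings = []
    allowed = set(expected)
    for ip in servers:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, "unparseable"))
            continue
        if ip in ROGUE_DNS:
            findings.append((ip, "known_rogue"))
        elif allowed and ip not in allowed:
            findings.append((ip, "unexpected"))
        else:
            findings.append((ip, "ok"))
    return findings


def compromised(findings) -> bool:
    """True when any resolver matches a known rogue server."""
    return any(status == "known_rogue" for _, status in findings)


# Constructed sample: a PC that takes its DNS from a hijacked router.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real capture
nameserver 5.45.75.11
nameserver 5.45.76.36
"""

# Constructed sample: text copied from a router's WAN status page.
SAMPLE_ROUTER_STATUS = """\
Connection Type: DHCP
WAN IP Address: 203.0.113.7
Primary DNS: 192.0.2.53
Secondary DNS: 5.45.76.36
Gateway: 203.0.113.1
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF),
                       ("router status", SAMPLE_ROUTER_STATUS)):
        findings = assess_resolvers(extract_dns_servers(text), expected=["192.0.2.53"])
        print(name, findings, "COMPROMISED" if compromised(findings) else "clean")
```

Pass your ISP's real resolver addresses (or the router's own LAN address, when the router forwards DNS) as `expected` and anything else is reported as unexpected even when it is not on the indicator list; a hijack that uses servers not yet published anywhere still shows up that way. Note that this only inspects configuration, not traffic, so a router that answers DNS itself but forwards to a rogue upstream needs its WAN status page checked, not the PC's resolv.conf.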

FEBRUARY 2014

Survey: IT folks have vulnerable routers at home

Majority of SOHO Wireless Routers Have Security Vulnerabilities
by Shelley Boose of Tripwire   February 24, 2014
Tripwire studied both IT folks and routers. On the people side, they surveyed 653 IT and security professionals and 1,009 employees who work remotely in the U.S. and U.K. Lots of these people did not change the default passwords on their routers nor the LAN side IP address. They also fail to upgrade the firmware and turn off WPS. On the hardware side they say: "Tripwire's Vulnerability and Exposure Research Team (VERT) has analyzed the security provided by the most popular wireless routers used in many small and home offices and found that 80 percent of Amazon's top 25 best-selling SOHO wireless router models have security vulnerabilities. Of these vulnerable models, 34 percent have publicly documented exploits that make it relatively simple for attackers to craft either highly targeted attacks or general attacks targeting every vulnerable system they can find."

And another Linksys router bug

More trouble for Linksys home, small office routers
by Michael Mimoso of Kaspersky Threatpost   February 18, 2014
Despite this coming to light just after TheMoon worm, this is a different issue. It was discovered by researcher Kyle Lovett and has mostly been ignored by Linksys. Quoting: "Lovett reported the bug to Linksys last July and did a partial disclosure a month later to alert users after Linksys failed to produce a fix. Lovett said his last email to the company two weeks ago regarding the vulnerability went unanswered." The bug in the Linksys EA2700, EA3500, E4200 and EA4500 routers can leave port 8083 open. Worse, the router web interface can show that remote management is disabled, but due to this flaw, it is not only enabled, but there is also no authentication. The router is a sitting duck for bad guys. Shodan can easily pinpoint routers that have port 8083 open, there are said to be about 30,000 of them. You can test if your router is vulnerable by browsing to: http://1.2.3.4:8083/ where 1.2.3.4 is your public IP address. If it is vulnerable, you will be placed into the admin console, with no prompt for authentication.

More on TheMoon

There is now an exploit for "TheMoon" worm targeting Linksys routers
by Lucian Constantin IDG News Service Feb. 17, 2014
Technical details about a vulnerability in Linksys routers have been released along with a proof-of-concept exploit and a list of potentially vulnerable models. Last week, security researchers from the SANS Institute's Internet Storm Center identified a self-replicating malware program that exploits an authentication bypass vulnerability to infect Linksys routers. The worm has been named TheMoon. The following models are potentially vulnerable: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. Belkin, which now owns Linksys, pointed out that the flaw can only be exploited if Remote Management is enabled and that it is disabled by default.

TheMoon malware on Linksys routers

Bizarre attack infects Linksys routers with self-replicating malware
by Dan Goodin of ArsTechnica Feb. 13, 2014
An ongoing attack infects wireless routers from Linksys with self-replicating malware. Johannes B. Ullrich, CTO of the SANS Institute, confirms that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. Virtually the entire Linksys E product line is thought to be vulnerable. The attack begins with a remote call to the Home Network Administration Protocol (HNAP), which allows ISPs to remotely manage routers. Compromised routers remain infected until they are rebooted. The objective behind the ongoing attack remains unclear.

USB storage devices plugged into Asus routers are visible everywhere

Dear Asus router user: You've been pwned, thanks to easily exploited flaw
by Dan Goodin of ArsTechnica Feb. 17, 2014
Plug an external hard drive into the USB port of an Asus router and everyone in the world can read it. The vulnerability was initially disclosed 8 months ago. Researcher Kyle Lovett found the bug and went public with it only after privately contacting Asus and being told the reported behavior "was not an issue." The bug is un-authenticated directory traversal which results in full sensitive file disclosure. Affected models are: RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16 and RT-N16R. Asus reportedly patched the vulnerabilities late last week. Note that this relates to bugs in the AiCloud feature and not the insecure defaults for Asus FTP which was reported in January 2014.

DNS hijacking in Poland sends victims to scam banking sites

Large-scale DNS redirection on home routers for financial theft
by CERT Polska, the Polish Computer Emergency Response Team Feb. 6, 2014 (alternate URL)
Thousands of home routers in Poland had their DNS settings changed to enable Man-in-The-Middle attacks on the websites of five Polish banks. Specifically, the bad guys added JavaScript that tricked users into giving up their usernames, passwords and TANs [transaction authentication numbers]. Say good-bye to your money. Quoting PC World: "Polish IT security outfit Niebezpiecznik.pl linked the attacks to a vulnerability reported last month in ZyNOS, a router firmware created by ZyXEL Communications that's apparently also used in some router models from other manufacturers including TP-Link, ZTE, D-Link and AirLive. The vulnerability allows attackers to download a file containing the router's configuration without authentication. The file can then be unpacked and parsed to extract the password for the router's administrative interface."

JANUARY 2014

Sercomm flaw, the beginning

Gaping admin access holes found in SoHo routers from Linksys, Netgear and others
by Paul Ducklin of Sophos   January 3, 2014
A backdoor exists in various router products from Sercomm which allows a remote attacker to gain full access to the device. Sercomm produces routers under its own name, as well as building hardware sold under a diverse range of brand names, including 3Com, Aruba, Belkin, Linksys, Netgear and Watchguard. Not all Sercomm-based products use Sercomm's firmware, and not all Sercomm firmware builds include the backdoor. This was discovered by Eloi Vanderbeken, during Christmas 2013. He found a TCP service listening on port 32764. This was ONLY THE BEGINNING! See April 2014 for the conclusion to this.

BrightBox router, provided by EE in the UK, easily hackable

EE BRIGHTBOX ROUTER HACKED - Bares All If You Ask Nicely
by Scott Helme January 14, 2014
Quoting Mr. Helme: "Shortly after having my new fibre broadband installed, I discovered a method to permanently compromise the security of the BrightBox router provided by EE. After a brief period of traffic analysis ... I had found that it is incredibly easy to access sensitive information. This includes the md5 hash of the device admin password and my ISP user credentials, amongst other sensitive data ... this not only leads to a total compromise of the device, but gives an attacker control of your account too." His router was a standard issue from the ISP. As I write this, over a year after the flaw became public, EE still touts this router as "secure". From the LAN, without logging in to the router, merely entering "http://192.168.1.1/cgi/cgi_status.js" yields almost every single piece of sensitive information stored on your router. He also found lots of password sloppiness. Back in Jan. 2014 it was estimated that EE had around 714,000 subscribers in the UK.

TP-LINK Routers cough up their passwords

More than 200,000 Algerian TP-LINK Routers are vulnerable to Hackers
by Mohit Kumar of The Hacker News January 15, 2014
Algerie Telecom provides customers with TP-LINK TD-W8951ND routers that can be remotely exploited. The web page that lets you upgrade the firmware also lets anyone, without a password, download a backup file. The file contains the encrypted administrative password of the router. The password can be decrypted with a free online service.

NETGEAR N150 router divulges its password

MIT(R)M Attacks - Your middle or mine?
by c1ph04   January 11, 2014
There is a vulnerability in the password recovery feature of NETGEAR N150 wireless router identified as WNR1000v3. The bug lets anyone on the LAN learn the router userid and password. This was discovered and reported in April 2013 and it has not been patched. The router is vulnerable even if password recovery is disabled. A Shodanhq search for WNR1000v3 reveals almost 14,000 hits. Getting Netgear to acknowledge the problem was very difficult. Quoting: "I attempted desperately to report the vulnerability to the vendor directly. This process was soooooo insanely difficult that it actually drove me to about 18 seconds of maniacal laughter. I seriously don't know if the internal communication was just horrible (I actually started getting emails back from the vendor addressing me as "Ms. Difrank"), or if they just DO NOT CARE! "

Asus routers exposing USB devices via insecure FTP

Default settings leave external hard drives connected to Asus routers wide open
by Mikael Ricknas of IDG News Service January 9, 2014
Shared storage that can be remotely accessed via FTP is convenient, but if products aren't configured correctly, personal data can become accessible to anyone with basic technical knowledge. This is what happened on many Asus routers: files on drives connected to the USB port were easily accessible over the Internet. Rather than a bug, this was a case of insecure defaults and miserable documentation. If USB access was configured with an Asus wizard, the end user had three options: "limitless access rights", "limited access rights" and "admin rights". What do these mean? It was none of your business. The default was unlimited access. Anyone who chose "limited access rights" then saw an option to set up a user called "Family" and it was suggested that you use the password "family". Ouch. Asus decided to develop a firmware update with better explanations and more secure defaults. Not mentioned in this article, or any others I saw on the subject, is that FTP transmits passwords in clear text and thus should be avoided altogether. There are secure versions of FTP, however. For real bugs with the AiCloud feature of Asus routers see the bug reports from Kyle Lovett back in June 2013 and July 2013 and an ArsTechnica follow-up in Feb. 2014.
