Feds spank Asus with 20-year audit probe for router security blunder

Asus has settled its case with the US Federal Trade Commission (FTC) after hackers pwned nearly 13,000 home routers via an unpatched security flaw. The case arose in February 2014, when miscreants used an easily exploitable flaw in Asus's home router line to take control of 12,900 systems in the US. An investigation by the FTC …

  1. linicks

    Ummm. I use an ASUS router, the RT-N66U - AKA the black knight. Best ADSL router I have ever owned - never drops, never goes MS 365 and just works.

    I use Merlin's firmware though. BUT the first thing you (or anybody) should do is change the default user name/password, make sure the WAN is not open to the Internet, and if you are paranoid, set up a DMZ to 0.0.0.0 to forward all requests to that (unless you have other things to do with it).

    OK, the software that comes with these routers is pretty crap sometimes, but I would say a lot of the time it's the end user at fault.

    I mean, for a new router, you have to have default admin/password to allow the user to get going...

    1. linicks

      So saying something sensible I get marked down.

      OK, don't change the password.

    2. Steve---d

      > Ummm. I use an ASUS router, the RT-N66U - AKA the black knight. Best ADSL router I have ever owned - never drops, never goes MS 365 and just works.

      What does this have to do with security? And I don't understand the MS 365 ref..

      > I use Merlin's firmware though. BUT the first thing you (or anybody should do) is change the default user name/password, make sure the WAN is not open to the Internet, and if you are paranoid, set up a DMZ to 0.0.0.0 to forward all requests to that (unless you have other things to do with it).

      The average user shouldn't have to do any of these things. Especially change to a 3rd party firmware. If the web UI or any other service is available over the WAN interface, the firmware is already shit. A strong wifi security configuration should be configured out-of-the-box, with the randomized SSID and password printed on the packaging, along with randomized admin ui creds. Changing default passwords on any device is common sense, but the vast majority of people with internet access are far from being technophiles.

      > OK, the software that comes with these routers is pretty crap sometimes, but I would say a lot of the time it the end user at fault.

      > I mean, for a new router, you have to have default admin/password to allow the user to get going...

      You just contradicted yourself, is it the user's fault, or the crap firmware that has non-randomized default credentials?

      I seriously hope your handle isn't a spin on Linux... or at least that it's not your profession.

      1. redpawn Silver badge

        Free Markets

        The free market would have fixed this, just like it fixed the adulterated food problem and the polluted water problem. People always look out for their own best interests, do lots of research and put their dollars where efficiency is maximized. This is why regulators are not needed. Think what we would have for consumer equipment if the burdens of regulation could be lifted and pure free markets could be implemented. It would be awesome. There would be no need for third party router software as the market would have already fixed the problem and optimized products.

        Sorry if your router hasn't protected your equipment. You should have done more research. Given time Asus will go out of business and the problem will be solved free market style.

        1. Nigel 11

          Re: Free Markets

          Given time Asus will go out of business and the problem will be solved free market style

          I can't help thinking that "free market" is about as far removed from this case as one could imagine. Could it have happened to Netgear (who have also shipped some incredibly insecure crap)? Hint. Netgear is a US company. Asus is not.

          Personally I think there's no hope until routers go fully open and run Linux (for example, OpenWRT) so that security updates happen in a timely manner and keeping one's router up to date does not depend on any hardware manufacturer continuing to actively support hardware which it no longer sells and which it would much rather you replaced with newer hardware. Sadly, at present I do not think there is a single router on the market with an ADSL port that has an open source driver available.

          1. dotdavid

            Re: Free Markets

            "Personally I think there's no hope until routers go fully open and run Linux (for example, OpenWRT) so that security updates happen in a timely manner"

            Not knocking OpenWRT or its controversial cousin DD-WRT (which I use myself) but AFAIK you don't get automatic security updates even with these firmwares, and the average user won't want to nor should need to install a third party firmware and more importantly keep it updated to remain safe.

            1. Nigel 11

              Re: Free Markets

              You don't get automatic security updates because with a router they are likely to require you to reboot or at the very least to drop existing connections. So you are likely to want to schedule the update yourself. Or you can install your own automation. The market at present is Linux-capable enthusiasts and maybe a few businesses.

              If they ever start selling a router with an OpenWRT derivative (or similar) to the general computer-using public, they might decide it's better to ship the thing with an auto-updater that installs security-critical updates immediately, and others overnight around 4am. The few for whom these defaults were wrong would be able to change them -- or indeed, to load some other open router distribution altogether.

          2. Roland6 Silver badge

            Re: Free Markets

            Hint. Netgear is a US company. Asus is not.

            This is getting to be a habit, namely naming and shaming a foreign HQ'd company. I suspect that the US has discovered a new style of protectionism that enables it to get around all those pesky trade agreements without anyone being able to call foul...

        2. Allan George Dyer Silver badge

          Re: Free Markets

          @redpawn - That "whoosh" sound is your sarcasm passing over the heads of the downvoters.

          That was sarcasm, wasn't it... now I'm not so sure.

          1. Triggerfish

            Re: Free Markets @Allan George Dyer

            I guessed it was sarcasm, but was so confused by Poe's law on that one I voted neither way.

      2. Triggerfish

        @Steve_d

        That's a bit harsh Steve, I thought all that information was highly useful. I'll send it to my mum (by letter, not email; she is still figuring that out), she should have no problem doing all that being a typical end user.

      3. linicks

        > And I don't understand the MS 365 ref..

        Sorry, a bit late. It doesn't go off line (AWOL) like MS office 365 does every few months or so - it just *works*.

    3. Martin Summers Silver badge

      What's wrong should be quite obvious. You are not using the router as boxed and shipped out by your own admission. So it is technically not an Asus router anymore, the Asus firmware on Asus routers was at fault here.

      1. Down not across Silver badge

        AsusWRT-Merlin

        So it is technically not an Asus router anymore, the Asus firmware on Asus routers was at fault here.

        AsusWRT-Merlin is actually based on the Asus code, but with a few tweaks/fixes and additional features.

        Having said that, technically you are correct (even if the majority of the code is the same as shipped by Asus, including the default admin username/password).

    4. frank ly Silver badge

      "I mean, for a new router, you have to have default admin/password to allow the user to get going..."

      The (newish) Virgin Media router is supplied with a sticker on the base that tells you the password is "changeme", so this is a step in the right direction.

    5. Nigel 11

      I mean, for a new router, you have to have default admin/password to allow the user to get going...

      Rubbish. You install a random default password and print that on a label stuck to the bottom of the router (personally I think the top would be better, and also a duplicate label stuck to the setup guide).

  2. Brewster's Angle Grinder Silver badge

    Hooray! Finally, a regulator gets round to interfering in the free market.

    1. Vector

      Sorry, but in this case, at least from what I can see in the article, the "interference" should be welcomed. It's about time to hold manufacturers' feet to the fire on security since the average user isn't going to be sophisticated enough to properly secure something like a router on their own and that failure could lead to a world of hurt. And since virtually everyone in the first world has one these days, that's a lot of hurt to spread around.

      1. Androgynous Cupboard Silver badge

        > The free market would have fixed this

        There is one, and it didn't.

        1. dotdavid

          > > The free market would have fixed this

          > There is one, and it didn't.

          Speaking as a capitalist running dog, internet of things security, like automobile safety standards, seems to be winding up as a thing that the free market cannot adequately handle mainly because the average purchaser lacks the expertise to even know that it's a problem. We don't have to be mechanics to have a safe car; we shouldn't have to be networking engineers to have a safe router. I don't see a problem having regulators impose standards in these sorts of situations.

      2. Brewster's Angle Grinder Silver badge

        "Sorry, but in this case, at least from what I can see in the article, the "interference" should be welcomed."

        There's no need to apologise as that was my point.

        But I did shade it with the recognition that the tide of bureaucracy is advancing towards my job. It made me feel like a turkey celebrating the increase in personal space due to the disappearance of some of my neighbours.

    2. phuzz Silver badge

      Where did the idea that a completely unregulated free market is the best solution for all situations come from?

      Many situations sure, but all? Certainly not, as this case shows.

  3. Jack of Shadows Silver badge

    How about Comcast next?

    I have a list, I'm checking it twice...

  4. dajames Silver badge

    Harsh but fair ...

    Asus's are among the better routers that aren't designed by a company that specializes in network hardware. There are plenty of others who deserve a similar penalty, it's just that their crap hasn't been exploited yet.

    1. razorfishsl

      Re: Harsh but fair ...

      Yes for the really 'good' stuff you need TP-Link

    2. Down not across Silver badge

      Re: Harsh but fair ...

      Yes they're fairly decent considering they're from a non-network kit vendor (especially the ones that are supported by Merlin). Quite reliable and have decent performance. To get similar features and performance from another vendor would probably cost a fair bit more.

  5. razorfishsl

    Just to be clear,

    Their "UPGRADE" servers STILL do not work, even for the other product lines.

    Firmware is available for months, but the "upgrade" check just says you already have the latest firmware.

    1. Anonymous Coward

      > Their "UPGRADE" servers STILL do not work, even for the other product lines.

      Let the FTC know, so ASUS can get their first $16,500 fine. Might make them start fixing things finally.

    2. Oengus Silver badge

      Catch 22

      Let me guess what ASUS's response will be... You have to apply a Firmware upgrade to get the "Upgrade Check" option to work...

      1. dnlongen

        Re: Catch 22

        Actually, no - the firmware update issue is on their end. The router downloads a file from ASUS servers that specifies the latest available version for every supported router model; ASUS has not done well at keeping this list up to date.

        I documented the firmware upgrade process and the source of the flaw in great detail about 2 years ago, at http://www.securityforrealpeople.com/2014/02/breaking-down-asus-router-bug.html (this is the report mentioned in paragraph 28 of the FTC complaint).
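The comment above describes an update check that trusts a per-model "latest version" list fetched from the vendor, so a stale list makes the router report "already up to date" while newer firmware exists. The following is an added illustration written for this page, not ASUS's client or file format: the manifest layout, model names, version strings and helper names are all constructed. It shows two defender-side checks such a client should make: compare versions numerically rather than as strings, and refuse to call a stale list authoritative.

```python
"""Added example: an update check that does not take a stale version list at face value.

Illustrative code for this page only; it is not ASUS's updater and the manifest
layout (model -> latest version, plus a publication date) is invented here.
"""
from datetime import date

# Constructed manifest, in the spirit of the per-model "latest version" file the
# comment above describes. The real file's layout is not documented on this page.
SAMPLE_MANIFEST = {
    "published": "2015-08-20",
    "latest": {
        "RT-MODEL-A": "3.0.0.4.376_1000",
        "RT-MODEL-B": "3.0.0.4.378_2000",
    },
}


def parse_version(v: str) -> tuple:
    """Turn '3.0.0.4.378_2000' into a tuple of ints.

    Comparing the raw strings would rank '..._999' above '..._1000' because '9' > '1';
    tuples of integers compare field by field, which is what a version check needs.
    """
    return tuple(int(x) for x in v.replace("_", ".").split("."))


def check_update(model: str, installed: str, manifest: dict, today: date,
                 max_age_days: int = 90) -> str:
    """Classify the outcome of an update check.

    Returns one of:
      "unknown-model"     - the list does not mention this model at all
      "update-available"  - the listed version is newer than what is installed
      "manifest-stale"    - nothing newer listed, but the list itself is older than
                            max_age_days, so "up to date" must not be claimed from it
      "up-to-date"        - nothing newer listed and the list is fresh
    """
    latest = manifest["latest"].get(model)
    if latest is None:
        return "unknown-model"
    if parse_version(latest) > parse_version(installed):
        return "update-available"
    published = date.fromisoformat(manifest["published"])
    if (today - published).days > max_age_days:
        return "manifest-stale"
    return "up-to-date"


if __name__ == "__main__":
    # Constructed run: same installed version, checked shortly after publication and
    # then half a year later. Only the second result should make the user look elsewhere.
    for when in (date(2015, 9, 1), date(2016, 2, 24)):
        print(when, check_update("RT-MODEL-A", "3.0.0.4.376_1000", SAMPLE_MANIFEST, when))
```

The point of the "manifest-stale" state is that a negative answer from an update check is only as good as the freshness of the list behind it; a client that cannot tell "no newer version" from "nobody has updated the list" should say so rather than reassure the user.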

  6. Tromos

    What a waste of time

    "Another researcher found the default login credentials on every router set the username and password to "admin," which is the first thing an attacker would try."

    It took a second researcher to find this??? Next time ask an attacker as they seem to get straight to it!

    1. Notas Badoff

      Re: What a waste of time

      From memory, there is a defined percentage of judgements/fines from financial and tax crimes that is paid to whistleblowers.

      Simply start making fines a decent multiple of coffee budgets, give the hackers researchers 10%+ and that will make security happen by incentivizing probes research. And the required follow-on tracking against continued non-compliance will then be provided free to the regulators at the same commission rate!

      This is golden: consumers win trustworthy equipment, governments get most of the fines, and basement bounty hunters get enough money to move into their own pads!

      OTOH: Free market advocates gnashing teeth: companies might actually forgo the revenue stream from making products they are unqualified to produce. Hmmm ... Naah, that's a benefit to everyone else!

  7. aj69

    That's one way to "service" the customer.

  8. JassMan Silver badge

    Oh the great US police and judicial systems!

    Asus allow the FBI to look inside a router without a court order (OK the bad guys had a good look as well) and they fine Asus and force them to have in-house auditing. Apple don't allow the FBI to look inside iPhones and they try to get a court order to allow them to do this. The fact that IF they are successful and win in court, then iPhones will be open to all the bad guys seems to have escaped them. Maybe they need an irony transplant.

  9. Marketing Hack Silver badge

    You see, Asus' problem was...

    That they didn't let the NSA help design the vulnerability!!

  10. Martin Summers Silver badge

    I would say now is the best time to buy an ASUS router. Why? How many other companies are having full blown security audits of their software punishable by fines for non-compliance right now? They could even use that in their marketing ;-)

  11. Anonymous Coward

    Asus, according to the company website, was named after the Greek mythological Pegasus creature, but dropped the "Peg" to show up more prominently in the alphabetical listings.

    Now all they did was drop much of the security to advertise their routers to show up in some searches.

    Those Pegsky hackers with their tools are just a nuisance.

    1. Nigel 11

      Asus, according to the company website, was named after the Greek mythological Pegasus creature, but dropped the "Peg" to show up more prominently in the alphabetical listings.

      I think I still prefer the version I have heard, that it once was "asUS" with creative typography to try to hoodwink USA customers into thinking it was a US product. Not quite as blatant as "made in Usa", Usa being a town in Japan which changed its name for commercial advantage.

  12. John Smith 19 Gold badge

    The *multiple* bugs suggest it's their *development* process that's fu**ed

    Not that their developers can't write OK code.

    No pen testing.

    Badly set up upgrade server.

    This is like a masterclass in how to f**k up IoT

    But to be honest I doubt they are the worst.

  13. Anonymous Coward

    Internet of Tat...

    .. protected by Internet of Arseholes

  14. CheesyTheClown

    Asus is Asus... it's not Cisco, Aruba, Meru, etc...

    Asus is a cheap home wireless router that you plug in, turn on and you're done. If you're concerned about security, it really just doesn't even matter what brand you use, if you don't properly monitor and configure patches and updates you're screwed.

    These days, the best solution would be a Windows based router with automatic updates turned on. At least then every now and then there's a chance a security patch will come in. So far as I know, Asus isn't doing weekly or monthly updates of their firmwares. They aren't doing daily updates of their firewall rules. They aren't running a security management center or even contracting someone else. They simply sell a wireless router and occasionally offer a feature patch which next to nobody installs.

    There's just no point to this. So far as I know, there's never been any claim by asus to be a secure device. I was pretty sure their selling point was "Any idiot can plug one in".

    1. John Sager

      Re: Asus is Asus... it's not Cisco, Aruba, Meru, etc...

      Hmm. A Windows-based router doesn't fill me with a lot of confidence but I see where you are coming from. However, although Microsoft's security processes are now quite good (though they misuse it regularly for other purposes), it took them a long time and a lot of mis-steps in the past to get there. It's also not cheap for them to manage, but only a small cost now compared with their revenue.

      The same doesn't apply in the router market. One could argue that the fact that the big ISPs bundle a router with the product militates against good router security, as the ISPs demand a 'just good enough' product at a rock-bottom price. So the other manufacturers have to follow the race to the bottom to compete. Of the router mfrs, only the big iron guys like Cisco could support a MS-style security wrap and Cisco aren't really in the consumer market.

      The later BT home hubs seem to have a good customer-based security wrap - a little slide-in card in the back with random Wifi and admin passwords. Let's hope the internal security config is as well thought out.

  15. Nigel 11

    Linux can and does do the job well if you have fiber or cable broadband, and load (say) openWRT into your router box. Unfortunately AFAIK there are no currently marketed routers with ADSL modem ports for which open-source drivers exist. So if you are using ADSL you have to use proprietary router software.

    Perhaps the FTC could be persuaded that this is an anti-competitive conspiracy? Or does the conspiracy include the NSA or the FBI?

  16. x 7

    a lot of this applies to ANY home router, especially "Another researcher found the default login credentials on every router set the username and password to "admin,""

  17. Wade Burchette

    I have the Asus RT-AC66U

    And I discovered that with the Merlin firmware and an SSH program, you can block all of the Windows 10 tracking. Block telemetry at the router level and there is nothing Microsoft can do to unblock it on your computer. If your Asus router supports Merlin and DD-WRT, then this trick can be done. I posted the instructions on my rarely updated blog.

    This all came about because I knew DD-WRT allowed dnsmasq settings. Using dnsmasq, I simply add a line that says address=/bad.website.com/0.0.0.0 to block a website. I was looking to put DD-WRT on my router just for that purpose. Then I accidentally discovered that Merlin firmware lets you add dnsmasq settings. It's just a matter of figuring out how to do it using the limited help on the Merlin firmware website.
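The post above uses a single dnsmasq `address=/bad.website.com/0.0.0.0` line. What that line actually matches is broader than the one name: dnsmasq applies an `address=` rule to the domain and to every name beneath it, the most specific matching rule wins, and a rule with the IP part left empty answers NXDOMAIN instead of a sinkhole address. The Python below is an added illustration written for this page (not code from dnsmasq, DD-WRT or Asuswrt-Merlin) that reimplements that matching rule over a constructed blocklist, so the effect of a line can be checked before it goes into the router's custom dnsmasq config; the sample config, queries and helper names are all constructed.

```python
"""Added example: how dnsmasq-style `address=/domain/ip` rules match query names.

Illustrative code for this page only. It mimics the matching dnsmasq documents for
`address=`: suffix match, longest (most specific) rule wins, empty address => NXDOMAIN.
"""
from typing import Dict, Optional, Tuple

# Constructed config fragment in dnsmasq's `address=/<domain>/<ip>` syntax.
SAMPLE_CONF = """\
# block a tracking host and everything beneath it
address=/bad.website.com/0.0.0.0
# a more specific rule overrides the broader one for its own subtree
address=/allowed.bad.website.com/192.0.2.10
# empty address part: dnsmasq answers NXDOMAIN for these names
address=/tracker.example/
"""


def parse_address_rules(conf: str) -> Dict[str, Optional[str]]:
    """Return {domain: ip_or_None} from address= lines; comments and other lines are skipped."""
    rules: Dict[str, Optional[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue
        # "address=/dom/ip" -> ["", "dom", "ip"]; the ip part may be missing or empty
        parts = line[len("address="):].split("/")
        if len(parts) < 2 or not parts[1]:
            continue
        domain = parts[1].lower().rstrip(".")
        ip = parts[2] if len(parts) > 2 and parts[2] else None
        rules[domain] = ip
    return rules


def resolve(name: str, rules: Dict[str, Optional[str]]) -> Tuple[str, Optional[str]]:
    """Classify a query name against the rules.

    Returns ("sinkhole", ip) when a rule with an address matches, ("nxdomain", None)
    when an empty-address rule matches, and ("forward", None) when no rule matches
    (dnsmasq would then forward the query upstream). The full name is tried first,
    then each shorter suffix, so the most specific rule wins.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            ip = rules[candidate]
            return ("sinkhole", ip) if ip is not None else ("nxdomain", None)
    return ("forward", None)


def blocklist_to_conf(domains, sink: str = "0.0.0.0") -> str:
    """Render a plain list of domains as address= lines, one per domain."""
    return "".join(f"address=/{d.strip().lower()}/{sink}\n" for d in domains if d.strip())


if __name__ == "__main__":
    # Constructed queries showing the subtree match, the override and the NXDOMAIN case.
    table = parse_address_rules(SAMPLE_CONF)
    for q in ("bad.website.com", "cdn.bad.website.com", "allowed.bad.website.com",
              "www.tracker.example", "website.com"):
        print(f"{q:28s} -> {resolve(q, table)}")
```

Two practical consequences follow from the suffix matching: a rule for a short name such as a bare second-level domain blocks every host under it, which is often more than intended, and a rule for a parent domain cannot be punched through for one host except by adding a more specific rule with the real address, as the `allowed.bad.website.com` line does.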

  18. erikj

    Yikes

    I have had an ASUS router since January, which has been working really well. When I set it up, I tried to be a good tech consumer and clicked the button looking for any firmware updates. It said none were available. I also clicked the "Check Signature" button, which cryptically (no pun intended) returns a worrying message "Signature update completely".

    After reading this article I went to the ASUS web site -- something I should have done on the first day -- and discovered there had been FOUR firmware updates released since the August 2015 date when the out of the box firmware had been released. It's good ASUS is releasing updates (and giving credit to those contributing security fixes). But how hard is it to wire that stupid button to a working updater service?

    FWIW, my previous WiFi router was an all-in-one combined with a cable modem. In the US, that means that ZERO firmware updates can be installed by the end user. Any updates have to be pushed from my cable company. Good luck to anyone relying on that.

  19. crayon

    Not fair to Windows users

    How come the FTC aren't looking out for Windows users? Security problems at MS are orders of magnitude more serious but the FTC are doing diddlysquat.


Biting the hand that feeds IT © 1998–2019