Dear Asus router user: You've been pwned, thanks to easily exploited flaw
Hackers expose eight-month-old Asus weakness by leaving note on victims' drives.
An Ars reader by the name of Jerry got a nasty surprise as he was browsing the contents of his external hard drive over the weekend—a mysterious text file warning him that he had been hacked thanks to a critical vulnerability in the Asus router he used to access the drive from various locations on his local network.
"This is an automated message being sent out to everyone effected [sic]," the message, uploaded to his device without any login credentials, read. "Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt."
It's likely that Jerry wasn't the only person to find the alarming message had been uploaded to a hard drive presumed to be off-limits to outsiders. Two weeks ago, a group posted almost 13,000 IP addresses its members said hosted similarly vulnerable Asus routers. They also published a torrent link containing more than 10,000 complete or partial lists of files stored on the Asus-connected hard drives.
The guerrilla-style hacking disclosure comes eight months after a security researcher publicly disclosed the underlying vulnerability that exposed the hard drives of Jerry and so many other Asus router users. The June 22 report found the "ability to traverse to any external storage plugged in through the USB ports on the back of the router," but researcher Kyle Lovett said he went public only after privately contacting Asus representatives two weeks earlier and getting a response that the reported behavior "was not an issue." In July, Lovett published a second disclosure that offered additional technical details.
"The vulnerability is that on many, if not on almost all N66U units that have enabled https Web service access via the AiCloud feature, [they] are vulnerable to un-authenticated directory traversal and full sensitive file disclosure," Lovett wrote in his earlier dispatch. "Any of the AiCloud options 'Cloud Disk,' 'Smart Access,' and 'Smart Sync' (need another verification on this one) appear to enable this vulnerability."
According to Lovett, the weakness affects a variety of Asus router models, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R. Asus reportedly patched the vulnerabilities late last week, but as Jerry's experience demonstrates, it has yet to be installed on some vulnerable routers.
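Lovett's description, "un-authenticated directory traversal and full sensitive file disclosure" against USB storage exported over the web, names a well-understood bug class: a file-serving handler joins the client's requested path onto the share root without checking that the result still lies inside it. The following is an added illustration in Python of that class and its fix; it is not Asus firmware or code from Lovett's disclosures, and the sandbox directory it builds (a `share` folder next to a `private.txt` that must never be served) is constructed for the example.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a request would resolve outside the exported share."""


def resolve_naive(share_root, requested):
    """Vulnerable pattern: join the request onto the share root and normalise.
    '..' segments are honoured, so a request can walk up out of the share and
    name any path on the storage device or on the router's own filesystem."""
    return os.path.normpath(os.path.join(share_root, requested))


def resolve_safe(share_root, requested):
    """Hardened pattern: canonicalise both sides (realpath collapses '..' and
    follows symlinks), then refuse any result that is not inside the root."""
    root = os.path.realpath(share_root)
    # Drop a leading '/': os.path.join would otherwise discard the root entirely.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("request escapes the share root: %r" % requested)
    return candidate


def serve(share_root, requested, resolver):
    """What a file-serving handler returns for one request: the file's bytes,
    or None when the request is refused or names something that is not a file."""
    try:
        path = resolver(share_root, requested)
    except TraversalError:
        return None
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def build_fixture():
    """Constructed sandbox standing in for a USB disk: <base>/share is the
    exported folder, <base>/private.txt is data that must never be served."""
    base = tempfile.mkdtemp(prefix="usbshare-")
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "photos"))
    with open(os.path.join(share, "photos", "cat.jpg"), "wb") as fh:
        fh.write(b"JPEG")
    with open(os.path.join(base, "private.txt"), "w") as fh:
        fh.write("not for export")
    return share


if __name__ == "__main__":
    share = build_fixture()
    for request in ("photos/cat.jpg", "../private.txt"):
        print(request, "naive ->", serve(share, request, resolve_naive))
        print(request, "safe  ->", serve(share, request, resolve_safe))
```

The naive resolver hands back `private.txt` for a request of `../private.txt`; the hardened one refuses it because the canonical path no longer shares the root as its prefix. Canonicalising with `realpath` before the comparison matters: a string prefix check on the un-normalised path is fooled by `..` segments and by symlinks inside the share.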
"Needless to say, I am pissed," he wrote in a message to Ars. He went on to say that he thought his device was secure because he hadn't enabled any services that explicitly made hard drive contents available over the Internet. "It was my belief that I had all of these options turned off," he said. "I definitely have never used AICloud or had it enabled. In fact, the only thing I've ever enabled myself is the Samba share. However, the Asus menu is very unclear about what is being shared and with whom."
He's not the only one to face the rude discovery that contents of his Asus-attached hard drive have been available to anyone with some rudimentary knowledge and a standard Internet connection. Earlier this month, a Harvard Law School blogger was shocked to find that he was also caught with his digital pants down after hooking a "giant USB drive" to his RT model Asus router.
"Out of curiosity, I entered 'ftp://[my external ip address]' into my browser and sat wide eyed when I saw the contents of my media server show up," the blogger wrote. "I reasoned it must be because I'm already inside the network (which doesn't even make sense really), but panic was starting to set in. So I pulled out my phone and turned off the Wi-Fi connection and tried it there. Now I was worried."
The exploits against the Asus router coincide with the discovery of a round of attacks that infect Linksys routers with self-replicating malware. The Linksys exploits don't expose any user data, and infected machines can be restored to their normal state by being rebooted. The in-the-wild exploits against both Asus and Linksys devices come two weeks after researchers in Poland reported an ongoing attack that stole online banking credentials in part by modifying home routers' DNS settings.
Taken together, the attacks are a sign that routers and other Internet-connected devices are being subject to the same in-the-wild attacks that have plagued PCs—and in some cases Macs—for years. Readers are advised to lock down their routers by installing any available firmware updates, changing any default passwords, and ensuring that remote administration, Cloud, and FTP options are set to off if they're not needed.
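The advice above (switch off remote administration, Cloud and FTP unless needed) is easiest to verify the way the Harvard blogger stumbled on the problem: from outside the LAN, against the router's own WAN address. The script below is an added self-audit example, not an Ars or Asus tool; it checks whether a small set of service ports answer and whether the FTP service accepts an anonymous login. The HTTPS ports listed are assumptions about typical AiCloud and remote-admin setups rather than figures from the article, and the simulated router (a TEST-NET address with ports 21 and 443 open) is constructed so the logic can run offline.

```python
import contextlib
import ftplib
import socket

# Services the article tells readers to switch off unless needed, keyed by the
# TCP port to probe. 21 is standard FTP; the HTTPS ports are assumptions about
# typical AiCloud / remote-admin configurations, not figures from the article.
WATCHED_PORTS = {
    21: "FTP server",
    443: "AiCloud HTTPS web access",
    8443: "HTTPS remote administration",
}


def port_is_open(host, port, timeout=3.0, connect=socket.create_connection):
    """TCP connect check. `connect` is injectable so the logic runs offline."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def anonymous_ftp_login_succeeds(host, timeout=5.0, ftp_factory=ftplib.FTP):
    """True when the FTP service lets an anonymous user in and list the root,
    which is what typing ftp://<wan ip> into a browser exercises."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, 21, timeout=timeout)
        ftp.login()   # no arguments = anonymous login
        ftp.nlst()    # the listing must work, not just the greeting
        ftp.quit()
        return True
    except ftplib.all_errors:
        return False


def assess(open_ports, anonymous_ftp):
    """Pure function: raw probe results -> human-readable findings."""
    findings = []
    for port in sorted(open_ports):
        if port in WATCHED_PORTS:
            findings.append(
                "port %d (%s) answers from the Internet; turn it off if unused"
                % (port, WATCHED_PORTS[port]))
    if anonymous_ftp:
        findings.append(
            "FTP accepts anonymous login: attached USB storage is readable by anyone")
    return findings


def audit(host, connect=socket.create_connection, ftp_factory=ftplib.FTP):
    """Run every probe against one host: your own router's WAN address."""
    open_ports = {p for p in WATCHED_PORTS if port_is_open(host, p, connect=connect)}
    anon = 21 in open_ports and anonymous_ftp_login_succeeds(host, ftp_factory=ftp_factory)
    return assess(open_ports, anon)


# --- constructed offline stand-ins for a misconfigured router (TEST-NET-2 address) ---
SIMULATED_HOST = "198.51.100.7"
SIMULATED_OPEN_PORTS = {21, 443}


def simulated_connect(address, timeout=None):
    """Behaves like socket.create_connection for the simulated router only."""
    host, port = address
    if host == SIMULATED_HOST and port in SIMULATED_OPEN_PORTS:
        return contextlib.nullcontext()
    raise ConnectionRefusedError(port)


class SimulatedFTP:
    """Minimal stand-in for ftplib.FTP that accepts anonymous logins."""

    def connect(self, host, port=21, timeout=None):
        if host != SIMULATED_HOST:
            raise ConnectionRefusedError(host)

    def login(self, user="", passwd=""):
        return "230 Login successful."

    def nlst(self):
        return ["photos", "backup"]

    def quit(self):
        return "221 Goodbye."


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else SIMULATED_HOST
    if target == SIMULATED_HOST:
        findings = audit(target, connect=simulated_connect, ftp_factory=SimulatedFTP)
    else:
        findings = audit(target)  # real probes against the address you pass in
    print("\n".join(findings) or "nothing exposed among the watched services")
```

Run it with no arguments to see the findings for the simulated router, or with your own WAN address from a connection outside your LAN (a phone on mobile data, as the blogger did), since a probe from inside the network says nothing about what the Internet can reach. An empty result only means these particular services are closed; apply the firmware update regardless.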
Promoted Comments
- Ars Praefectus:
Heh, reminds me of what my friends and I used to do when the whole Back Orifice thing was going around -- we used to troll the 'net for any infected computers with BO running on them, go in and drop a text file on the user's Desktop stating pretty much the same thing as what these guys are doing. "You're infected, your computer is wide open, here's how to fix it."
- Smack-Fu Master, in training:
%&^*ing hell. I got hit apparently. I thought I had disabled all of that crap to begin with. You know, if you're going to sell a router at $230 retail (price when I bought it), you'd better secure the f-ing thing pretty well. I expect to get what I pay for, and that much money for a consumer router had better get me some decently designed firmware with decent security in place. Who the hell puts in place an FTP server as a default thing turned on, on a consumer router?
Admittedly, I should probably be updating my firmware a bit more frequently, but c'mon.
- Smack-Fu Master, in training et Subscriptor:
Quanticles wrote: "Just to clarify - this vulnerability is only for drives connected via USB to the ASUS router itself? So a computer on the network isn't going to be compromised by this? I don't have any USB drives."
Actually, I don't think this article mentioned it, but they also leaked the password for AiCloud for some of the IP addresses. So if you were using AI Cloud (SMB tunnel essentially, or windows file share) you are screwed. I actually got hit by this bug. Some dude emailed me telling me that he could see all my stuff. I'm thankful he did, but he somehow got my work email address which is a bit worrisome. Nothing you can really do about it though. What's done is done.
Luckily I didn't really keep anything important there. I was using windows file history so it was just copying stuff from my desktop to this backup; and I don't really store anything important in any of the folders windows file history covers by default.
I think they introduced this in a newer firmware, I could have sworn I port scanned myself to check for stealth and nothing came back. I since have factory reset the router. That setting is enabled by DEFAULT. Absolutely crazy. I was a huge Asus fan, I'm not sure how I feel about them anymore.