There I was, minding my own business, when I came across this article in ArsTechnica: “Dear Asus router user: You’ve been pwned, thanks to easily exploited flaw”. I read on avidly, because, well, I have an Asus router, an RT-N66U to be precise and the subject of this article.
It seems that some hacker had taken advantage of a security flaw in Asus routers, first described – wait for it – 8 months ago. The report on that flaw is pretty scary security-wise: access to attached external drives – the RT-N66U has the capability to attach two USB external drives that can be made to function as private cloud storage (Asus calls this AiCloud), wide open FTP, ability to use UPnP commands remotely, etc. Then a couple of weeks ago someone posted to pastebin a set of 13,000 IP addresses, at the end of each being an Asus router ready for exploitation. (I’ll note that my IP address is not one of them; I’ll explain why in a moment.) The hacker had merely (!) accessed these router-connected external hard drives, leaving a text file that warned the owners they’d been hacked.
The ArsTechnica article also pointed out that Asus had just published a firmware upgrade for the RT-N66U et al a couple of weeks ago that purportedly fixed these security flaws. Before I did anything else, I patched my router to the latest firmware version, and then continued my investigation.
One of the points here I think is that we’ve become inured to operating system updates. Maybe inured is the wrong word; accustomed, perhaps. We know that Microsoft and Apple will regularly release a set of patches to the OS on our PCs and laptops and that there’s a continually-running service that will alert us to the latest ones. It’s easy to just download and apply the update once a month, and we have a reasonable expectation that, if we don’t do anything bloody stupid in our browsers or email readers, we will be safe from the majority of nasty hacks by doing so. But our routers? The Asus RT-N66U is a great router, but there’s no facility for it to automatically go and check for updates. There’s no way (that I could see) to register with Asus to be emailed if a new firmware update is available. I heard nothing about these flaws, nor the update, until I read this article in ArsTechnica. And I consider myself to be passably au fait with what’s going on in the technical computer world – it’s my day job after all – so who knows what will happen to the regular Joe, the man in the street who has such a router. It’s hard enough to get them to install updates for their OS; how on earth can we get them to update their router?
The web GUI for the RT-N66U has a page for completing firmware updates and has a Check button, so in theory it should be easy enough to make sure you have the latest firmware.
I clicked it, and it went off to check with the Asus site and warned me that there was a later version to install. Install away, I said, which it seemed to do, but after rebooting the firmware seemed stuck at 3.0.0.4.374_979 instead of showing 3.0.0.4.374_4422 as it should have. So I downloaded the latest firmware update from the Asus download page and then used the other part of that panel: I browsed to the unzipped update file I’d downloaded from their site and then clicked Upload. This time the update seemed to “take” and the firmware was properly patched. It wasn’t difficult, certainly, but it’s harder than it should be.
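The lesson from that failed first attempt is that “I clicked Install” is not the same as “the router is patched”: you have to read the version string back after the reboot and compare it, numerically, with the version you expected. The following is an added example (not code from the original post, and nothing to do with Asus’s own firmware tooling) that does that comparison. It assumes the version format Asus prints for the RT-N66U, a dotted release prefix plus a build number after an underscore or final dot (e.g. 3.0.0.4.374_4422); the version values used are constructed sample inputs in that format. Note the trap it avoids: compared as strings, a build of 979 sorts *after* 4422, so a naive check would report the stale firmware as newer.

```python
import re

# Assumed Asus firmware version layout, e.g. "3.0.0.4.374_4422":
# a dotted release prefix and a build number after "_" (some listings
# use a final "." instead of the underscore). This is an assumption
# about the format, not an Asus specification.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)[._](\d+)$")


def parse_version(s):
    """Turn a version string into a tuple of ints so that Python's
    tuple comparison orders releases and builds numerically."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    release, build = m.groups()
    return tuple(int(part) for part in release.split(".")) + (int(build),)


def is_outdated(installed, latest):
    """True if the installed firmware is older than the published one."""
    return parse_version(installed) < parse_version(latest)


def verify_update(before, after, expected):
    """Classify what actually happened to the router after an update
    attempt, given the version read before, the version read after the
    reboot, and the version the vendor says you should now be running."""
    v_before = parse_version(before)
    v_after = parse_version(after)
    v_expected = parse_version(expected)
    if v_after == v_expected:
        return "updated"
    if v_after == v_before:
        return "unchanged"      # the GUI said it installed, but nothing changed
    if v_after < v_before:
        return "downgraded"     # worth investigating: wrong image uploaded?
    return "unexpected"         # newer than before, but not the build you asked for


if __name__ == "__main__":
    # Constructed sample values in the assumed format.
    stale, fixed = "3.0.0.4.374_979", "3.0.0.4.374_4422"
    print("string compare says stale is newer:", stale > fixed)
    print("numeric compare says stale is outdated:", is_outdated(stale, fixed))
    print("after first attempt:", verify_update(stale, stale, fixed))
    print("after manual upload:", verify_update(stale, fixed, fixed))
```

Run it after every firmware attempt with the version string copied from the router’s status page; anything other than “updated” means the job is not done, however reassuring the web GUI looked.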
The main point I am making is that routers are assumed to be appliances and that they rarely, if ever, need to be updated. Yet they are connected to the internet – in fact, they are the entry point for an external hacker trying to get onto your home network and into your PCs. Routers have to be rock-solid. They usually use some form of Linux as their OS and, as such, should be able to update themselves by downloading and applying patches automatically (well, all right, perhaps the patch application could be done manually). I shouldn’t have to read – by accident – some news article that says things like “security flaw discovered 8 months ago”, and “list of vulnerable IP addresses”, and “hacked by leaving a text file saying, watch out”, or “patch was published two weeks ago”. Brrr.
One reason my particular IP address wasn’t discovered, or I wasn’t hacked, is that I have two routers: the ActionTec DSL modem that CenturyLink insist I use, and the Asus behind it.
This is the configuration I have at home with the ActionTec as the entry point, but with the Asus providing all the router capabilities I need. Except this configuration only solves this particular problem. The ActionTec firmware has never been upgraded as far as I can tell, so I can’t wait for some security researcher to find a massive flaw in the modem that the majority of CenturyLink customers use…
(Another possible reason for not being hacked is that I had AiCloud turned off and the FTP port traffic is not passed through by the ActionTec. You know: reduce the area of your attack surface.)
I am now going to set myself a recurring appointment in Outlook to check my Asus firmware every couple of weeks. I will not be caught out again.