Categories: Hacking

Asus router users still vulnerable to remote hacking

Asus routers are still vulnerable to remote hacking months after the disclosure of a flaw that lets attackers access any drive connected to the device.

Ars Technica's security section reported that hackers are exposing the eight-month-old weakness in Asus routers by leaving a message on victims' drives. An Ars reader found a strange text file while browsing the contents of his external hard drive; the note advised him that he had been hacked thanks to a critical flaw in the Asus router he used to share the drive on his network.

“This is an automated message being sent out to everyone effected [sic]. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt,” states the note in the text file.

The problem is not isolated: many other users have found the same message on their drives. The hackers exploited the vulnerability in the Asus routers to gain full access to the contents of the attached hard drives.

A few weeks ago a list of 13,000 IP addresses of vulnerable Asus routers was published on Pastebin, together with a torrent link to more than 10,000 complete or partial listings of the files stored on the Asus-connected hard drives.

The flaw affecting the Asus routers was discovered eight months ago: attackers have the “ability to traverse to any external storage plugged in through the USB ports on the back of the router.” The disconcerting aspect of the story is that the researcher, Kyle Lovett, decided to publicly disclose the vulnerability only after privately contacting Asus and being told that the reported behavior “was not an issue.”

Below is the list of vulnerable Asus routers:

  • RT-AC66R   Dual-Band Wireless-AC1750 Gigabit Router
  • RT-AC66U   Dual-Band Wireless-AC1750 Gigabit Router
  • RT-N66R     Dual-Band Wireless-N900 Gigabit Router with 4-Port Ethernet Switch
  • RT-N66U     Dual-Band Wireless-N900 Gigabit Router
  • RT-AC56U   Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N56R     Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N56U     Dual-Band Wireless-AC1200 Gigabit Router
  • RT-N14U     Wireless-N300 Cloud Router
  • RT-N16       Wireless-N300 Gigabit Router
  • RT-N16R     Wireless-N300 Gigabit Router

I suggest reading Kyle Lovett's second post on the subject, which includes many details on the flaw.

“Vulnerabilities – Due in large part to an exposed $root share on the NVRAM for Samba service, which was discovered in March of this year by another researcher, on almost all of the above models that have enabled AiCloud service, the end users will find themselves exposed to multiple methods of attack and several dangerous remote exploits. Since authentication can be simply bypassed on those units running HTTPS WebDav via directory traversal, access to all files which control services on either side of the router are wide open to remote manipulation. All pem and key files are also openly available.”

Asus declared that it had fixed the vulnerabilities in the RT-N66U, RT-N66R and RT-N66W routers, but the attack suffered by the Ars reader demonstrates that vulnerable Asus routers are still in use.

“Needless to say, I am pissed,” the victim told Ars. “It was my belief that I had all of these options turned off. I definitely have never used AiCloud or had it enabled. In fact, the only thing I’ve ever enabled myself is the Samba share. However, the Asus menu is very unclear about what is being shared and with whom.”

I believe the issue is really serious: an attacker with write access to the drive could plant malicious content or illegal files on the victim's storage, with non-negligible legal implications for the owner.

It's not a good period for network device manufacturers. This morning I published the news of the public disclosure of an exploit for Linksys routers, and a few weeks ago I reported the large-scale attacks observed in Poland, where the Polish Computer Emergency Response Team documented a series of attacks in which cybercriminals hacked into home routers and changed their DNS settings so they could conduct MITM attacks on online banking connections. According to the Polish IT security outfit Niebezpiecznik.pl, the attackers probably exploited a flaw in the ZyNOS router firmware created by ZyXEL Communications and used in many router models from other manufacturers, including TP-Link, ZTE, D-Link and AirLive.

Check the settings of your router and carefully update its firmware according to the instructions provided by the manufacturer. In the Asus case, that means verifying from the USB application and AiCloud pages that AiCloud and WAN-side access to the attached storage (Samba, FTP, WebDAV) are really disabled unless you need them, and applying the fixed firmware where Asus has released one for your model.
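As an added example (not code from the article, from Ars or from Asus), the following Python script performs the kind of outside-in check a reader could run against their own public IP from a host outside the home network: it tests whether the ports used by the router's storage-sharing features answer from the WAN side, and whether the HTTPS front end advertises WebDAV in its response to an OPTIONS request, which is the surface Lovett's post describes. The port-to-service mapping, the `local_listener` helper used for offline testing and the placeholder address 192.0.2.1 are assumptions; the script does not attempt the directory-traversal bypass itself, reachability alone is the finding.

```python
"""Outside-in exposure check for a home router's storage-sharing services.

Added example; not from the original article or from Asus. Run from a host
on the Internet side of the router (a VPS, a phone on mobile data):

    python3 exposure_check.py <your public IP>
"""
import http.client
import socket
import ssl
import sys

# Assumed mapping of ports to the services named in the article. It is not
# Asus documentation: adjust it if your router uses non-default ports.
SERVICE_PORTS = {
    443: "HTTPS (AiCloud WebDAV front end)",
    445: "SMB (Samba share)",
    139: "NetBIOS session (Samba share)",
    21: "FTP share",
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def webdav_options(host, port=443, timeout=3.0):
    """Send an HTTP OPTIONS request over TLS and return the response headers
    as a dict with lower-cased names, or None if nothing HTTP-like answered.
    Certificate verification is disabled on purpose: consumer routers ship
    self-signed certificates and we only read headers, we do not trust them."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("OPTIONS", "/", headers={"Host": host, "User-Agent": "exposure-check"})
        resp = conn.getresponse()
        return {name.lower(): value for name, value in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def parse_dav_header(headers):
    """Return the WebDAV compliance classes advertised in a 'DAV:' header
    (e.g. '1, 2' -> ['1', '2']); an empty list means the server is not WebDAV."""
    if not headers or "dav" not in headers:
        return []
    return [cls.strip() for cls in headers["dav"].split(",") if cls.strip()]


def assess(open_ports, dav_classes):
    """Turn raw observations into findings. Any storage-sharing port reachable
    from the WAN side is a finding; a WebDAV answer on the HTTPS front end is
    the one that matches the AiCloud exposure described in the article."""
    findings = []
    for port in sorted(open_ports):
        if port in SERVICE_PORTS:
            findings.append(f"port {port} ({SERVICE_PORTS[port]}) reachable from the WAN side")
    if dav_classes:
        findings.append(
            "HTTPS front end advertises WebDAV classes "
            f"{', '.join(dav_classes)}: remote file access is exposed"
        )
    return findings


def check_router(host):
    """Probe every service port, then ask the HTTPS port whether it speaks WebDAV."""
    open_ports = {port for port in SERVICE_PORTS if tcp_open(host, port)}
    dav = parse_dav_header(webdav_options(host)) if 443 in open_ports else []
    return assess(open_ports, dav)


def local_listener():
    """Offline test aid: open a listening socket on 127.0.0.1 and return
    (socket, port). It stands in for an exposed router port; close it after use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # RFC 5737 placeholder
    for line in check_router(target) or ["no storage-sharing service reachable"]:
        print(line)
```

A clean result is no findings at all. Any reachable port is worth turning off in the router's USB application or AiCloud settings, and a `DAV:` header on 443 is precisely the case this article is about. The check is deliberately run from outside the LAN because the router's own menus may report a service as disabled while it still answers on the WAN side, which is the complaint of the Ars reader quoted above.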

Pierluigi Paganini

(Security Affairs –  Asus routers, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
