Asus AiCloud routers accused of poor security

Asus AiCloud routers accused of poor security

Asus routers with the AiCloud service have been accused of numerous security failings by researcher Kyle Lovett.

A security research has released details of flaws in Asus' AiCloud service, bundled with selected models of router, which are claimed to allow 'multiple methods of attack and several dangerous remote exploits.'

In a home network, the router is the first - and, oftentimes, the last - line of defence. Unless manually modified, or programmatically modified via the Universal Plug 'n Play (UPnP) protocol, a router using Network Address Translation (NAT) ensures that no internal systems are directly accessible from the internet. The router itself, naturally, is directly accessible - and this is why it is important for manufacturers to ensure they have locked their devices down as much as possible.

Asus, it is claimed, hasn't been careful enough in the development of its personal cloud service AiCloud. According to security researcher Kyle Lovett, all AiCloud enabled firmware versions for Asus' various routers - comprising the RT-AC66R, AT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16 and RT-N16R - have numerous vulnerabilities that can allow for disclosure of supposedly private files or even remote code execution directly on the router in order to compromise the entire network.

Lovett has gone public with his findings, posting to the popular BugTraq mailing list, following what he claims is poor handling of the issue from Asus. 'In June I released a partial disclosure for just the RT-N66U on the issue of directory traversal. I have only heard back from Asus twice on the issue, and I understand they are working on a fix,' writes Lovett. 'However, no serious attempt to our knowledge has been made to warn their customers in the meantime, even after multiple requests from several different security professionals.

'Nor has Asus posted a disclosure of these serious issues to new potential customers on their AiCloud web adverts, since they still advertise the product as an add-on with these routers as a safe and bug free home cloud solution,
' Lovett adds.

The vulnerabilities in the routers, all of which run on a Linux port based on the outdated 2.6 kernel tree, open up the potential for serious security issues. Lovett claims that the problems range from allowing external users unauthenticated read and write access to all files and folders shared via the AiCloud service, access to a clear-text credentials file containing plain-text usernames and passwords with no encryption, the ability to switch on point-to-point tunnelling protocol (PPTP) without user knowledge, and the ability to gain remote SSH access to the router and run any code of the attacker's choosing.

Lovett's recommendations for those affected by the flaw, pending the release of fixed firmware files from Asus, is to disable all UPnP services, all three AiCloud items, disable remote access to the router's settings page, change the default username and password, and if the AiCloud service has been in active use to change the password to that as well.

Asus has not yet responded to a request for comment on Lovett's claims.


Discuss in the forums Reply
proxess 15th July 2013, 11:31 Quote
The only true reason to get some of these is DD-WRT.
PCBuilderSven 15th July 2013, 22:21 Quote
Originally Posted by Article
change the default username nad password

I believe that should be "and", not "nad" :)
Gareth Halfacree 16th July 2013, 07:53 Quote
Originally Posted by PCBuilderSven
I believe that should be "and", not "nad" :)
Fixed - ta!
Bindibadgi 17th July 2013, 03:40 Quote
An update has already been issued already on 16th and our US team should be reaching out to Mr. Lovett to ensure all areas he's identified are fixed. AiCloud is an important step for us so our networking dept. takes its security very seriously.
MoldyOldyGeek 2nd March 2016, 20:17 Quote
Originally Posted by proxess
The only true reason to get some of these is DD-WRT.

That certainly was the main reason for me. My RT-N66U is a very nice router IMO. I noticed they're now selling new for $101. Not a bad deal for a quality, dual band, gigabit, DD-WRT compatible router. (IMHO)
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.

Discuss in the forums