bit-tech.net

Asus responds to AiCloud security criticisms


Asus has defended its response to Kyle Lovett's AiCloud vulnerability disclosure, claiming it does its utmost to protect customers.

Asus has responded to claims that its recent-model routers are insecure, following the release of updates to all affected models that closed vulnerabilities in its AiCloud service.

The company's routers were accused of running in an extremely insecure state by security researcher Kyle Lovett, who discovered flaws in the AiCloud service that allowed attackers to gain access to supposedly private files or even execute remote code directly on the router. When a router is the first - and, in many cases, last - line of defence for a home or small office network, that's a serious problem.

Lovett chose to go public with his findings following what he claimed was a lack of urgency on the part of Asus' security team. 'No serious attempt to our knowledge has been made to warn their customers in the meantime, even after multiple requests from several different security professionals,' Lovett wrote earlier this month. 'Nor has Asus posted a disclosure of these serious issues to new potential customers on their AiCloud web adverts, since they still advertise the product as an add-on with these routers as a safe and bug free home cloud solution.'

Days after Lovett released his findings to the BugTraq security mailing list, Asus responded with the release of patches for its most popular router models - a release cycle that has seen all AiCloud-enabled routers now updated with security fixes that solve the flaws highlighted by the researcher.

In doing so, the company has denied ignoring Lovett's claims. 'Actually, we reacted straight after we received this issue, and based on the structure of ASUSWRT [the router's custom Linux-based operating system] we could find and modify all models in just a few days,' Sonam Lama, an Asus field engineer, has told us. 'If we did ignore, no action would have been taken.'

The company also denies leaving its customers in the dark regarding the flaws in AiCloud, as claimed by Lovett. 'We have firmware upgrade notifications on both our iOS and Android [AiCloud] app,' explained Lama. 'For firmware, we have a live update mechanism on all models supporting AiCloud - and for the RT-N56U, we have an upgrade notification on the firmware page to inform our users to upgrade their firmware immediately.'

Lovett has, however, pointed the finger at a larger problem - and one not just related to Asus routers. 'Asus, Linksys, D-Link and Western Digital, among others, have strived for the all-in-one box,' he told us in an email interview following his disclosure. 'You name it, they stuffed it in there. If they are going to stuff 20 services into one box, they need to begin to separate the services from accessing the same kernel, unless they re-engineer the basic function and design of the home router.'

Lovett is particularly scathing of Universal Plug and Play (UPnP), a feature of modern networking devices designed to make the sharing of media files simpler. In routers, it is often used by client applications to poke a hole in the Network Address Translation (NAT) layer so that devices outside the network can communicate directly with an internal device. Sadly, many UPnP implementations are badly secured, Lovett claims, pointing to research he has published and that of other security researchers.

'Until manufacturers can prove that UPnP/DLNA can be made and used safely, in my opinion, there are other options an end user can do to support their need for sharing and media streaming that won't compromise the integrity of their router. UPnP Forum will hate me for saying this, but in my opinion, they should shut it off. By design it is unfit to be accessed from the WAN.'

It's an issue Asus doesn't directly argue. 'The UPnP protocol is convenient for lots of multimedia play scenarios, however it does have disadvantages,' Lama admitted. 'That's why we have an option in firmware for our customers to enable or disable [UPnP].'
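To make concrete what 'poking a hole in NAT' means, here is an added example (not from the article, Asus or Lovett) that parses a router's reply to the standard IGD GetGenericPortMappingEntry action and lists the mappings any internet host can reach - the holes a home user auditing UPnP would want to review. The SOAP reply is constructed; fetching it from a live router (SSDP discovery plus an HTTP POST to the WANIPConnection control URL) is left out.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    enabled: bool
    lease_seconds: int   # 0 means the hole never expires on its own
    remote_host: str     # empty means any address on the internet may use it

def parse_mapping_response(xml: str) -> PortMapping:
    """Read one GetGenericPortMappingEntryResponse (standard IGD WANIPConnection action)."""
    def field(name: str) -> str:
        m = re.search(r"<%s>(.*?)</%s>" % (name, name), xml, re.S)
        return m.group(1).strip() if m else ""
    return PortMapping(
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol"),
        internal_client=field("NewInternalClient"),
        internal_port=int(field("NewInternalPort")),
        enabled=field("NewEnabled") == "1",
        lease_seconds=int(field("NewLeaseDuration") or "0"),
        remote_host=field("NewRemoteHost"),
    )

def wan_open_holes(mappings: List[PortMapping]) -> List[PortMapping]:
    """Active mappings reachable from every WAN address: the holes a defender should review."""
    return [m for m in mappings if m.enabled and m.remote_host == ""]

def describe(m: PortMapping) -> str:
    return "WAN *:%d/%s -> %s:%d (lease %ds)" % (
        m.external_port, m.protocol, m.internal_client, m.internal_port, m.lease_seconds)

# Constructed reply for mapping index 0 (not captured from a real router).
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8200</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>8200</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>media server</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
if __name__ == "__main__":
    for hole in wan_open_holes([parse_mapping_response(SAMPLE_RESPONSE)]):
        print(describe(hole))
```

A router returns one such entry per index until it answers with a SOAP fault, so a full audit loops over the index until that happens.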

As for Lovett's criticisms - in which he claims a response from Asus only came after he had made the vulnerability public - Asus claims to be working on being a proactive protector of its users too. 'All software developers are seeking better security, we are not the exception,' explained Lama. 'These steps are the way we do [this]: regularly update firmware, also notify our users to upgrade both in firmware page and apps; options for customers to enable/disable remote administration; options for customers to enable/disable file sharing features; implement HTTPS protocol to all cloud features; implement latest firewall technologies for all our routers; notify the security level of user's router; implement feedback function in apps for customers to feedback security issues immediately.'

As for staying safe, Lama has some simple advice for Asus customers - and, for that matter, anyone with a home network, regardless of hardware vendor: 'Upgrade firmware regularly. Best not to use firmware from unknown providers, only use firmware from manufacturers. Use higher security level of WiFi encryption (WPA2), and also [change] all administration passwords.'

If you use an Asus router, particularly one of the ones highlighted in Lovett's vulnerability disclosure, we'd recommend taking Lama's first piece of advice to heart right now and updating your firmware to receive the AiCloud bugfixes.

4 Comments

faugusztin 30th July 2013, 10:16 Quote
Quote:
we have an upgrade notification on the firmware page to inform our users to upgrade their firmware immediately

To be honest, this doesn't work for me. I had RT-N66U on 3.0.0.4.260 firmware, did press Check to check for newer firmware, says "it's on the latest version". Checking download page, and I see that the current non-beta firmware version is 3.0.0.4.372.1393. So the notification doesn't really work :D.
r3loaded 30th July 2013, 11:18 Quote
Quote:
Originally Posted by faugusztin
To be honest, this doesn't work for me. I had RT-N66U on 3.0.0.4.260 firmware, did press Check to check for newer firmware, says "it's on the latest version". Checking download page, and I see that the current non-beta firmware version is 3.0.0.4.372.1393. So the notification doesn't really work :D.
Exactly the opposite for me, I had an update ready for my RT-AC66U very soon after this story broke. Asus tend to be quite regular with firmware updates, and Merlin's customisations means that I have no need to switch to DD-WRT.
ffjason 30th July 2013, 22:07 Quote
Quote:
Originally Posted by r3loaded
Quote:
Originally Posted by faugusztin
To be honest, this doesn't work for me. I had RT-N66U on 3.0.0.4.260 firmware, did press Check to check for newer firmware, says "it's on the latest version". Checking download page, and I see that the current non-beta firmware version is 3.0.0.4.372.1393. So the notification doesn't really work :D.
Exactly the opposite for me, I had an update ready for my RT-AC66U very soon after this story broke. Asus tend to be quite regular with firmware updates, and Merlin's customisations means that I have no need to switch to DD-WRT.

That would be because ASUS work closely with DD-WRT & OpenWRT to create their firmware from what I hear. In fact the original ASUS router shipped with DD-WRT firmware included ;)
r3loaded 1st August 2013, 09:37 Quote
Ah that would explain a lot! Tbh, I think these open source router firmwares are so good that others should just follow Asus's lead and build off them too.