Tough Questions for ASUS
Posted: Saturday May 31, 2025
Author: Jason Garbis
Exploring why their flawed router design decisions have led directly to the current active exploit campaign.
Note: I dislike criticizing specific vendors in my writing; having worked for software vendors in engineering and product management roles for nearly 30 years I deeply empathize with the technology and resource challenges that vendors face. However, this scenario presents such a clear example of security design failures that it warrants calling ASUS out specifically.
The latest system compromise reported over the past few days involves ASUS routers with persistent malware implants. The team at GreyNoise has done an excellent job researching and documenting this campaign, responsibly disclosing this with ASUS before publishing their blog article.
This exploit takes advantage of design flaws and zero days in certain models of ASUS consumer home routers. GreyNoise states: “Attackers gain access using brute-force login attempts and authentication bypasses, including techniques not assigned CVEs.”
ASUS has released a patch for the authentication bypass vulnerability, but hasn’t made any mention of the brute-force weakness. Their support advisory for this vulnerability states “It is recommended to (1) Disable AiCloud (2) disable any services that can be accessed from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP.” And, “Use different passwords for your wireless network and router-administration page.” (ASUS link)
OK, those are the facts.
Let’s take a look at some objectively clear and credible guidance about how technology products should be designed, based on the “Secure by Design” guide published by CISA in partnership with 13 other national information security agencies. If you haven’t read this document, please do so! (Just don’t attempt to print it out; its beautiful layout and design makes heavy use of white text on dark backgrounds and is murder on your printer ink consumption).
I won’t attempt to summarize the Secure by Design document here, but I do want to point out several key points, including the necessity for systems to have secure default settings, to support basic security features such as MFA, and to alert users if their configuration fails to meet security standards.
Given this, let’s pose our tough questions to ASUS:
? Why would you allow your router to even be configured with the same password for wireless network access and the router administration page?
Given that this is a recommended best practice, it should be enforced by your software.
? Why does your router permit repeated remote authentication attempts, thereby opening the door to the brute force attack method utilized in this scenario?
Best practices and common sense require that you impose limits, with increasing timeouts. To be fair, after some limited testing we do see that the ASUS admin login screen *does* appear to impose a CAPTCHA-style challenge after several failed login attempts. Of course, CAPTCHAs are imperfect, and should not be relied upon. The GreyNoise blog doesn’t say how successful the brute-force attacks were compared to the authentication bypass / zero-day methods. This leads us to the most important question:
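As an added illustration of the two controls argued for above (my own example code, not ASUS firmware or anything from GreyNoise): refusing an admin password that matches the Wi-Fi passphrase, and throttling repeated failed logins from one source with escalating lockouts instead of relying on a CAPTCHA. The class and function names, the threshold of three failures, and the 5-second base delay doubling up to a one-hour cap are all assumptions chosen for the example.

```python
"""Two Secure-by-Design controls for a router admin login, as an illustration:
(1) refuse an admin password that equals the Wi-Fi passphrase,
(2) throttle repeated failed logins per source with escalating lockouts.
Names, thresholds and delays are assumptions, not ASUS's implementation."""
import hmac
import time
from dataclasses import dataclass


def admin_password_problem(admin_pw: str, wifi_psk: str, min_len: int = 12):
    """Return a reason string if the admin password should be rejected, else None."""
    if len(admin_pw) < min_len:
        return f"admin password shorter than {min_len} characters"
    if hmac.compare_digest(admin_pw.encode(), wifi_psk.encode()):
        return "admin password must differ from the Wi-Fi passphrase"
    return None


@dataclass
class _SourceState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """After `threshold` consecutive failures from one source, lock that source
    out for base_delay * 2**(failures - threshold) seconds, capped at max_delay.
    A successful login clears the counter. `clock` is injectable for testing."""

    def __init__(self, threshold: int = 3, base_delay: float = 5.0,
                 max_delay: float = 3600.0, clock=time.monotonic):
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state: dict[str, _SourceState] = {}

    def lockout_seconds(self, failures: int) -> float:
        if failures < self.threshold:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)

    def remaining_lockout(self, source: str) -> float:
        st = self._state.get(source)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def record_failure(self, source: str) -> float:
        st = self._state.setdefault(source, _SourceState())
        st.failures += 1
        delay = self.lockout_seconds(st.failures)
        st.locked_until = self.clock() + delay
        return delay

    def record_success(self, source: str) -> None:
        self._state.pop(source, None)


def attempt_login(throttle, source, supplied, expected):
    """Simulated login endpoint. Returns (status, seconds): 'locked' means the
    request was refused before the password was even checked."""
    wait = throttle.remaining_lockout(source)
    if wait > 0:
        return "locked", wait
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_success(source)
        return "ok", 0.0
    return "failed", throttle.record_failure(source)


class FakeClock:
    """Constructed clock so the lockout schedule can be stepped deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(n_attempts: int):
    """Constructed scenario: one source keeps guessing wrong; after each lockout
    the clock is advanced just past it. Returns the lockout imposed per attempt."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    delays = []
    for i in range(n_attempts):
        _, secs = attempt_login(throttle, "203.0.113.7", f"guess{i}", "correct horse battery")
        delays.append(secs)
        clock.advance(secs)
    return delays


if __name__ == "__main__":
    print(admin_password_problem("sunny-day-2024", "sunny-day-2024"))
    print(simulate_guessing(7))
```

The point of the escalating schedule is that the seventh wrong guess already costs the attacker 80 seconds of waiting and the cap makes sustained guessing from one source impractical, while a legitimate user who mistypes twice sees no delay at all; a real firmware would also key the counter per account, not only per source address, so that distributed guessing is covered.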
? Why does your router allow for remote administrative access across the internet?
Your documentation is unclear as to whether this is allowed by default, but I suspect that it is, given that few home users typically change default settings. A quick search using the internet-scanning search engine Censys finds 720,000 ASUS system login pages publicly exposed. Allowing remote admin access at all is a huge risk factor, and should
a) Be disabled by default, and
b) Be protected by additional security measures, such as MFA or a network hiding mechanism
We believe that a) is not the case, and regarding b) the ASUS manual makes no mention of MFA, so it’s clearly not supported.
Enabling remote access to your admin panel login page is an egregiously bad design decision, and in fact is the root cause of this entire incident. How many of those 720,000 users actually intended for their router’s admin functions to be publicly exposed? Surely it’s minuscule.
The ASUS manual provides zero guidance on this, only providing the most basic description of this setting, stating: “Enable Web Access from WAN: Select Yes to allow devices outside the network to access the wireless router GUI settings. Select No to prevent access.” This is, frankly, useless to the typical home router customer, who likely has a fuzzy understanding of the difference between WAN and LAN, and will probably not even read the manual.
These are wireless home routers; by definition users will be on the wireless network. In fact, it will be more difficult for these users to access the admin GUI over the internet than from the local network. So why enable this by default?
Wrapping up, this is a sad example of either inattention, incompetence, or mistakenly prioritizing “user convenience” over basic security hygiene. Especially with consumer products, vendors have a responsibility to follow the principles of Secure by Design, and to ensure that non-technical users will get a reasonably secure setup by default.
Do some small percentage of users actually need and utilize remote administration for their home routers? Sure. But I posit that this is in the 1% range, and that all those users are entirely capable of making the configuration change to enable this capability.
Vendors need to wake up and rethink their threat models. If your device can be exposed to the internet, you need to recognize that in doing so, you are literally advertising it to every adversary on the planet, and need to quickly and aggressively pivot to a secure by design approach. This is not hard to do — as an industry we have well-proven and sound technology, and reliable processes that you can utilize.
So, vendors, challenge yourselves to do better. It’s the right thing to do, and you can even use this as a marketing differentiator. If you don’t, well, we’ve seen this movie before, and it’s never fun for anyone involved.
