ASUS uses their own Linux distro called ASUSWRT; whenever I've looked at it, it's been, well... interesting from a security perspective, even compared to other WRT OSes.
I did a ton of stuff on the AC series and some of their smaller hardware (like the WL330-NUL which is an awesome little thing but riddled with bugs). The bottom line is that if you have an ASUS, you should expect bugs.
If you're worried about being exploited via your router, making sure you use a dedicated browser to configure a router and have no other web pages open at the time will help against certain classes of bug, as will logging out immediately after you've finished. Making sure that you know what's being forwarded is also useful, as is turning off UPNP.
OpenWRT is a little bit better (but people tend not to update their routers) but has its flaws for various reasons (mostly in the web interface), as do most of the WRTs. If you're really worried, Mikrotiks tend to be better, and very little beats an OpenBSD firewall.
This always boggles my mind. The hardware on those seems decent enough but the software is almost universally utter dog shit. Why these companies treat the software (security as well as UX) side so poorly, considering that this is what the end user sees, is beyond me.
I bought one of those affected routers recently. Since DD-WRT has slower Wifi performance for that model I considered staying with the stock firmware... for about 30 minutes. When configuring device names, I think I used '-' in a name. The Web UI allowed it and saved it. On refresh the JS was all broken because of that character. No device list for me. Flashed it with DD-WRT, never looked back.
Certainly seems that way. I didn't/don't have any mesh routers so I couldn't tell, but I imagine that the Google router thingy is way better software/security wise (privacy being probably a separate discussion in this particular case ;). I've also read some good things about Ubiquiti here.
Anyhow, I keep wondering how many beatings on the security front those companies need to take in order to figure out that, in the current landscape, developing a decent, secure and clean firmware/frontend would give them a big big edge over the competition.
- change the default password
- keep the firmware updated
- disable WPS.
- If possible change the port the web interface is running on (don't use port 80 or 443)
- disable the web interface if you are command line savvy.
- disable wifi access to the web interface (require ethernet)
And document these changes in written form taped to the router. Nothing like a factory reset due to a lost password or obfuscated management port change.
Is it time to get a "grown-up" firewall for my home?
I'm currently using a standard Apple Time Machine as a firewall/router, but with all this crap (crap router software/hack attempts/NSA shenanigans) going on, thinking about putting something more serious in front of it (connected to my broadband modem). Yeah.. I realize I'm sounding paranoid.. ;)
- will the OS continue to be supported down the road (assuming that I upgrade regularly)
- is there a team with a significant history of fixing problems quickly?
- can I set it to automatically download the fixes and tell me it's ready?
- if this one breaks, is it relatively easy to get a new one acting the same way?
- can I back it up easily?
- can it execute a full reboot in less than 30 seconds?
(The last requirement means that you can reboot faster than most TCP sessions will time out, and thus users may not even notice the reboot. In turn, that means you will be content to upgrade and reboot when you feel like doing it, rather than waiting for a time convenient to other people.)
That looks like a very nice box, if a bit expensive. I have been quite happy with my Mikrotik hAP AC[1], I run the dev previews so I get firmware updates pretty much weekly (and at least for my home network, none of them have broken anything, yet...)
1: http://a.co/37wiiiM
I'd hope something like that would last years, and even today 100mbit is lower than many network connections. I try to switch to the Comcast plan that's the best bang per $, and that's currently 200 mbit at my locale. The Ubiquiti seems similar, but has GigE.
Seems expensive and power intensive. For a third of the cost you could get a Ubiquiti; it runs a fork of Vyatta and supports configuration from the command line or web UI.
Even if you have a Gigabit connection, that's a bit overkill. You could handle a gigabit class connection on a product from Mikrotik or Ubiquiti for half the price or less. Both are rock solid and get regular software updates. The co-founder and former project leader of pfSense works at Ubiquiti now.
If you want to run IDS/IPS, though, you'll need something a bit beefier like that linked box.
Routers should run open source software so vulnerabilities can be patched by the community.
Router manufacturers want to push the latest hardware for profit. The only reason router manufacturers want to patch security vulnerabilities is negative press articles. Negative press would hurt future sales, so it's better to patch the current product line. When the current product line is no longer sold, security patches stop, but its users continue to use the device.
This is the reason we need to open source everything.
Looks like anyone using third party firmware (such as https://wiki.openwrt.org/toh/start ) shouldn't be affected by the issues this advisory highlights.
I'd consider it, but I'm generally happy with the Asuswrt-Merlin firmware, and I can't find a resource that describes things like benefit, risks, and functionality I might lose. Is there such a thing?
AFAIK, only the stock and Asuswrt-Merlin firmware builds support Broadcom's proprietary acceleration (ctf.ko). On my RT-N66U, WAN throughput can hit 870 Mbps. Without it, I max out around 170 Mbps.
If there's a way to run OpenWRT / LEDE and get gigabit speeds out of a router, someone please let me know. :)
See the LEDE website; they have some generic introductory propaganda and per-device specifics. TL;DR: customizable Linux distribution with package manager, tons of features and ongoing support. In my experience fewer bugs than vendor firmwares, but I always took care to buy hardware known to work well with it.
This is one thing that pisses me off, more about the FCC, which requested the routers be fully locked down... I used to buy all ASUS, as before the change it was very easy to get third party (Tomato) firmware on them that was updated more regularly.
The 4G-AC55U router is also vulnerable but did not receive a security firmware update (last firmware release was a year ago on 2016-05-20) and is not listed on the page.
If you happen to be running this device you may want to apply precautionary measures.
Why don't routers simply host their admin panels on a separate and secured wireless network that is blocked from the internet? Although it sounds impractical, it would render so many of these CSRF/XSS exploits useless.
Because then the vast majority of users wouldn't know how to use it.
Even if you include instructions, you'll have a huge proportion of users who will either return the device because they couldn't figure it out, or call your support line and make your support overhead skyrocket.
This is probably quite accurate. I doubt more than 20% of the population even KNOWS that their router has a "configuration screen", much less how to access it.
The biggest practical security upgrade for most users was when they started randomizing SSIDs/passwords and printing them on stickers on the back of the router.
That is certainly a legitimate concern. Perhaps disable the internet connection to the client that is operating the admin panel. Pretty impractical and would not work well for malicious JavaScript in memory.
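The "dedicated browser, no other tabs open, log out when you're done" advice earlier in the thread and the separate-network idea in this sub-thread both attack the same thing: a cross-site request that rides on the admin panel's ambient session cookie. The following added example (written for this page, not taken from any router firmware) shows the server-side checks that give the same protection without moving the panel anywhere: an Origin/Referer comparison against the panel's own origin, a per-session synchronizer token, a SameSite=Strict session cookie, and session invalidation on logout. The LAN address in ROUTER_ORIGIN, the `dns_server` form field and the `Request` stand-in are assumptions; the three requests in `demo()` are constructed.

```python
"""Origin and token checks for a router admin endpoint (added illustration,
not code from any real firmware).  ROUTER_ORIGIN and the form field names
are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumed LAN address of the admin panel; a real firmware would derive this
# from its configured LAN IP and management port.
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    sid: str
    csrf_token: str


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: just what the checks need."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str]


def _same_origin(header_value: Optional[str]) -> bool:
    """Compare scheme://host[:port] of an Origin or Referer header with the
    panel's own origin.  A missing header, the literal 'null' and any other
    site all compare unequal and are rejected."""
    if not header_value:
        return False
    parsed = urlparse(header_value)
    return f"{parsed.scheme}://{parsed.netloc}" == ROUTER_ORIGIN


class AdminPanel:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self) -> Session:
        """Issue a session id plus a per-session CSRF token (synchronizer token)."""
        session = Session(sid=secrets.token_urlsafe(16),
                          csrf_token=secrets.token_urlsafe(32))
        self._sessions[session.sid] = session
        return session

    def session_cookie(self, session: Session) -> str:
        """Set-Cookie value.  SameSite=Strict stops the browser attaching the
        cookie to cross-site POSTs at all: the browser-side half of the defence."""
        return f"sid={session.sid}; HttpOnly; SameSite=Strict; Path=/"

    def logout(self, sid: str) -> None:
        """What 'log out when you're done' buys you: a forged request arriving
        later finds no ambient session to ride on."""
        self._sessions.pop(sid, None)

    def authorize_change(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason) for a state-changing admin request."""
        if req.method != "POST":
            return False, "state changes must use POST"
        session = self._sessions.get(req.cookies.get("sid", ""))
        if session is None:
            return False, "no active session"
        # Prefer Origin; fall back to Referer for browsers that omit Origin.
        if not _same_origin(req.headers.get("Origin") or req.headers.get("Referer")):
            return False, "request did not originate from the admin panel"
        if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
            return False, "missing or wrong CSRF token"
        return True, "ok"


def demo() -> Dict[str, bool]:
    """Three constructed requests: a legitimate change, a cross-site forgery
    from an unrelated page open in another tab, and the legitimate request
    replayed after logout."""
    panel = AdminPanel()
    session = panel.login()
    legit = Request("POST", {"Origin": ROUTER_ORIGIN}, {"sid": session.sid},
                    {"csrf_token": session.csrf_token, "dns_server": "192.168.1.1"})
    # A page on another site can get the browser to send the cookie (absent
    # SameSite) but cannot read the token or spoof the Origin header.
    forged = Request("POST", {"Origin": "http://other-site.example"},
                     {"sid": session.sid}, {"dns_server": "203.0.113.5"})
    results = {
        "legitimate": panel.authorize_change(legit)[0],
        "cross_site": panel.authorize_change(forged)[0],
    }
    panel.logout(session.sid)
    results["after_logout"] = panel.authorize_change(legit)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The Origin check alone already defeats the forgery, and the token check covers browsers that send neither Origin nor Referer on some requests; the SameSite cookie attribute is belt-and-braces for browsers that honour it. None of it depends on the user running a separate browser, which is why it is the fix a firmware vendor should ship rather than something to ask users for.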
And REALLY screw up my virtual network switch for VMs... man, recently changed routers, and getting it to see the new router, so I could change the network to match my old router was painful enough... Wouldn't want to have to do that every time I make a configuration change.