"Asusgate" and How I Somehow Avoided It 2014/08/12 by Ami Sapphire This is not too obvious, but this is a late-night rushed text file entry from me. Was going to write something like this ~2 weeks ago, but didn't bother until now. From even the ancient BEFSRx1 v1 and v2 Gozila security exploit (never patched, last firmware exploitable) to D-Link/Asus/Linksys/etc. router exploits (my WRT54Gv8, WRT150N, and D-Link DIR-655 were involved!), I notice that such firmware can be very flawed. But this... THIS was so simple... and stupid. Also, eight months for an FTP 'patch'. However, it also should be another lesson with routers (and other Internet- facing hardware/software especially): Attempt to lock them down as tight as you can, including changing default passwords (seriously, I don't want to see routers using default admin/password combos... D-Link DIR-655 has NO password set by default!!), disabling remote administration, disabling telnet and NOT forwarding port 23 (depending on the router), etc. I only noticed this when I was looking around the router settings for the very first time. -- Security Warnings Go Unheeded Back in June 22, 2013, the first public disclosure was posted by Kyle Lovett, a security researcher. This was a partial disclosure. http://www.securityfocus.com/archive/1/526942 Later in July 14, 2013 (was reposted on July 15, 2013), a second public disclosure was posted by Kyle Lovett due to Asus' response (read: not much), which he felt was unacceptable. Interestingly, it was still practilcally silent, as the responses there are to himself... http://www.securityfocus.com/archive/1/527275 http://seclists.org/bugtraq/2013/Jul/87 -- Winter: Joy During the Storm On December 11, 2013, I carefully researched which router the family needed to replace the heavily abused D-Link DIR-655 RevA2 router + DIR-655 RevB1 router- as-wireless hub setup. At the time, we had AT&T DSL HSI (High-Speed Internet) service. 
Noticed some ASUS RT series routers: N16, N56U, N66U, AC66U, AC68U... yet somehow I didn't pick the AC ones. Ultimately, the RT-N66U was chosen. Bought that router with Bitcoin converted to Amazon gift cards; around $125.

Then, on December 13, 2013, I received the ASUS RT-N66U via UPS. It was a hardware revision B1 RT-N66U! Woot!

Anyway, knowing me, I would nowadays browse through the router navigation before I set it up fully for Internet use, learning from the D-Link RevB setup 'fiasco' in 2012. This is also before I flashed it to the October 2013 firmware update, so the shipping firmware version on this router was 3.0.0.4.276. Okay.

Upon the USB application section, I noticed that FTP was on BY DEFAULT, with ANONYMOUS READ/WRITE PERMISSIONS. My first reaction was 'WTF?', but also, I was already running an FTP server (which at the time was running under Windows XP Home SP3). Immediately turned that off. Thought of the security issues there, especially that FTP is already insecure as it is, due to it originally being a 1970s protocol!

Also (to my recollection), AiDisk (and its brother AiCloud) were on by default as well. Turned them off as well. Sharing my personal data over the (obviously public) World Wide Web is not something I would have wanted. That, and I have already lost data in 2003 (almost everything gone from 1998-2002), well before the WWW got even more accessible, so yeah.

--
No Internet For a While

On February 1, 2014, AT&T shut off the service. It was later found out U-Verse was replacing the old DSL service. Mind you, there was still a winter storm (yes, even two months later). They even had trouble trying to set up U-Verse (weak signal). [insert parents about to crack over having no Internet access, and I, the only sane one in the house...]

Older sis arrived on February 11, 2014 (IIRC), and the one thing I would never forget: "I'm having Internet withdrawal..."
[During all this, IP address ranges were being scanned for vulnerable Asus routers, mainly those responding to port 21. Not sure of mine; will have to look at my FTP server log someday. It is over 100MB in size!]

However, we switched to Comcast cable Internet on February 12, 2014, and after some trickery to keep using our ASUS RT-N66U router behind the shoddy Technicolor TC8305C gateway and having some ports forwarded, I checked to see if there was any newer firmware for the router the next day (the 13th). There was. We were still on the October 2013 firmware, and seeing the list previously, I thought there wasn't going to be any firmware for a while.

Then I read the changelog. I facepalmed. One thing I really noticed: security related to FTP. Really...? I wonder why? /s

For the record, I told Sis and then my older sis (who was visiting at the time) about the security update and flashed the router ASAP. I had no clue how bad it was until a week later...

--
'Asusgate' Happenings

On February 4, 2014, a text file called asusgate.txt circulated the Internet. In it were a few links where you could obtain IP address blocks, and probably some of the people's data, just to prove how bad this was. The Feb. 4 post from /g/ already has a few going through the IP list. [A reminder: I had no home Internet access from February 1 to February 12.]

On February 5, it did make a few rounds on some boards, mainly because /g/ was posting WARNING_YOU_ARE_VULNERABLE.txt files on affected drives connected directly to the routers. This, however, was not enough. Also, Lunar New Year is celebrated during early February in China and Taiwan, meaning businesses are closed during this holiday. Interesting timing.

On February 17, 2014, an ArsTechnica article was published regarding the FTP 'exploit', amongst other things. One victim had the entire contents of their hard drive wiped and replaced with a text file that screamed extortion.
Another (in this case a Harvard law school blogger) had only lost a directory and got the WARNING YOU ARE VULNERABLE text file.

My main thought was: "I wonder if 4chan was somehow involved...?" I didn't even bother to 'investigate' until late July 2014 and just read the reader comments. Oh, how right I (mainly) was...

--
4chan /g/ and Curiosity (and possibly Boredom and Amusement)

July 2014. Finally found the archived threads regarding the Asus exploit. They were dated February 18, 2014. Warning, these threads are LONG.

Users of these routers unwittingly shared mostly personal files over anonymous read/write FTP and AiDisk. 4chan /g/ managed to grab people's files, some wiped drives, some added files to people's drives, some /g/ members posted warning text files in drives... also, they were browsing through various IPs listed in a pastebin post. This was possibly petabytes of data that was unwittingly shared!

They found quite a bit, too:
- various password lists
- tax return forms (though old, but remember that SSNs are listed on them!)
- credit card list with CVV2 and everything (though one list was expired)
- bank statements (Seriously.)
- porn collections (4chan /g/ even ran into some they shouldn't ever run into...)
- personal photos and videos (No surprise that /g/ would possibly grab some of those files...)
- music collections (in one instance a /g/ member deleted one and created a new folder named 'Your music was always shit.')
- some webcam 'stream'. This one was a bit odd.
- various pirated shows (some /g/ member deleted some)
- family photos and kid photos (some /g/ members actually deleted those, unfortunately for them. Probably thought they would unleash those on Facebook or something... This was not always the case, though, /g/!)
- cryptocoin wallet.dat files (Bitcoin, Litecoin, etc. IIRC, someone did find one!)
- résumé documents
...amongst others.

It was more disturbing overall, but the /g/ comments made it somewhat amusing.
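Everything the /g/ threads describe (anonymous logins, downloads, uploads of the warning file, deletions) is exactly what an FTP server's own log records, and the 100MB log mentioned earlier in this entry is the kind of file worth going through. What follows is an added example, not code from the original post. It is a small Python triage script that reads vsftpd-style log lines and summarises anonymous activity per source address, separating LAN sources from outside ones. The author's server ran on Windows and its log layout is not shown, so the line format here follows vsftpd's; the sample lines are constructed, the outside addresses come from the RFC 5737 documentation ranges, the 'ami' account is hypothetical, and the severity ordering is this example's own choice.

```python
"""Triage of anonymous FTP activity from vsftpd-style log lines (added example)."""
import ipaddress
import re

# RFC 1918 ranges plus loopback; any other source counts as "outside the LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (not a real capture). Outside addresses are from the
# RFC 5737 documentation ranges; 192.168.1.10 is a LAN host; 'ami' is a
# hypothetical authenticated account. The last line is deliberately malformed.
SAMPLE_LOG = """\
Thu Feb  6 03:12:45 2014 [pid 2] [anonymous] OK LOGIN: Client "203.0.113.45"
Thu Feb  6 03:12:50 2014 [pid 2] [anonymous] OK DOWNLOAD: Client "203.0.113.45", "/docs/old_tax_return.pdf", 88120 bytes, 40.20Kbyte/sec
Thu Feb  6 03:12:58 2014 [pid 2] [anonymous] OK UPLOAD: Client "203.0.113.45", "/WARNING_YOU_ARE_VULNERABLE.txt", 1200 bytes, 3.05Kbyte/sec
Thu Feb  6 03:13:10 2014 [pid 3] [ami] OK LOGIN: Client "192.168.1.10"
Thu Feb  6 03:13:20 2014 [pid 3] [ami] OK UPLOAD: Client "192.168.1.10", "/photos/2014-02-05.jpg", 2048000 bytes, 1200.00Kbyte/sec
Thu Feb  6 03:14:00 2014 [pid 4] [anonymous] FAIL LOGIN: Client "198.51.100.7"
Thu Feb  6 03:14:05 2014 [pid 4] [anonymous] OK LOGIN: Client "198.51.100.7"
Thu Feb  6 03:14:30 2014 [pid 4] [anonymous] OK DELETE: Client "198.51.100.7", "/music/album01/track01.mp3"
Thu Feb  6 03:15:22 2014 [pid 5] [anonymous] OK LOGIN: Client "192.168.1.10"
Thu Feb  6 03:16:00 2014 [pid 6] [anonymous] OK LOGIN: Client "203.0.113.9"
Thu Feb  6 03:16:04 2014 [pid 6] [anonymous] OK DOWNLOAD: Client "203.0.113.9", "/docs/resume.docx", 51200 bytes, 25.00Kbyte/sec
Thu Feb  6 03:17:40 2014 [pid 7] [anonymous] FAIL LOGIN: Client "198.51.100.200"
this line is not in the expected layout and is skipped
"""

# vsftpd layout: timestamp [pid N] [user] OK|FAIL ACTION: Client "ip"[, "path", ...]
LINE_RE = re.compile(
    r'^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?')


def is_lan(ip_text):
    """True for RFC 1918/loopback sources, i.e. traffic that never crossed the WAN."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LAN_NETS)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(summary):
    """Triage level for one client address (the ordering is this example's own choice)."""
    if not summary["lan"] and (summary["writes"] or summary["deletes"]):
        return "critical"   # an outside party changed data on the share
    if not summary["lan"] and summary["ok_logins"]:
        return "high"       # an outside party could read everything the share exposes
    if summary["ok_logins"]:
        return "medium"     # anonymous access worked, but only from inside the LAN
    return "low"            # only failed anonymous attempts


def triage(lines):
    """Summarise anonymous FTP sessions per client address from an iterable of log lines."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != "anonymous":
            continue  # unparseable lines and authenticated users are out of scope here
        s = per_ip.setdefault(rec["ip"], {
            "lan": is_lan(rec["ip"]), "ok_logins": 0, "failed_logins": 0,
            "downloads": 0, "writes": [], "deletes": []})
        if rec["action"] == "LOGIN":
            s["ok_logins" if rec["status"] == "OK" else "failed_logins"] += 1
        elif rec["status"] != "OK":
            continue  # a failed transfer moved no data
        elif rec["action"] == "DOWNLOAD":
            s["downloads"] += 1
        elif rec["action"] in ("UPLOAD", "MKDIR"):
            s["writes"].append(rec["path"])
        elif rec["action"] in ("DELETE", "RMDIR"):
            s["deletes"].append(rec["path"])
    for s in per_ip.values():
        s["level"] = classify(s)
    return per_ip


LEVEL_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def report(summaries):
    """(level, ip) pairs, worst first, for a quick read of who got in and what they did."""
    return sorted(((s["level"], ip) for ip, s in summaries.items()),
                  key=lambda pair: (LEVEL_ORDER[pair[0]], pair[1]))


if __name__ == "__main__":
    summaries = triage(SAMPLE_LOG.splitlines())
    for level, ip in report(summaries):
        s = summaries[ip]
        print(f"{level:8} {ip:16} logins={s['ok_logins']} failed={s['failed_logins']} "
              f"downloads={s['downloads']} writes={s['writes']} deletes={s['deletes']}")
```

Run it as a script to see the summary of the constructed sample, or pass an open file object to triage() for a real log; because it iterates line by line instead of reading the whole file into memory, a log of the size mentioned in this entry is not a problem. The one design point worth noting is that the LAN check is done with explicit RFC 1918 networks rather than ipaddress's is_global, because is_global also treats the documentation ranges used in the sample as non-public and would make every sample address look local.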
From the earlier Internet entries, some /g/ members were warning users about the flaw, but the ArsTechnica article blew that out of the water, and n00bs especially flooded 4chan /g/ and did some damage.

--
To This Point on August 12, 2014

Conclusion point! Somehow, I was fortunate to still have what's left of my data [because of the long-gone 1998-2002 data gap], though I feel sorry for those who actually lost data. I now reminisce: if I hadn't locked down the router from the start and if AT&T hadn't cut off our Internet access... what would've happened to our 2x1TB hard drive setup connected to the router with 2003-present data stored on them...

Since the update, if you try to enable FTP, you are shown a prompt asking (paraphrased): "Are you sure you want to turn on FTP on your hard disks?" Previously, you never got this prompt when enabling FTP. I distinctly remember this.

I just checked through Google that a few routers are still unpatched (FTP contents shown to the world). Searching for WARNING_YOU_ARE_VULNERABLE.txt reveals a few of them. Scary. It's been six months since the February firmware update.

At least turn off FTP entirely: USB application > Servers Center > FTP Share. Enable FTP should be OFF, Allow anonymous login should be OFF. Click Apply. Done.

--
Links

- Predating ArsTechnica Flood

PCWorld link (January 9, 2014!!)
http://www.pcworld.com/article/2086280/default-settings-leave-external-hard-drives-connected-to-asus-routers-wide-open.html

DSLReports.com forum thread (January 10, 2014!!)
http://www.dslreports.com/forum/r28946683-Default-settings-ex-HD-to-ASUS-wide-open.
'Asusgate' Original document
http://nullfluid.com/asusgate.txt

Reddit's /r/netsec post
http://www.reddit.com/r/netsec/comments/1wzsne/ouf_ipv4_scan_for_vulnerable_asus_routers/

Blackhatworld.com forum thread
http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/647246-turn-off-your-asus-router.html

SmallNetBuilder forum thread
http://forums.smallnetbuilder.com/showthread.php?t=15272

Harvard Law Blogger's entry
http://blogs.law.harvard.edu/zeroday/2014/02/05/so-this-is-what-getting-pwned-is-like/

[H]ard|Forum forum thread
http://hardforum.com/showthread.php?t=1805532

slickdeals.net forum thread
http://slickdeals.net/f/6705104-using-an-asus-router-your-info-is-not-safe

Spiceworks forum thread
http://community.spiceworks.com/topic/442881-asus-rt-56u-aicloud-and-ftp-vulnerability

- ArsTechnica Flood

ArsTechnica article
http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/

CNet article
http://www.cnet.com/news/asus-router-vulnerabilities-go-unfixed-despite-reports/

HackerNews post
https://news.ycombinator.com/item?id=7178665

BetaNews article
http://betanews.com/2014/02/18/asus-routers-may-be-showing-your-personal-files-to-everyone/

theinquirer.net article
http://www.theinquirer.net/inquirer/news/2329578/friendly-hacker-warns-asus-router-users-to-fix-their-security

Slashdot post
http://it.slashdot.org/story/14/02/18/0218212/dear-asus-router-user-all-your-cloud-are-belong-to-us/informative-comments

forums.hardwarezone.com.sg forum thread
http://forums.hardwarezone.com.sg/internet-bandwidth-networking-clinic-4/asus-routers-hacked-4580810.html

linustechtips.com forum thread
http://linustechtips.com/main/topic/116983-asus-router-hack-asus-router-users-read-this/

forums.vr-zone.com forum thread
http://forums.vr-zone.com/chit-chatting/3029970-asus-routers-users-beware.html

routercheck.com entry
http://www.routercheck.com/2014/02/18/asus-bug-exposes-users-files/

MaximumPC article
http://www.maximumpc.com/asus_finally_rolls_out_firmware_fix_major_router_vulnerability_2014

UserFriendly forum thread
http://ars.userfriendly.org/cartoons/read.cgi?id=20140218&tid=3807023

- Post-ArsTechnica Flood

Harvard Law blogger's response to the ArsTechnica article (dated February 23, 2014)
https://blogs.law.harvard.edu/zeroday/2014/02/23/puling-my-digital-pants-back-up/

BleepingComputer! thread (dated March 7, 2014! 4chan /g/ struck this one)
http://www.bleepingcomputer.com/forums/t/526830/what-is-nsa-inspected-folder/

- 4chan Thread Archives!

4chan /g/ Feb. 4 thread
http://archive.rebeccablacktech.com/g/thread/40082705

4chan /g/ Feb. 6 thread [No exploit]
http://archive.rebeccablacktech.com/g/thread/40133050

4chan /g/ Feb. 17 thread [No exploit]
https://warosu.org/g/thread/40367912

4chan /g/ Feb. 18 Thread 1
http://archive.rebeccablacktech.com/g/thread/40385277
https://warosu.org/g/thread/40385277

4chan /g/ Feb. 18 Thread 2
http://archive.rebeccablacktech.com/g/thread/40392280
https://warosu.org/g/thread/40392280

4chan /g/ Feb. 18 Thread 3
http://archive.rebeccablacktech.com/g/thread/40394460
https://warosu.org/g/thread/40394460

4chan /g/ Mar. 20 thread [apparently joking around]
https://fireden.net/4chan/g/40919846

--
Asus Firmware Updates

Post-FTP, Samba, and AiCloud/AiDisk flaw (fixed) Firmware

RT-N14U [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N14U/FW_RT_N14U_30043744422.rar
RT-N16 [Feb. 12 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N16/FW_RT_N16_30043744422.zip
RT-N56U [Feb. 19 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N56U/FW_RT_N56U_30043744422.zip
RT-N66U [Feb. 12 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043744422.zip
RT-N66R [Feb. 12 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66R/FW_RT_N66R_30043744422.zip
RT-N66W [Feb. 12 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66W/FW_RT_N66W_30043744422.zip
RT-AC52U [Feb. 21 FW]* http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC52U/FW_RT_AC52U_30043744561.zip
RT-AC56U [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56U/FW_RT_AC56U_30043744422.zip
RT-AC56R [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56R/FW_RT_AC56R_30043744422.zip
RT-AC66U [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043744422.zip
RT-AC66R [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66R/FW_RT_AC66R_30043744422.zip
RT-AC68U [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68U/FW_RT_AC68U_30043744422.zip
RT-AC68R [Feb. 13 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68R/FW_RT_AC68R_30043744422.zip

Latest Firmware (as of this text document)

RT-N14U [Feb. 21 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N14U/FW_RT_N14U_30043744561.zip
RT-N16 [Apr. 16 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N16/FW_RT_N16_30043745517.zip
RT-N56U [Apr. 24 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N56U/FW_RT_N56U_30043745656.zip
RT-N66U [Jun. 27 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043761071.zip
RT-N66R [Jun. 27 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66R/FW_RT_N66R_30043761071.zip
RT-N66W [Jun. 27 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66W/FW_RT_N66W_30043761071.zip
RT-AC52U [Feb. 21 FW]* http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC52U/FW_RT_AC52U_30043744561.zip
RT-AC56U [Apr. 24 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56U/FW_RT_AC56U_30043745656.zip
RT-AC56R [Apr. 24 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56R/FW_RT_AC56R_30043745656.zip
RT-AC66U [Jul. 07 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043761123.zip
RT-AC66R [Jul. 07 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66R/FW_RT_AC66R_30043761123.zip
RT-AC68U [Jul. 18 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68U/FW_RT_AC68U_30043761663.zip
RT-AC68R [Jul. 18 FW] http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68R/FW_RT_AC68R_30043761663.zip