"Asusgate" and How I Somehow Avoided It     2014/08/12
by Ami Sapphire


This is not too obvious, but this is a late-night rushed text file entry from
me. Was going to write something like this ~2 weeks ago, but didn't bother
until now. From even the ancient BEFSRx1 v1 and v2 Gozila security exploit
(never patched, last firmware exploitable) to D-Link/Asus/Linksys/etc. router
exploits (my WRT54Gv8, WRT150N, and D-Link DIR-655 were involved!), I notice
that such firmware can be very flawed. But this... THIS was so simple... and
stupid. Also, eight months for an FTP 'patch'.

However, it also should be another lesson with routers (and other Internet-
facing hardware/software especially): Attempt to lock them down as tight as you
can, including changing default passwords (seriously, I don't want to see
routers using default admin/password combos... D-Link DIR-655 has NO password
set by default!!), disabling remote administration, disabling telnet and NOT
forwarding port 23 (depending on the router), etc. I only noticed this when I
was looking around the router settings for the very first time.

--

Security Warnings Go Unheeded

Back in June 22, 2013, the first public disclosure was posted by Kyle Lovett, a
security researcher. This was a partial disclosure.
http://www.securityfocus.com/archive/1/526942

Later in July 14, 2013 (was reposted on July 15, 2013), a second public
disclosure was posted by Kyle Lovett due to Asus' response (read: not much),
which he felt was unacceptable. Interestingly, it was still practilcally
silent, as the responses there are to himself...
http://www.securityfocus.com/archive/1/527275
http://seclists.org/bugtraq/2013/Jul/87

--

Winter: Joy During the Storm

On December 11, 2013, I carefully researched which router the family needed to
replace the heavily abused D-Link DIR-655 RevA2 router + DIR-655 RevB1 router-
as-wireless hub setup. At the time, we had AT&T DSL HSI (High-Speed Internet)
service. Noticed some ASUS RT series routers: N16, N56U, N66U, AC66U, AC68U...
yet somehow I didn't pick the AC ones. Ultimately, the RT-N66U was chosen.
Bought that router with Bitcoin converted to Amazon gift cards; around $125.

Then, on December 13, 2013, I received the ASUS RT-N66U via UPS. It was a
hardware revision B1 RT-N66U! Woot! Anyway, knowing me, I would nowadays browse
through the router navigation before I set it up fully for Internet use,
learning from the D-Link RevB setup 'fiasco' in 2012. This is also before I
flashed it to the October 2013 firmware update, so the shipping firmware
version on this router was 3.0.0.4.276. Okay.

Upon the USB application section, I noticed that FTP was on BY DEFAULT,
ANONYMOUS READ/WRITE PERMISSIONS. My first reaction was 'WTF?' but also, I am
already running an FTP server (which was at the time running under Windows XP
Home SP3). Immediately turned that off. Thought of the security issues there,
especially that FTP is already insecure as it is, due to it originally being a
1970s protocol! Also (to my recollection), AiDisk (and its brother AiCloud)
were on by default as well. Turned them off as well. Sharing my personal data
over the (obviously public) World Wide Web is not something I would have
wanted. That, and I have already lost data in 2003 (almost everything gone from
1998-2002), well before the WWW got even more accessible, so yeah.

--

No Internet For a While

On February 1, 2014, AT&T shut off the service. It was later found out U-Verse
was replacing old DSL service. Mind you, there was still a winter storm (yes,
even two months later). They even had trouble trying to set up U-Verse (weak
signal). [insert parents about to crack over having no Internet access, and I,
the only sane one in the house...] Older sis arrived on February 11, 2014
(IIRC), and the one thing I would never forget: "I'm having Internet
withdrawal..." [During all this, IP address ranges were being scanned for
vulnerable Asus routers, mainly those responding to port 21. Not sure of mine,
will have to look at my FTP server log someday; it is over 100MB in size!]

However, we switched to Comcast cable Internet on February 12, 2014, and after
some trickery of still getting to use our ASUS RT-N66U router with the shoddy
Technicolor TC8305C gateway and having some ports forwarded, I checked to see
if there was any newer firmware for the router the next day (the 13th). There
was. We were still on the October 2013 firmware, and seeing the list
previously, I thought there wasn't going to be any firmware for a while. Then
I read the changelog. I facepalmed. One thing I really noticed: security
related to FTP. Really...? I wonder why? /s

For the record, I told Sis and then my older sis (who was visiting at the time)
regarding the security update and flashed the router very ASAP. I had no clue
how bad it was until a week later...

--

'Asusgate' Happenings

On February 4, 2014, a text file called asusgate.txt circulated the Internet.
In it was a few links where you can obtain IP address blocks, and probably some
of the peoples' data, just to prove how bad this was. The Feb. 4 post from /g/
already has a few going through the IP list. [A reminder: I had no home
Internet access from February 1 to February 12 the entire time.]

On February 5, it did make a few rounds on some boards, mainly because /g/ was
posting the WARNING_YOU_ARE_VULNERABLE.txt files in affected drives connected
directly through the routers. This, however, was not enough. Also, Lunar New
Year is celebrated during early February in China and Taiwan, meaning
businesses are closed during this holiday. Interesting timing.

On February 17, 2014, an ArsTechnica article was published regarding the FTP
'exploit', amongst other things. One had their entire contents of their hard
drive wiped and replaced with a text file that screamed extortion. Another (in
this case a Harvard law school blogger) had only lost a directory and got the
WARNING YOU ARE VULNERABLE text file. My main thought was: "I wonder if 4chan
was somehow involved...?" I didn't even bother to 'investigate' until late July
2014 and just read the reader comments. Oh, how right I (mainly) was...

--

4chan /g/ and Curiosity (and possibly Boredom and Amusement)

July 2014. Finally found the archived threads regarding the Asus exploit. They
were dated February 18, 2014. Warning, these threads are LONG. Users of these
routers unwittingly shared mostly personal files over anonymous read/write FTP
and AiDisk. 4chan /g/ managed to grab peoples' files, some wiped drives, some
added files to peoples' drives, some /g/ members posted warning text files in
drives... also, they were browsing through various IPs listed in a pastebin
post. This was possibly petabytes of data that was unwittingly shared! They
found quite a bit, too:

various password lists
tax return forms (though old, but remember that SSNs are listed on them!)
credit card list with CVV2 and everything (though one list was expired)
bank statements (Seriously.)
porn collections (4chan /g/ even ran into some they shouldn't ever run into...)
personal photos and videos (No surprise that /g/ would possibly grab some of
  those files...)
music collections (one instance a /g/ member deleted one and created a new
  folder named 'Your music was always shit.')
some webcam 'stream'. This one was a bit odd.
various pirated shows (some /g/ member deleted some)
family photos and kid photos (some /g/ members actually deleted those,
  unfortunately for them. Probably thought they would unleash those on Facebook
  or something... This was not always the case, though, /g/!)
cryptocoin wallet.dat files (Bitcoin, Litecoin, etc. IIRC, someone did find
  one!)
résumé documents

...amongst others. It was more disturbing overall, but the /g/ comments made it
somewhat amusing.

From the earlier Internet entries, some /g/ members were warning users about the
flaw, but the ArsTechnica article blew that out of the water since, and n00bs
especially flooded 4chan /g/ and did some damage.

--

To This Point on August 12, 2014

Conclusion point! Somehow, I was fortunate to still have what's left of my data
[because of the long gone 1998-2002 data gap], though I feel sorry for those
who actually lost data. I now remininsce: if I hadn't locked down the router
from the start and if AT&T hadn't cut off out Internet access... what would've
happened to our 2x1TB hard drive setup connected to the router with 2003-
present data stored on them...

Since the update, if you try to enable FTP, you are shown a prompt asking
(paraphrased): Are you sure you want to turn on FTP on your hard disks?
Previously, you never got this prompt when enabling FTP. I distinctly remember
this.

I just checked through Google that a few routers are still unpatched (FTP
contents shown to the world). Searching for WARNING_YOU_ARE_VULNERABLE.txt
reveals a few of them. Scary. It's been six months since the February firmware
update. At least turn off FTP entirely: USB application > Servers Center > FTP
Share. Enable FTP should be OFF, Allow anonymous login should be OFF. Click
Apply. Done.

--

Links


Predating ArsTechnica Flood

PCWorld link (January 9, 2014!!)
http://www.pcworld.com/article/2086280/default-settings-leave-external-hard-drives-connected-to-asus-routers-wide-open.html

DSLReports.com forum thread (January 10, 2014!!)
http://www.dslreports.com/forum/r28946683-Default-settings-ex-HD-to-ASUS-wide-open.

'Asusgate' Original document
http://nullfluid.com/asusgate.txt

Reddit's /r/netsec post
http://www.reddit.com/r/netsec/comments/1wzsne/ouf_ipv4_scan_for_vulnerable_asus_routers/

Blackhatworld.com forum thread
http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/647246-turn-off-your-asus-router.html

SmallNetBuilder forum thread
http://forums.smallnetbuilder.com/showthread.php?t=15272

Harvard Law Blogger's entry
http://blogs.law.harvard.edu/zeroday/2014/02/05/so-this-is-what-getting-pwned-is-like/

[H]ard|Forum forum thread
http://hardforum.com/showthread.php?t=1805532

slickdeals.net forum thread
http://slickdeals.net/f/6705104-using-an-asus-router-your-info-is-not-safe

Spiceworks forum thread
http://community.spiceworks.com/topic/442881-asus-rt-56u-aicloud-and-ftp-vulnerability

-

ArsTechnica Flood

ArsTechnica article
http://arstechnica.com/security/2014/02/dear-asus-router-user-youve-been-pwned-thanks-to-easily-exploited-flaw/

CNet article
http://www.cnet.com/news/asus-router-vulnerabilities-go-unfixed-despite-reports/

HackerNews post
https://news.ycombinator.com/item?id=7178665

BetaNews article
http://betanews.com/2014/02/18/asus-routers-may-be-showing-your-personal-files-to-everyone/

theinquirer.net article
http://www.theinquirer.net/inquirer/news/2329578/friendly-hacker-warns-asus-router-users-to-fix-their-security

Slashdot post
http://it.slashdot.org/story/14/02/18/0218212/dear-asus-router-user-all-your-cloud-are-belong-to-us/informative-comments

forums.hardwarezone.com.sg forum thread
http://forums.hardwarezone.com.sg/internet-bandwidth-networking-clinic-4/asus-routers-hacked-4580810.html

linustechtips.com forum thread
http://linustechtips.com/main/topic/116983-asus-router-hack-asus-router-users-read-this/

forums.vr-zone.com forum thread
http://forums.vr-zone.com/chit-chatting/3029970-asus-routers-users-beware.html

routercheck.com entry
http://www.routercheck.com/2014/02/18/asus-bug-exposes-users-files/

MaximumPC article
http://www.maximumpc.com/asus_finally_rolls_out_firmware_fix_major_router_vulnerability_2014

UserFriendly forum thread
http://ars.userfriendly.org/cartoons/read.cgi?id=20140218&tid=3807023

-

Post-ArsTechnica Flood

Harvard Law blogger's response to the ArsTechnica article (dated February 23, 2014)
https://blogs.law.harvard.edu/zeroday/2014/02/23/puling-my-digital-pants-back-up/

BleepingComputer! thread (dated March 7, 2014! 4chan /g/ struck this one)
http://www.bleepingcomputer.com/forums/t/526830/what-is-nsa-inspected-folder/

-

4chan Thread Archives!


4chan /g/ Feb. 4 thread
http://archive.rebeccablacktech.com/g/thread/40082705

4chan /g/ Feb. 6 thread [No exploit]
http://archive.rebeccablacktech.com/g/thread/40133050

4chan /g/ Feb. 17 thread [No exploit]
https://warosu.org/g/thread/40367912

4chan /g/ Feb. 18 Thread 1
http://archive.rebeccablacktech.com/g/thread/40385277
https://warosu.org/g/thread/40385277

4chan /g/ Feb. 18 Thread 2
http://archive.rebeccablacktech.com/g/thread/40392280
https://warosu.org/g/thread/40392280

4chan /g/ Feb. 18 Thread 3
http://archive.rebeccablacktech.com/g/thread/40394460
https://warosu.org/g/thread/40394460

4chan /g/ Mar. 20 thread [apparently joking around]
https://fireden.net/4chan/g/40919846

--

Asus Firmware Updates


Post-FTP, Samba, and AiCloud/AiDisk flaw (fixed) Firmware

RT-N14U [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N14U/FW_RT_N14U_30043744422.rar

RT-N16 [Feb. 12 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N16/FW_RT_N16_30043744422.zip

RT-N56U [Feb. 19 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N56U/FW_RT_N56U_30043744422.zip

RT-N66U [Feb. 12 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043744422.zip

RT-N66R [Feb. 12 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66R/FW_RT_N66R_30043744422.zip

RT-N66W [Feb. 12 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66W/FW_RT_N66W_30043744422.zip

RT-AC52U [Feb. 21 FW]*
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC52U/FW_RT_AC52U_30043744561.zip

RT-AC56U [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56U/FW_RT_AC56U_30043744422.zip

RT-AC65R [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56R/FW_RT_AC56R_30043744422.zip

RT-AC66U [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043744422.zip

RT-AC66R [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66R/FW_RT_AC66R_30043744422.zip

RT-AC68U [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68U/FW_RT_AC68U_30043744422.zip

RT-AC68R [Feb. 13 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68R/FW_RT_AC68R_30043744422.zip


Latest Firmware (as of this text document)

RT-N14U [Feb. 21 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N14U/FW_RT_N14U_30043744561.zip

RT-N16 [Apr. 16 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N16/FW_RT_N16_30043745517.zip

RT-N56U [Apr. 24 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N56U/FW_RT_N56U_30043745656.zip

RT-N66U [Jun. 27 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66U_B1/FW_RT_N66U_30043761071.zip

RT-N66R [Jun. 27 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66R/FW_RT_N66R_30043761071.zip

RT-N66W [Jun. 27 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-N66W/FW_RT_N66W_30043761071.zip

RT-AC52U [Feb. 21 FW]*
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC52U/FW_RT_AC52U_30043744561.zip

RT-AC56U [Apr. 24 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56U/FW_RT_AC56U_30043745656.zip

RT-AC56R [Apr. 24 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC56R/FW_RT_AC56R_30043745656.zip

RT-AC66U [Jul. 07 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66U/FW_RT_AC66U_30043761123.zip

RT-AC66R [Jul. 07 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC66R/FW_RT_AC66R_30043761123.zip

RT-AC68U [Jul. 18 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68U/FW_RT_AC68U_30043761663.zip

RT-AC68R [Jul. 18 FW]
http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC68R/FW_RT_AC68R_30043761663.zip