It took Asus eight months to address a security flaw in some of its routers
If you own an Asus-brand router, do yourself a favor and check to see if there's a firmware update available. Depending on which model you own, you could be susceptible to an eight-month-old security flaw that could potentially allow a remote hacker to access hard drives plugged into the router. A recent firmware release is supposed to plug up the security hole; it's just a shame it took Asus so long to address the issue. So, what happened?
Back in June of last year, security researcher John Lovett posted details of the vulnerability on his SecurityFocus website. What he found was that hackers were able to "traverse to any external storage plugged in through the USB ports on the back of" select routers. He was specifically referring to the popular RT-N66U, but the vulnerability is present on other models as well. Lovett only went public with the info after contacting Asus two weeks prior and receiving a response that "it was not an issue."
An Ars Technica reader recently found out the hard way that the vulnerability is an issue. As he was browsing the contents of his external hard drive, he came upon a text file with a warning message.
"This is an automated message being sent out to everyone affected. Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt," the message read.
In July of last year, Lovett posted additional details about the security flaw.
"The vulnerability is that on many, if not on almost all N66U units that have enabled https Web service access via the AiCloud feature, [they] are vulnerable to un-authenticated directory traversal and full sensitive file disclosure," Lovett explained. "Any of the AiCloud options 'Cloud Disk,' 'Smart Access,' and 'Smart Sync' (need another verification on this one) appear to enable this vulnerability."
According to Lovett, affected models include the RT-AC66R, RT-AC66U, RT-N66R, RT-AC56U, RT-N56R, RT-N14U, RT-N15, and RT-N16R. That's a lot of router models, though a recent firmware update is supposed to have fixed the issue. Better late than never, right?