
AsusWRT sends network traffic data to Trend Micro if certain features enabled - cknight
https://ctrl.blog/entry/review-asuswrt#section-asuswrt-privacy
======
haswell
I own an ASUS RT-AC68U. To be clear, this is an opt-in feature. When you
switch the toggle button that enables any of these features, you're
immediately greeted by the EULA, making it clear that what you're doing has
more implications than just "turn the feature on".

I wanted to see bandwidth usage history/analysis, so I was going to enable it.
When I was greeted by the scary EULA, I backed out and didn't turn it on.

To be fair, I'm not sure how a router like this could actually perform this
functionality _without_ sending information to an upstream service to manage
the data. Simply not enough computing power / storage to support those
features locally.

I don't want to send my data to ASUS/Trend Micro, so I didn't enable it. I
don't think there's anything malicious going on here.

~~~
hultner
A few years ago my mother had some problems with her internet, she had
recently changed her old D-LINK to a brand new flagship ASUS router. So while
visiting her I played around with web interface and not many minutes in I
managed to gain RCE allowing me to access a full root shell on the router via
HTTP and I were even able to fetch the shadow-file. I searched the web and
found several similar flaws,

Ever since whenever someone I know is about to buy an ASUS router I make sure
to warn them and tell them to at least making sure to run the latest firmware
if they go through with the purchase. As for my mother I brought over an old
C2D-box which I hooked up with a couple of old Intel Pro Server GBE-nics,
configured a NetBSD firewall+nat and reconfigured her router to act as a* dumb
access point.

*Should I use an here since the object it is acting upon is started with a vowel or should I let the adjective rule the indefinite article? English isn't my first nor second language and I always struggle with these things so I appreciate any guidance.

~~~
brokenmachine
Your English is very good, I was skim-reading and actually didn't even notice
any mistakes until I saw your question at the bottom so I re-read the whole
thing, but I thought you may want some comments:

> and I were even able to fetch

should be "I was"

> to at least making sure

should be "to at least make sure"

Other than that a few commas would be nice to make some of those long
sentences flow a bit smoother. If you were speaking, you'd need to take a
breath somewhere!

You are doing ridiculously good for a third language though!!

I have a lot of respect for people who learn languages, it shows a lot of
courage and curiosity.

~~~
hultner
I can't edit my comment anymore but I've taken notice of your critique, thank
you very much for being so helpful!

------
brudgers
Please don't editorialize titles. The whole article is interesting. It's
better to add a comment once the article appears on the |new| page.

Title, _Review: ASUSWRT router firmware_

Link to top of page, [https://ctrl.blog/entry/review-
asuswrt](https://ctrl.blog/entry/review-asuswrt)

~~~
pfooti
On the other hand, I probably would not have clicked through to the underlying
article if it were not for the title as written (ASUS Router Sends Data to
Third Party). The whole blog post feels a bit like an exercise in burying the
lede.

The rest of the review is interesting, for sure, and worth reading. But the
actual bombshell here is that the firmware indeed sends data about your
browsing to trend micro if you activate some of the firmware's advanced
features.

------
MegaDeKay
Even more reason to install alternative firmware. I run Tomato by Shibby on my
Asus and it works great.

[http://tomato.groov.pl/](http://tomato.groov.pl/)

~~~
kkirsche
Not really, it's opt in and provides a EULA

~~~
Pxtl
For features that really don't seem like they should require this opt-in and
EULA nonsense.

------
infocollector
So does Meraki, Cisco, ... Well they give you an option to send your data to
the company.

~~~
kkirsche
Asus provides it as an opt in option :) it's not on by default

------
NKCSS
Google and Microsoft do the same to check URL reputation...

------
MarkG509
I use an Asus RT-68P. The EULA did scare me off from running all of the
services listed in the article, with the exception of "Web History", where I
do not recall having seen any indication that my history would be leaked. But,
regardless I just turned off that function.

I agree with the author's disappointment in Dynamic DNS support. But, I
followed instructions on the web[1] and added a cheap USB thumb-drive to run a
script on every router boot. This script sets up a cron job that supports
DuckDNS.org, and fixes other annoyances like turning off all the router's
LEDs.

[1] [https://www.securityforrealpeople.com/2015/08/cron-on-
asus.h...](https://www.securityforrealpeople.com/2015/08/cron-on-asus.html)

Edit: Grammar, and a clarification.

------
sly010
Btw anyone ever measured that gamer shaped wifi routers with fancy remote apps
sell better? I was going to buy into Google's Wifi solution until I realized
you manage it with an App. Is that really what customers want or is it just
the marketers brainfart?

~~~
jrimbault
Aren't those apps just a replacement for people who can't (or don't know how
to) login into and manage their router ?

~~~
narrowrail
Typing in raw IPs in the URL bar is not something many laypeople are
comfortable with exactly. Private LAN addresses seem odd if you navigate the
web with a search engine.

~~~
cptn_brittish
On the other hand some ruters use url's like
[http://routerlogin.net](http://routerlogin.net) and from my perspective that
seems dodgy since that could mean all the routers are centrally configured
somehow.

------
PTRFRLL
I wonder if Asuswrt-merlin does the same.

~~~
vanadium
Last I checked (RT-AC87U owner here), most of the features are still there,
but still opt-in. I believe there's one I can't name off the top of my head
that was neutered, though.

------
knodi
Hmm, any suggestions on a good router that won't spy on me?

~~~
emeidi
Turris Omnia

~~~
bubblethink
Omnia is a good concept, but the execution isn't quite there yet. I had
ordered one, which I ended up returning due to a broken hardware part and less
than stellar software. Maybe in a couple of years, it will be a solid
platform.

