
Asusgate: A story about thousands of crimeless victims - lelf
http://nullfluid.com/asusgate.txt
======
nothxbro
This was patched 6 months ago, what is the author going on about?

[http://reviews.cnet.com/8301-3132_7-57594003-98/asus-
patches...](http://reviews.cnet.com/8301-3132_7-57594003-98/asus-patches-its-
wi-fi-routers-aicloud-vulnerabilities/)

------
trynumber9
Asusgate? How about 'Asus RT-series router vulnerabilities'? Asusgate is a
less informative headline .

~~~
smsm42
Everything is gate nowdays. I hope some politician would mess up something
with some gate somewhere, and we'd have a Gategate.

~~~
CrazedGeek
Believe it or not, basically exactly that happened.
[http://en.wikipedia.org/wiki/Plebgate](http://en.wikipedia.org/wiki/Plebgate)

~~~
smsm42
I should have searched. Fascinating story, thanks.

------
freiheit
Bruce Schneier did an interesting writeup about a month ago about the
fundamental problems behind router (and other embedded device) security:

> The problem with this process is that no one entity has any incentive,
> expertise, or even ability to patch the software once it's shipped.

[https://www.schneier.com/blog/archives/2014/01/security_risk...](https://www.schneier.com/blog/archives/2014/01/security_risks_9.html)

~~~
xorbyte
Similarly echoed in the OpenWRT talk from 30C3
[https://www.youtube.com/watch?v=Y-OlUxeS57E](https://www.youtube.com/watch?v=Y-OlUxeS57E)

~~~
malandrew
TBH the only moderately safe way forward is open source firmware that is
autoupdated via signed packages made by individuals with impeccable
reputations and verified/audited by others with impeccable reputations.

------
ohfunkyeah
I am rather bored by the specifics of Asusgate, but I do think the story has
one very interesting conundrum. If change has to be driven by impassioned
masses. And the masses only become impassioned when directly affected. Does it
become OK for the good guys to accelerate exposure of the masses to the risks
in order to prevent harm happening at a larger scale in the future?

~~~
emhart
That is a question researchers have been asking for decades. Rain Forest
Puppy, with the help of some smart, invested colleagues, put together a good
framework for Full Disclosure a long time ago:

[http://dl.packetstormsecurity.net/papers/general/rfpolicy-2....](http://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt)

When I first found myself involved in disclosures in the mechanical security
world, I turned to that document to orient myself, though mechanical security
has some different challenges that make following that framework perfectly
fairly hard.

------
BigTuna
"We are sorry for exposing innocents in this manner."

Quit lying you pricks.

------
mattgreenrocks
Another failing in consumer-grade routers.

It's depressing how bad many consumer-targeted products there are in the tech
space. Printers (seriously, why do we still have printer drivers), routers,
operating systems, even software. Even non-techie users take notice of this!

Is there space for a competitively priced consumer router of high quality?

~~~
malandrew
I would definitely fund a kickstarter campaign for a fully open-source AC
router designed for OpenWRT.

I would imagine that the OpenWRT community (and related open-source firmwares
like Tomato and DD-WRT) are sufficiently large enough that there is a market
for a piece of hardware that is optimal for open-source router firmware.

~~~
SwellJoe
For quite a long time, there was a Linksys WRT model that remained in
production long after its useful life (because it had old radio standards and
was slow and because newer devices were much cheaper with greater
capabilities) because it ran Linux, and could be hacked very easily and could
use all Open Source drivers and such. It's even where "OpenWRT" got the WRT in
its name.

So, there's definitely a market for it. But, I don't know that it's comparable
to the market for consumer oriented devices. It'd be nice if consumers were
smarter and knew enough to demand this kind of thing.

It'd be _really_ nice if one could go to the store and buy a router running
OpenWRT or Tomato or whatever, like you can go to the store and ask for an
Android phone or a Windows PC. As operating systems go, many current routers
are probably more complex than DOS or early Windows versions and certainly
more complex than many early phone operating systems. Not sure why nobody has
thought to make the OS a competitive factor for routers.

~~~
vacri
The WRT54G went through several generations, the later generations having
different hardware and just sharing the model name. They weren't all
compatible with the various xWRT's of the day.

I had a v1 WRT54G; after six or seven years running OpenWRT, it finally died
last month. Now I have a cheap TPLink while I wait for the dust to settle on
the AC models.

~~~
malandrew
What's worse is that the older generations were not necessarily an improvement
either (IIRC). I think the amount of persistent memory of the device in later
generations was reduced to lower costs and that some later generation models
don't have enough disk space for OpenWRT.

------
ARothfusz
Someone needs to make a Rocket Surgeon t-shirt.

~~~
avtar
I came here to comment about that but it looks like you have everything under
control.

------
Symmetry
I'm glad I took this[1] advice and installed the Tomato firmware on my router.

[1][http://www.codinghorror.com/blog/2012/06/because-everyone-
st...](http://www.codinghorror.com/blog/2012/06/because-everyone-still-needs-
a-router.html)

------
eli
That's not very nice. They won't remain crimeless for long.

------
baldfat
I love my RT-AC router and I do not use Ai Cloud and I have FTP turned off. I
check all the time. People that buy $200+ routers should be the ones to turn
things off.

My name wasn't on the list.

~~~
pixl97
>People that buy $200+ routers should be the ones to turn things off.

The price of an object says nothing about the cluefullness or cluelessness of
the end user. A tech illiterate soccer mom could easily buy one of these
because their child told them they need 'extreme performance' to play BF4.
Releasing products with poor security, then not fixing it when released to the
public is unacceptable in this day and age.

~~~
vacri
A tech naif that doesn't know how to turn off a service is certainly not going
to be reflashing a wifi AP.

~~~
pixl97
That's why you don't release terrible security flaws in the first place.

The second problem of the illiterate flashing ones router is more difficult,
but not completely impossible to deal with. It's not optimal, but you could
force redirect all http connections to the router from inside the network to a
page where the user has to log in and click flash for the router to download
and update the flash itself. Auto-updates are possible, but not without risk
either.

------
r00fus
My RT-AC66u died a month ago (trying to factory reset, and it never woke up),
and I just plugged my 5-year old Apple Wifi-N router and never looked back.

Looks like there isn't really a good AC router - most AC routers have poor
reliability reviews everywhere (even the new Apple one).

~~~
jethro_tell
That's usually because the spec wasn't finished at release time so your card
might be following one set of rule and your WAP another. I'm always leary
about a company who wants to be first to market before everyone has agreed on
how things should work. You can see that pattern in their security audit too.

EDIT: Asus' security audit, The apple one should work if you don't leave their
eco system since the card and WAP probably have the same specs.

------
simon_vetter
OpenWRT or other OpenWRT-based firmwares are really easy to get up and running
these days. Trusting consumer electronics manufacturers running on razon-thin
margins for your security is pure madness, not advisable at best.

------
loginwhence
Does anyone have a non-torrent link to this?

~~~
hrkristian
[https://dl.dropboxusercontent.com/u/30902737/ASUSGATE.A.STOR...](https://dl.dropboxusercontent.com/u/30902737/ASUSGATE.A.STORY.ABOUT.THOUSANDS.OF.CRIMELESS.VICTIMS.rar)

~~~
loginwhence
Thank you!

------
pcunite
If you are serious about your SOHO router, I suggest you use a MikroTik.

~~~
thelambentonion
I would personally recommend Ubiquiti or some ALIX-based pfSense router over
MikroTik. They seem like a better value for the money to me.

------
joseflavio
Chuck Palahniuk?

~~~
bitwize
_Duke Igthorn?!?_ Calling yourself the Dread Pirate Roberts I can understand,
but a Gummi Bears villain?

~~~
at-fates-hands
Hackers these days pick some interesting names. Just like "pinkie pie" who
hacked Chrome with three zero-day exploits back in 2012:

[http://www.wired.com/threatlevel/2012/03/zero-days-for-
chrom...](http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/)

------
mcfly69
download-link?

