1000s of publicly accessible private HDDs spread on Piratebay. - tmikaeld

From the leaked content's readme:

-- start quote

ASUSTeK Computer Inc (ASUS) have spent the better part of a year ignoring the fact that their RT-series routers suffer from two CRITICAL security vulnerabilities.

1. Default setting for the ftp-server was to allow anonymous login. ASUS calls this feature “limitless access rights”. We call this madness.

2. AiCloud usernames and passwords were stored in plaintext in a file available for download without logging in. We call this insanity.

This release includes

- IP-addresses to 12937 ASUS routers with vulnerable FTP and/or AiCloud.

- 6536 complete and 3605 partial lists of files shared from these ASUS routers.

- AiCloud login credentials to 3131 ASUS routers.

-- End quote

The story was removed from most sources, but magnet links containing IP and directory data are circulating on darknet sites like wildfire.

I'm afraid that many innocent victims are going to get hurt by this, and it all could have been avoided if the ISPs scanned their networks and warned their users.

I am at least trying to warn those I know have an ASUS router, and so should you.
======
captainmuon
I'm all for responsible disclosure, and going public in case a vendor ignores
the issue. But publishing the private data of innocent people on bittorrent?
And they have the audacity to write it in the tone of an honest security
researcher? I call them irresponsible pricks.

Really, I'd have more sympathy with them if they would have used the security
hole for criminal purposes, for their own monetary gain. Not nice, but I would
have gotten that. But just dumping private data on the net, and believing
people should even be thankful for it... _that_ is insane.

Thankfully it's probably just a list of filenames, but even that can do enough
damage, and they have no right to do so.

~~~
tmikaeld
I agree completely, that's why I want to get the word out and warn people
about the fact. I don't understand why this is not getting more attention!

No, it's not only the filenames - the dump gives direct access to all files
and private hard drives without any login or password (anonymous login).

------
runjake
Maybe a URL or few? The text reads like an Infowars.com post on 9/11.

Edit:
[http://www.securityfocus.com/archive/1/526942](http://www.securityfocus.com/archive/1/526942)

~~~
tmikaeld
Not sure what to link to, every publicly available source has been
removed.

EDIT: Found a blog [http://sam3.se/archives/782](http://sam3.se/archives/782)

------
ScottWhigham
Interesting. I just added an Asus RT router to my shopping cart this morning.

This is one of amazon's biggest sellers:

[http://www.amazon.com/dp/B00FK1E46U](http://www.amazon.com/dp/B00FK1E46U) -
ASUS RT-N66W (1,986 customer reviews, Amazon Best Sellers Rank: #39 in
Electronics)

~~~
tmikaeld
More than 50 new public ASUS routers appear every day on FTP-indexing sites,
N66W is one of the most common ones.

All you need to do to share your hard drive publicly on the internet is to plug
it in. And that is something that most people do without much thought; it's
not like anyone expects the router to share all of your stuff publicly by
default.

Someone should write a review and contact Amazon so people get a warning.

------
dubfan
Well, I was considering getting an ASUS to replace my current Netgear R6200
(the built-in DNS relay stops working after a few days of operation and can't
be disabled). Now it's looking like I'd be better served building a little ITX
box and doing it myself.

~~~
tmikaeld
You can check out [http://www.mikrotik.com/](http://www.mikrotik.com/)

Their routers are extremely powerful, in the same ballpark as Cisco's smaller
routers, and they also take their security very seriously.

It runs a custom Linux with a web-based configuration environment.

Also, for what you get - very cheap.
