Responsible Disclosures and their consequences have been a disaster for the human race. Companies need to feel a lot more pain a lot more often in order for them to take the security of their customers a lot more seriously. If you just give them a month to fix an issue and spoon-feed them the solution it's just another ticket in their Backlog. But if every other security issue becomes enough news online that their CEOs are involved and a solution must be found in hours, not months, they will become a lot more proactive. Of course it's the end users that would suffer most from this. But then again, they buy ASUS so they suffer already...
> I asked ASUS if they offered bug bounties. They responded saying they do not, but they would instead put my name in their “hall of fame”. This is understandable since ASUS is just a small startup and likely does not have the capital to pay a bounty.<p>:(
Doesn't surprise me. Their software sucks and security-wise they are repeat offenders considering the lack of prevention.<p><a href="https://www.techspot.com/news/95425-years-gigabyte-asus-motherboards-carried-uefi-malware.html" rel="nofollow">https://www.techspot.com/news/95425-years-gigabyte-asus-moth...</a><p><a href="https://www.reddit.com/r/ASUS/comments/tg3u2n/removing_bloatware/" rel="nofollow">https://www.reddit.com/r/ASUS/comments/tg3u2n/removing_bloat...</a><p><a href="https://www.reddit.com/r/ASUS/comments/ojsq80/nahimic_service_it_caused_a_lot_of_problems_with/" rel="nofollow">https://www.reddit.com/r/ASUS/comments/ojsq80/nahimic_servic...</a>
>so I could see if anyone else had a domain with driverhub.asus.com.* registered. From looking at other websites certificate transparency logs, I could see that domains and subdomains would appear in the logs usually within a month. After a month of waiting I am happy to say that my test domain is the only website that fits the regex, meaning it is unlikely that this was being actively exploited prior to my reporting of it.<p>This only remains true in so far as no-one directly registered for a driverhub subdomain. Anyone with a wildcard could have exploited this, silent to certificate transparency?
> When submitting the vulnerability report through ASUS’s Security Advisory form, Amazon CloudFront flagged the attached PoC as a malicious request and blocked the submission.<p>Reminder that WAFs are an anti-pattern: <a href="https://thedailywtf.com/articles/Injection_Rejection" rel="nofollow">https://thedailywtf.com/articles/Injection_Rejection</a>
> This is understandable since ASUS is just a small startup.<p>A small startup with a market cap of only 15 B. What is more than understandable is that you give a shit not only about your crappy products but the researcher that did a HUGE work for your customers.<p>I truly feel bad for researchers doing this kind of work only to get them dismissed/trashed like this. So unfair.<p>The only thing that ought to be done is not to purchase ASUS products.
>DriverHub only responded to requests with the origin header set to “driverhub.asus.com”. So at least this software wasn’t completely busted and evil hackers can’t just send requests to DriverHub willy-nilly.<p>>When I switched the origin to driverhub.asus.com.mrbruh.com, it allowed my request.<p>One more CVE to developers validating URLs in some silly way<p>Your language comes with a URL parser. Use it! You can't handle all the edge cases of the URL format by yourself.<p><pre><code> if ((new URL("https://user:password@driverhub.asus.com/whatever?q=whatever#whatever")).hostname === "driverhub.asus.com") { ... }</code></pre>
<i>I asked ASUS if they offered bug bounties. They responded saying they do not, but they would instead put my name in their “hall of fame”. This is understandable since ASUS is just a small startup[1] and likely does not have the capital to pay a bounty.</i><p>[1]: <a href="https://companiesmarketcap.com/asus/marketcap/" rel="nofollow">https://companiesmarketcap.com/asus/marketcap/</a>
> This is understandable since ASUS is just a small startup and likely does not have the capital to pay a bounty.<p>ASUS is not a small startup. It simply and only minds the money they suck FROM customers. There is no other way around to push money TO customers.<p>But the real point is: how much would selling such an exploit to a malicious agent be worth? Likely more than USD 0.00.<p>But then again, ASUS doesn't mind about that.
Sad truth.
I still don't understand why vendors like Asus bother developing their own (crappy) driver installation tool. It's always bad, takes developer resources, for something that's handled way better by Windows Update.<p>The cynical me imagines juicy telemetry to sell to advertisers.<p>The realist me imagines time gains by not needing to go through Microsoft's driver update validation process (like companies keep linux drivers out-of-tree to not cleanup their code).<p>It's probably both.
Obligatory "Scumbag Asus" video link:<p>Invidious <a href="https://inv.nadeko.net/watch?v=cbGfc-JBxlY" rel="nofollow">https://inv.nadeko.net/watch?v=cbGfc-JBxlY</a><p>YouTube <a href="https://youtube.com/watch?v=cbGfc-JBxlY" rel="nofollow">https://youtube.com/watch?v=cbGfc-JBxlY</a><p>"ASUS emailed us last week (...) and asked if they could fly out to our office this week to meet with us about the issues and speak "openly." We told them we'd be down for it but that we'd have to record the conversation. They did say they wanted to speak openly, after all. They haven't replied to us for 5 days. So... ASUS had a chance to correct this. We were holding the video to afford that opportunity. But as soon as we said "sure, but we're filming it because we want a record of what's promised," we get silence."<p>Edit: formatting
<i>MY ONBOARD WIFI STILL DOESN’T WORK, I had to buy an external USB WiFi adapter. Thanks for nothing DriverHub.</i><p>I feel sorry for this guy, having deviated from the original issue. Though it'd only take a couple of seconds to note the WLAN chipset from the specs or OEM packaging and then head to station-drivers.<p>This was also the very reason I dislike Asus: I don't want a BIOS flag/switch that natively interacts with a component in the OS layer.
A few of the drivers they install (or want to install) are also on Microsoft's vulnerable actively exploited driver blacklist. So that's fun, they have no intention of fixing it because they do not support "third party software". I'm also pretty sure their installer doesn't work without unencrypted HTTP traffic being let through. Plus they keep offering bloatware as "updates" to you.<p>On top of it all, the software they offer is slow and buggy on brand-new hardware.<p>But most of those issues also exist with AMD's or Gigabyte's drivers, most hardware vendors seem trashy like that. Like, if you install Samsung Magician (for their SSDs) then that even asks you if you're in the EEA (because of the privacy laws I suspect), it's absolutely crazy.<p>Microsoft should make it *significantly* harder to ship drivers outside of Windows Update and they should forbid any telemetry/analytics without consent.<p>I find Linux's hardware support model significantly nicer, although some rarer things do not work OOB, there's none of this bullshit.
This is really a well written blog post.<p>The practice of "injecting pre-installed software through BIOS" is such a deal-breaker. Unfortunately this seems to be widely adopted by the major players in motherboard market.
I like ASUS products but I disable the UEFI-installed support app <i>every single time</i>. IIRC it used to be a full ROG Armory Crate installation, which is really annoying to uninstall.<p>When ASUS acquired the NUC business from Intel, they kept BIOS updates going but at some point a “MyASUS” setup app got added to the UEFI like with their other motherboards. Thankfully, it also had an option to disable and IIRC it defaults to disabled, at least if you updated the BIOS from an Intel NUC version.
I have a similar model motherboard from ASUS in my desktop I had custom built a few years ago, and I've mostly just been annoyed that I have to have Windows installed to be able to even update the BIOS at all given that the previous one I had (which I think was also from them?) would just let me do it over ethernet if I booted directly into the BIOS setup menu. Now I have much larger concerns in addition to the risk of not updating as frequently seeming much larger...
> When submitting the vulnerability report through ASUS’s Security Advisory form, Amazon CloudFront flagged the attached PoC as a malicious request and blocked the submission.<p>Reminds me of the time I reported SQL disclosure vuln to Vivaldi and their WAF banned my account for - wait for it - 'SQL injection attempt' so hard their admin was unable to unlock it :)
It is not just a mainboard issue. I had an asus mechanical keyboard. After I started using it, Windows kept installing software and background services in the system that opened a listening port. I kept deleting it manually and no matter what I did, windows kept installing it without my consent. It was really annoying.
All our motherboards, the root of trust, are made in Taiwan. All props to their industriousness and agility, but shouldn't there be a Western alternative that can be purchased?