ASUS uses their own Linux distro called ASUSWRT, whenever I've looked at it it's been, well ... *interesting* from a security perspective, even compared to other WRT OSes.

I did a ton of stuff on the AC series and some of their smaller hardware (like the WL330-NUL which is an awesome little thing but riddled with bugs). The bottom line is that if you have an ASUS, you should expect bugs.

If you're worried about being exploited via your router, making sure you use a dedicated browser to configure a router and have no other web pages open at the time will help against certain classes of bug, as will logging out immediately after you've finished. Making sure that you know what's being forwarded is also useful, as is turning off UPnP.

OpenWRT is a little bit better (but people tend not to update their routers) but has its flaws for various reasons (mostly in the web interface), as do most of the WRTs. If you're really worried, Mikrotiks tend to be better, and very little beats an OpenBSD firewall.
This always boggles my mind. The hardware on those seems decent enough but the software is almost universally utter dog shit. Why these companies treat the software (security as well as UX) side so poorly, considering that this is what the end user sees, is beyond me.

I bought one of those affected routers recently. Since DD-WRT has slower WiFi performance for that model I considered staying with the stock firmware... for about 30 minutes. When configuring device names, I think I used '-' in a name. The Web UI allowed it and saved it. On refresh the JS was all broken because of that character. No device list for me. Flashed it with DD-WRT, never looked back.
If you're using Asuswrt-Merlin, looks like these fixes are only available in the current 380.66 Beta builds: https://github.com/RMerl/asuswrt-merlin/blob/0e15da3404ccabbf13509a911c7ddc4a5efa5461/Changelog.txt#L5
The usual wifi router security rules apply:

- change the default password
- keep the firmware updated
- disable WPS
- if possible, change the port the web interface is running on (don't use port 80 or 443)
- disable the web interface if you are command line savvy
- disable wifi access to the web interface (require ethernet)
Is it time to get a "grown-up" firewall for my home?

I'm currently using a standard Apple Time Machine as a firewall/router, but with all this crap (crap router software/hack attempts/NSA shenanigans) going on, thinking about putting something more serious in front of it (connected to my broadband modem). Yeah.. I realize I'm sounding paranoid.. ;)

I'm thinking of Protectli's "Firewall Micro Appliance": https://www.amazon.com/dp/B01H2QJTM4

I believe it's FreeBSD and comes with pfSense. Thoughts?
Routers should run open source software so vulnerabilities can be patched by the community.

Router manufacturers want to push the latest hardware for profit. The only reason router manufacturers want to patch security vulnerabilities is negative press articles. Negative press would hurt future sales so it's better to patch the current product line. When the current product line is no longer sold, security patches stop but the use of the device by its users continues.

This is the reason we need to open source everything.

If it can be hacked it will be hacked.
Looks like anyone using third party firmware (such as https://wiki.openwrt.org/toh/start ) shouldn't be affected by the issues this advisory highlights.
This is one thing that pisses me off, more about the FCC who requested the routers be fully locked down... I used to buy all ASUS as before the change it was very easy to get third party (Tomato) firmware on them that was updated more regularly.
The 4G-AC55U router is also vulnerable but did not receive a security firmware update (last firmware release was a year ago on 2016-05-20) and is not listed on the page.

If you happen to be running this device you may want to apply precautionary measures.
Why don't routers simply host their admin panels on a separate and secured wireless network that is blocked from the internet? Although it sounds impractical, it would render so many of these CSRF/XSS exploits useless.