Asus router backdoors affect 9K devices, persist after firmware updates

47 Bender 23 5/29/2025, 12:02:30 PM scworld.com ↗

Comments (23)

ctippett · 1d ago
Of course it's ASUS.

Darknet Diaries aired an episode back in 2017[1] that discusses the widespread vulnerabilities of ASUS routers. This latest development comes as no surprise.

[1] https://darknetdiaries.com/episode/5/

pixl97 · 1d ago
ASUS is especially bad at security all around.

Another example: https://github.com/advisories/GHSA-x6hq-v32r-w2qr

Tepix · 1d ago
Guess they are competing with Cisco, eh?

Saris · 1d ago
It sounds like Asus screwed up and made the admin UI and SSH accessible via the WAN port, which is a huge issue in itself.

Disabling the 'backdoor' seems to just involve disabling SSH.

Lammy · 1d ago
> screwed up and made the admin UI and SSH accessible via the WAN port

Fun fact: Supermicro motherboards do this by default too if you don't connect anything to their dedicated BMC network port: https://www.supermicro.com/manuals/other/IPMI_Users_Guide.pd...

justsomehnguy · 1d ago
It's a Shared Port feature and you still need to assign an address to it somehow. You won't get the SSH for the BMC on your OSE public address.

lotharcable · 1d ago
> Disabling the 'backdoor' seems to just involve disabling SSH.

Maybe. My guess is that these are essentially Linux systems, so if attackers know that their exploits are widely known then they will likely try to figure out ways to install kernel-mod rootkits.

It'll then end up in a situation like the Windows XP/Vista days, where IT desktop support staff would run malware removal tools to get rid of porn pop-ups on desktops, only to have "reinfections" pop up a day or a week or two later.

They'd blame users for this, but really they just never actually removed the command and control botnet features. They just addressed their payloads. The machines were never actually fixed in the first place.

ChocolateGod · 1d ago
> Maybe. My guess these are essentially Linux systems

IIRC ASUS router firmware is based on an old fork of Tomato, which is a Linux based router OS.

Saris · 1d ago
Yeah, the article says the fix is just a factory reset or disabling SSH, so at least it's easy to solve this one.

mrandish · 1d ago
For a home user, you can also set SSH to be Local LAN only, which is how I have mine set anyway.
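
One way to check for the exposure Saris and mrandish describe, as an added example that is not code from the article, from ASUS, or from anyone in this thread: a small audit of an `nvram show` style dump that flags SSH or the web admin UI being reachable from the WAN, and shows the corrected (LAN-only / off) settings beside the weak ones. The key names `sshd_enable` and `misc_http_x` and their value encodings are assumptions in the Asuswrt-Merlin style; the sample dump is constructed.

```python
"""Audit an Asuswrt-style `nvram show` dump for admin services reachable from the WAN.

Added example for this thread, not code from the article or from ASUS. The
key names and value encodings are assumptions in Asuswrt / Asuswrt-Merlin
style: sshd_enable (0 = off, 1 = LAN + WAN, 2 = LAN only) and misc_http_x
(1 = web admin reachable from the WAN). Check them against `nvram show` on
your own router before relying on this.
"""

from dataclasses import dataclass

# Constructed sample dump: the weak configuration the thread describes,
# with SSH and the web admin UI both reachable on the WAN side.
WEAK_DUMP = """\
lan_ipaddr=192.168.50.1
sshd_enable=1
sshd_port=22
misc_http_x=1
misc_httpport=8443
wan0_proto=dhcp
"""


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    message: str


def parse_nvram(dump: str) -> dict[str, str]:
    """Parse key=value lines; skip blank or malformed lines rather than fail."""
    settings: dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_exposure(settings: dict[str, str]) -> list[Finding]:
    """Return one Finding per admin service that is reachable from the WAN."""
    findings: list[Finding] = []
    sshd = settings.get("sshd_enable", "0")
    if sshd == "1":
        findings.append(Finding(
            "sshd_enable", sshd,
            f"SSH listens on the WAN (port {settings.get('sshd_port', '22')}); "
            "set to 2 (LAN only) or 0 (disabled)",
        ))
    http_x = settings.get("misc_http_x", "0")
    if http_x == "1":
        findings.append(Finding(
            "misc_http_x", http_x,
            f"web admin UI reachable from the WAN "
            f"(port {settings.get('misc_httpport', '8443')}); set to 0",
        ))
    return findings


def remediate(settings: dict[str, str]) -> dict[str, str]:
    """Return a copy with the exposed services restricted to the LAN, as the
    thread suggests: SSH LAN-only, WAN access to the web UI off."""
    fixed = dict(settings)
    if fixed.get("sshd_enable") == "1":
        fixed["sshd_enable"] = "2"
    if fixed.get("misc_http_x") == "1":
        fixed["misc_http_x"] = "0"
    return fixed


if __name__ == "__main__":
    before = parse_nvram(WEAK_DUMP)
    for f in audit_exposure(before):
        print(f"{f.key}={f.value}: {f.message}")
    after = remediate(before)
    print("after remediation:", audit_exposure(after) or "no WAN-exposed admin services")
```

Run it against the output of `nvram show` from your own router (after confirming the key names match your firmware); an empty findings list after `remediate` is the LAN-only state mrandish describes, and a factory reset plus re-checking the dump is the other path the article gives.
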
lotharcable · 1d ago
My point was that if the attackers cared enough to put (not much) effort into keeping control of these routers then neither of those approaches is likely to be sufficient.

This sort of thing is why there is such an emphasis on TPM and trusted boot on modern PCs.

0xCE0 · 1d ago
It is quite funny and insane that there aren't any quality vendors in the router/switch market (though I can't say anything about $10k+ hardware). The same phenomenon exists with domain name registrars (except one or two are feasible). Oh, and the printer market (one or two are feasible).

ahartmetz · 20h ago
AVM Fritzboxes are pretty good, no shenanigans and lots of features. Not the best for maximum WiFi or DSL speed at the longest ranges.

Aluminum0643 · 1d ago
MikroTik, mentioned in this thread, are very solid and way <10K$...

ryandrake · 1d ago
I wonder if these backdoors also exist on devices with the Asuswrt-Merlin[1] 3rd-party firmware, which is a fork of the official firmware plus a bunch of stuff.

1: https://www.asuswrt-merlin.net

jwilk · 1d ago
"Malware-free backdoors"? What does that mean?

Saris · 1d ago
It's accessing the router via the built-in SSH server, so no malware needs to be installed on the router.

loa_in_ · 1d ago
It's a bug or a misconfiguration, here a misconfiguration included in the default config.

lotharcable · 1d ago
The attackers are using features built into the firmware. They don't have to install any of their own software.

lotharcable · 1d ago
Banana Pi BPI-R3 with OpenWRT is how I learned to deal with crappy consumer "wifi router" devices without breaking the bank.

Very effective.

alyandon · 1d ago
I reached a similar point where I was done dealing with crappy consumer gear but even OpenWRT didn't help my situation much because the hardware I had was just plain bad.

That's when I decided to switch to Mikrotik routers and Ubiquiti for APs and have had no regrets about that decision other than the relatively steep learning curve.

Bender · 1d ago
Similar here. I use Protectli firewalls that use CoreBoot and are hardware optimized to be overpowered routers. I install Alpine Linux on them.

g8oz · 1d ago
VyOS is another good option.