Darknet Diaries aired an episode back in 2017[1] that discusses the widespread vulnerabilities of ASUS routers. This latest development comes as no surprise.
It's a Shared Port feature and you still need to assign an address to it somehow. You won't get the SSH for the BMC on your OSE public address.
lotharcable · 15h ago
> Disabling the 'backdoor' seems to just involve disabling SSH.
Maybe. My guess is these are essentially Linux systems, so if attackers know that their exploits are widely known then they will likely try to figure out ways to install kernel mod rootkits.
It'll then end up in a situation like the Windows XP/Vista days, where IT desktop support staff would run malware removal tools to get rid of porn pop-ups on desktops only to have "reinfections" pop up a day or a week or two later.
They'd blame users for this, but really they just never actually removed the command and control botnet features. They just addressed their payloads. The machines were never actually fixed in the first place.
ChocolateGod · 15h ago
> Maybe. My guess these are essentially Linux systems
IIRC ASUS router firmware is based on an old fork of Tomato, which is a Linux based router OS.
Saris · 15h ago
Yeah the article says the fix is just a factory reset or disabling SSH, so at least it's easy to solve this one.
mrandish · 12h ago
For a home user, you can also set SSH to be Local LAN only, which is how I have mine set anyway.
lotharcable · 15h ago
My point was that if the attackers cared enough to put (not much) effort into keeping control of these routers then neither of those approaches is likely to be sufficient.
This sort of thing is why there is such an emphasis on TPM and trusted boot on modern PCs.
ryandrake · 6h ago
I wonder if these backdoors also exist on devices with the Asuswrt-Merlin[1] third-party firmware, which is a fork of the official firmware plus a bunch of stuff.
It is quite funny and insane that there aren't any quality vendors in the router/switch market (though I can't say anything about $10k+ hardware). The same phenomenon exists with domain name registrars (except one or two are feasible). Oh, and the printer market (one or two are feasible).
Aluminum0643 · 6h ago
MikroTik, mentioned in this thread, are very solid and way under $10k...
jwilk · 16h ago
"Malware-free backdoors"? What does that mean?
Saris · 15h ago
It's accessing the router via the built in SSH server, so no malware needs to be installed on the router.
loa_in_ · 11h ago
It's a bug or a misconfiguration; here, a misconfiguration included in the default config.
lotharcable · 15h ago
The attackers are using features built into the firmware. They don't have to install any of their own software.
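The last few comments describe a misconfiguration rather than an implant: the built-in sshd is left reachable and usable, so nothing has to be dropped on the box. That is something you can audit from the router's own shell. The script below is an added example, not code from the thread, from ASUS or from Asuswrt-Merlin. It reads an nvram-style `key=value` dump and an authorized_keys list, flags sshd being reachable from the WAN side (the setting the "LAN only" advice above changes), password logins being accepted, and any SSH key the owner did not install. The variable names `sshd_enable`, `sshd_wan`, `sshd_pass` and `sshd_port`, the sample dumps and the sample keys are all constructed assumptions modelled on Asuswrt-style firmware; confirm the real names with `nvram show | grep '^sshd_'` on your own unit.

```shell
#!/bin/sh
# Added example: offline audit of the SSH exposure discussed in the thread.
# Not from the thread, ASUS, or Asuswrt-Merlin. The nvram variable names
# (sshd_enable, sshd_wan, sshd_pass, sshd_port) are assumptions modelled on
# Asuswrt-style firmware; confirm them with `nvram show | grep '^sshd_'`.

# Constructed sample of the sshd-related part of an `nvram show` dump,
# in the weak state: sshd on, reachable from the WAN, passwords accepted.
SAMPLE_NVRAM_WEAK='sshd_enable=1
sshd_wan=1
sshd_pass=1
sshd_port=22'

# Constructed hardened counterpart: sshd on, LAN side only, keys only.
SAMPLE_NVRAM_HARDENED='sshd_enable=2
sshd_wan=0
sshd_pass=0
sshd_port=22'

# Constructed authorized_keys: the owner's key plus one they never installed.
# The key material is fake base64, not a real key.
SAMPLE_AUTH_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyFakeBase64 owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDintruderFakeKey attacker'

# Key material (not the comment field, which an attacker controls) that the
# owner knows they installed. Constructed.
OWNER_KEYS='AAAAC3NzaC1lZDI1NTE5AAAAIOwnerKeyFakeBase64'

# nv_get DUMP KEY: print the value of KEY from an nvram-style key=value dump,
# or nothing if the key is absent.
nv_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# unknown_keys AUTHKEYS KNOWN: print every authorized_keys line whose key
# material does not appear (as a whole line) in KNOWN.
unknown_keys() {
    printf '%s\n' "$1" | while read -r ktype kdata kcomment; do
        [ -z "$kdata" ] && continue
        printf '%s\n' "$2" | grep -qxF -- "$kdata" || printf '%s %s %s\n' "$ktype" "$kdata" "$kcomment"
    done
}

# audit_ssh_config DUMP AUTHKEYS KNOWN: print one finding per line and return
# 1 if anything was found, 0 if the configuration is clean.
audit_ssh_config() {
    rc=0
    enable=$(nv_get "$1" sshd_enable)
    wan=$(nv_get "$1" sshd_wan)
    pass=$(nv_get "$1" sshd_pass)
    port=$(nv_get "$1" sshd_port)

    if [ "${enable:-0}" != 0 ] && [ "${wan:-0}" = 1 ]; then
        echo "WAN-EXPOSED: sshd enabled and reachable from the internet on port ${port:-22}"
        rc=1
    fi
    if [ "${enable:-0}" != 0 ] && [ "${pass:-0}" = 1 ]; then
        echo "PASSWORD-AUTH: sshd accepts passwords, so the admin password alone is a shell"
        rc=1
    fi
    bad=$(unknown_keys "$2" "$3")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/UNKNOWN-KEY: /'
        rc=1
    fi
    return "$rc"
}

# Demo against the constructed samples. The second run shows why disabling
# or restricting sshd is not the whole fix: the planted key is still there.
audit_ssh_config "$SAMPLE_NVRAM_WEAK" "$SAMPLE_AUTH_KEYS" "$OWNER_KEYS" || echo "weak config: findings above"
audit_ssh_config "$SAMPLE_NVRAM_HARDENED" "$SAMPLE_AUTH_KEYS" "$OWNER_KEYS" || echo "hardened nvram settings do not remove an already-planted key"
```

On a real unit you would feed the function the live values, something like `audit_ssh_config "$(nvram show 2>/dev/null | grep '^sshd_')" "$(cat /path/to/authorized_keys)" "$OWNER_KEYS"`; where the authorized keys live varies by firmware (on Asuswrt-style firmware they are held in nvram rather than a file), so that second argument is yours to adjust. Note that a clean result only says the sshd path is closed; it says nothing about what else an attacker may have changed, which is the point lotharcable makes above about a factory reset being the safer option.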
lotharcable · 15h ago
Banana Pi BPI-R3 with OpenWRT is how I learned to deal with crappy consumer "wifi router" devices without breaking the bank.
Very effective.
alyandon · 15h ago
I reached a similar point where I was done dealing with crappy consumer gear but even OpenWRT didn't help my situation much because the hardware I had was just plain bad.
That's when I decided to switch to Mikrotik routers and Ubiquiti for APs and have had no regrets about that decision other than the relatively steep learning curve.
Bender · 14h ago
Similar here. I use Protectli firewalls that use coreboot and are hardware optimized to be overpowered routers. I install Alpine Linux on them.
[1] https://darknetdiaries.com/episode/5/
Another example: https://github.com/advisories/GHSA-x6hq-v32r-w2qr
Disabling the 'backdoor' seems to just involve disabling SSH.
Fun fact: Supermicro motherboards do this by default too if you don't connect anything to their dedicated BMC network port: https://www.supermicro.com/manuals/other/IPMI_Users_Guide.pd...
[1] https://www.asuswrt-merlin.net