On the other hand, I probably would not have clicked through to the underlying article if it were not for the title as written (ASUS Router Sends Data to Third Party). The whole blog post feels a bit like an exercise in burying the lede.
The rest of the review is interesting, for sure, and worth reading. But the actual bombshell here is that the firmware indeed sends data about your browsing to trend micro if you activate some of the firmware's advanced features.
That title as given is completely uninteresting and does nothing to describe the interestingness of its content (or why the OP decided to post it in the first place).
I wanted to be able to suggest using something like ubiquiti or mikrotik.
But then I realize that I have no idea how secure/private those are either.
I imagine pfSense is good (or any of the forks) for privacy. But that can be pretty overkill, and really shouldnt be necessary just for a small SOHO router.
To be clear, this router does not spy on you. If you want to enable features like the virus detection service or traffic history / analysis, those features rely on upstream services and your data will be sent to ASUS / Trend Micro.
Unless I'm missing something from the article, I won't be trading in my ASUS, I just won't be turning these features on.
That's good but pricey. The new $49 expression bin board on kickstarter based on the Marvell Armada Aarch64 SOC with mainline support seems delightful for a router.
But the Turris may be a more suitable alternative to an off the shelf router.
Omnia is a good concept, but the execution isn't quite there yet. I had ordered one, which I ended up returning due to a broken hardware part and less than stellar software. Maybe in a couple of years, it will be a solid platform.
You can split it into a router and a wireless access point. Run pfsense or lede on the router, and use any commercial access point (ubiquiti seems to be a good bang for the buck).
Last I checked (RT-AC87U owner here), most of the features are still there, but still opt-in. I believe there's one I can't name off the top of my head that was neutered, though.
Btw anyone ever measured that gamer shaped wifi routers with fancy remote apps sell better? I was going to buy into Google's Wifi solution until I realized you manage it with an App. Is that really what customers want or is it just the marketers brainfart?
Typing in raw IPs in the URL bar is not something many laypeople are comfortable with exactly. Private LAN addresses seem odd if you navigate the web with a search engine.
On the other hand some ruters use url's like http://routerlogin.net and from my perspective that seems dodgy since that could mean all the routers are centrally configured somehow.
Apple's management app for the Airport line is one of the few great features of that product. So much more convenient than a web interface. Of course I don't trust anyone else to implement something half as good as what they did.
Google's wifi solution looks interesting. I don't know how friendly they are to tinkering and third party firmware, but there doesn't seem to be a big community around it. In theory, it should be possible since they are based on chromium OS.
I own an ASUS RT-AC68U. To be clear, this is an opt-in feature. When you switch the toggle button that enables any of these features, you're immediately greeted by the EULA, making it clear that what you're doing has more implications than just "turn the feature on".
I wanted to see bandwidth usage history/analysis, so I was going to enable it. When I was greeted by the scary EULA, I backed out and didn't turn it on.
To be fair, I'm not sure how a router like this could actually perform this functionality without sending information to an upstream service to manage the data. Simply not enough computing power / storage to support those features locally.
I don't want to send my data to ASUS/Trend Micro, so I didn't enable it. I don't think there's anything malicious going on here.
If I recall correctly, they're doing more than just giving you a graph of bandwidth consumption. They're giving you views of the data that show which apps are consuming the most data among other things. I can imagine why this may need additional processing - maintaining a mapping of addresses that make up "Dropbox" traffic as an example.
I always saw it as an attempt to put analysis/QoS tools into non-technical hands. You can absolutely do many of these things by yourself, but that's not who they're targeting.
I can certainly understand how some features in the list would require sending user data to Trend Micro - blocking malware domains, for example. This makes sense - and it already happens with all the major browsers.
I am less sure why, for many of the other examples in the list, the router can't just receive updates from ASUS/Trend Micro without sending user data abroad. Maintaining a local list of common software and popular services is not that onerous for such a device. People with less common software are not likely, as you said, to be who they are targeting.
As I understand the article, the current EULA means I have to give access to my data to a third party if I want my router to receive some useful information (say, mapping) from them. This is information which they could just give my router anyway, without needing my data, in many of the cases for which the EULA is required.
Ubiquity's products do traffic analysis locally, as you propose. Their Edgerouter X is MSRP $49 USD.. It's based on Debian/Vyatta.
On the router, without sending data to someone else's computer, it will give breakdowns based on Protocol & Destination (e.g. SIP, IMAP, Amazon, Facebook).
As I understand the definitions as downloaded periodically/automatically from Ubiquity.
So yes, this is not just theoretically possible, this capability exists in the marketplace, and it's demonstrably inexpensive to do.
Regarding if upstream service is needed for bandwidth usage history, as it needs computing power - well not at all. DD-WRT has basic banding report by days of month for close to 10 years [0]. I'm personally using it for 5+ years on a 20$ TP-Link and it just works, without the need of an external service.
The ASUS/Trend Micro feature is not basic bandwidth reporting. Yeah, I've run this kind of basic reporting on a Raspberry Pi before - if that's all that you're tracking, not much processing power is required.
These routers are giving other breakdowns of the data - by device, by service, by application, etc. See sibling comment as well.
I don't see how its a cpu issue. The router definitely isn't sending every packet but some kind of aggregate already whether by port or something. My guess is that the upstream service just have the map from the aggregate to app (dropbox or whatever). Now this allows them up update the mapping as apps change or add new app tracking but that can be easily done through a firmware update if they really want to.
I don't disagree that this might make it easier for them to support the feature but definitely not essential. If it wasn't the culture of sending things out as much this would have been designed differently.
A few years ago my mother had some problems with her internet, she had recently changed her old D-LINK to a brand new flagship ASUS router.
So while visiting her I played around with web interface and not many minutes in I managed to gain RCE allowing me to access a full root shell on the router via HTTP and I were even able to fetch the shadow-file. I searched the web and found several similar flaws,
Ever since whenever someone I know is about to buy an ASUS router I make sure to warn them and tell them to at least making sure to run the latest firmware if they go through with the purchase. As for my mother I brought over an old C2D-box which I hooked up with a couple of old Intel Pro Server GBE-nics, configured a NetBSD firewall+nat and reconfigured her router to act as a* dumb access point.
*Should I use an here since the object it is acting upon is started with a vowel or should I let the adjective rule the indefinite article? English isn't my first nor second language and I always struggle with these things so I appreciate any guidance.
I am sad to say this, but this is not such an unusual event in home routers [1]. I'd do the same as you, if not for the fact that it seems impossible to recommend any make/model of router to a home user that doesn't require expert knowledge to properly secure.
Your English is very good, I was skim-reading and actually didn't even notice any mistakes until I saw your question at the bottom so I re-read the whole thing, but I thought you may want some comments:
> and I were even able to fetch
should be "I was"
> to at least making sure
should be "to at least make sure"
Other than that a few commas would be nice to make some of those long sentences flow a bit smoother. If you were speaking, you'd need to take a breath somewhere!
You are doing ridiculously good for a third language though!!
I have a lot of respect for people who learn languages, it shows a lot of courage and curiosity.
>I'm not sure how a router like this could actually perform this functionality without sending information to an upstream service to manage the data.
Simple logging and graph construction aren't a big deal and don't take up many resources. Most likely the development work would have cost x dollars but Trend called up and said they'd do it for free, by selling this data, so ASUS took the deal. Your ASUS has a 1GHz dual-core ARM Cortex A9 processor. That's on par with entry-level server CPUs from less than 5-6 years ago and beats the Intel Atom today. Its not some anemic chipset unable to do anything. There's a powerhouse in that little box.
Let's not excuse greedy corporate decisions that ultimately victimize customers. If there's no corporate political will for privacy then this stuff will only continue. We certainly have the CPU, RAM, and storage heft to handle this even on budget devices.
See other comments, but I think this is less about raw computing power and more about the nature of those features. Classification of services/apps, storing multiple dimensions of historical data, etc. Certainly the case for the other features that aren't just bandwidth related.
I'm sure there's some truth to your point as well. The reality is probably somewhere in the middle: it's not a super easy problem to solve with a local-only solution, and farming it out to Trend Micro makes things easier for ASUS.
Interestingly, the Trend Micro relationship is presented as a feature in their marketing/product materials. Probably not unlike the Symantec badges that end up on some products.
> Let's not excuse greedy corporate decisions that ultimately victimize customers.
Look, I don't love the way these features were implemented, but let's be fair. Trend Micro is a security software company. The router is sold as "Trend Micro on board". You don't have to like the feature, but don't think it's fair to characterize this as "victimizing customers".
As a somewhat informed consumer and sysadmin I would automatically assume that means something like gateway AV, not unbelievably levels of snooping. I imagine most people would feel the same way and the marketing language is careful crafted to give that impression. Example in the wild:
"bought an ASUS AC-87U Router, do I still need an AV?"
After looking through that thread, I can't help but think that Mayahana and Mortal Raptor are both shills for Asus, and probably the same person. I wonder what they were banned for.
I use an Asus RT-68P. The EULA did scare me off from running all of the services listed in the article, with the exception of "Web History", where I do not recall having seen any indication that my history would be leaked. But, regardless I just turned off that function.
I agree with the author's disappointment in Dynamic DNS support. But, I followed instructions on the web[1] and added a cheap USB thumb-drive to run a script on every router boot. This script sets up a cron job that supports DuckDNS.org, and fixes other annoyances like turning off all the router's LEDs.
51 comments
[ 6.4 ms ] story [ 108 ms ] threadTitle, Review: ASUSWRT router firmware
Link to top of page, https://ctrl.blog/entry/review-asuswrt
The rest of the review is interesting, for sure, and worth reading. But the actual bombshell here is that the firmware indeed sends data about your browsing to trend micro if you activate some of the firmware's advanced features.
But then I realize that I have no idea how secure/private those are either.
I imagine pfSense is good (or any of the forks) for privacy. But that can be pretty overkill, and really shouldnt be necessary just for a small SOHO router.
Unless I'm missing something from the article, I won't be trading in my ASUS, I just won't be turning these features on.
But the Turris may be a more suitable alternative to an off the shelf router.
https://www.amazon.com/Mikrotik-Routerboard-RB2011UiAS-2HnD-...
This article is based on speculation. A EULA doesn't say what is happening, it merely states what the company might be allowed to do.
Asus is the one you will have to ask, I don't have any technical information on how the Trend Micro features work.
https://github.com/RMerl/asuswrt-merlin/issues/1348
I wanted to see bandwidth usage history/analysis, so I was going to enable it. When I was greeted by the scary EULA, I backed out and didn't turn it on.
To be fair, I'm not sure how a router like this could actually perform this functionality without sending information to an upstream service to manage the data. Simply not enough computing power / storage to support those features locally.
I don't want to send my data to ASUS/Trend Micro, so I didn't enable it. I don't think there's anything malicious going on here.
I always saw it as an attempt to put analysis/QoS tools into non-technical hands. You can absolutely do many of these things by yourself, but that's not who they're targeting.
I am less sure why, for many of the other examples in the list, the router can't just receive updates from ASUS/Trend Micro without sending user data abroad. Maintaining a local list of common software and popular services is not that onerous for such a device. People with less common software are not likely, as you said, to be who they are targeting.
As I understand the article, the current EULA means I have to give access to my data to a third party if I want my router to receive some useful information (say, mapping) from them. This is information which they could just give my router anyway, without needing my data, in many of the cases for which the EULA is required.
On the router, without sending data to someone else's computer, it will give breakdowns based on Protocol & Destination (e.g. SIP, IMAP, Amazon, Facebook).
As I understand the definitions as downloaded periodically/automatically from Ubiquity.
So yes, this is not just theoretically possible, this capability exists in the marketplace, and it's demonstrably inexpensive to do.
[0] https://www.dd-wrt.com/wiki/images/3/3c/TrafficByMonth.Sampl...
These routers are giving other breakdowns of the data - by device, by service, by application, etc. See sibling comment as well.
Edit: Screenshot of example: https://www.evernote.com/shard/s10/sh/0128aee2-dbae-48c3-b4d...
I don't disagree that this might make it easier for them to support the feature but definitely not essential. If it wasn't the culture of sending things out as much this would have been designed differently.
Ever since whenever someone I know is about to buy an ASUS router I make sure to warn them and tell them to at least making sure to run the latest firmware if they go through with the purchase. As for my mother I brought over an old C2D-box which I hooked up with a couple of old Intel Pro Server GBE-nics, configured a NetBSD firewall+nat and reconfigured her router to act as a* dumb access point.
*Should I use an here since the object it is acting upon is started with a vowel or should I let the adjective rule the indefinite article? English isn't my first nor second language and I always struggle with these things so I appreciate any guidance.
[1] For examples: https://www.google.co.uk/search?q=router+RCE
> and I were even able to fetch
should be "I was"
> to at least making sure
should be "to at least make sure"
Other than that a few commas would be nice to make some of those long sentences flow a bit smoother. If you were speaking, you'd need to take a breath somewhere!
You are doing ridiculously good for a third language though!!
I have a lot of respect for people who learn languages, it shows a lot of courage and curiosity.
Simple logging and graph construction aren't a big deal and don't take up many resources. Most likely the development work would have cost x dollars but Trend called up and said they'd do it for free, by selling this data, so ASUS took the deal. Your ASUS has a 1GHz dual-core ARM Cortex A9 processor. That's on par with entry-level server CPUs from less than 5-6 years ago and beats the Intel Atom today. Its not some anemic chipset unable to do anything. There's a powerhouse in that little box.
Let's not excuse greedy corporate decisions that ultimately victimize customers. If there's no corporate political will for privacy then this stuff will only continue. We certainly have the CPU, RAM, and storage heft to handle this even on budget devices.
I'm sure there's some truth to your point as well. The reality is probably somewhere in the middle: it's not a super easy problem to solve with a local-only solution, and farming it out to Trend Micro makes things easier for ASUS.
Interestingly, the Trend Micro relationship is presented as a feature in their marketing/product materials. Probably not unlike the Symantec badges that end up on some products.
> Let's not excuse greedy corporate decisions that ultimately victimize customers.
Look, I don't love the way these features were implemented, but let's be fair. Trend Micro is a security software company. The router is sold as "Trend Micro on board". You don't have to like the feature, but don't think it's fair to characterize this as "victimizing customers".
As a somewhat informed consumer and sysadmin I would automatically assume that means something like gateway AV, not unbelievably levels of snooping. I imagine most people would feel the same way and the marketing language is careful crafted to give that impression. Example in the wild:
"bought an ASUS AC-87U Router, do I still need an AV?"
https://www.wilderssecurity.com/threads/bought-an-asus-ac-87...
Their posts read like ads for the router.
http://tomato.groov.pl/
I agree with the author's disappointment in Dynamic DNS support. But, I followed instructions on the web[1] and added a cheap USB thumb-drive to run a script on every router boot. This script sets up a cron job that supports DuckDNS.org, and fixes other annoyances like turning off all the router's LEDs.
[1] https://www.securityforrealpeople.com/2015/08/cron-on-asus.h...
Edit: Grammar, and a clarification.