24 comments

[ 3.2 ms ] story [ 49.0 ms ] thread
It sounds like Asus screwed up and made the admin UI and SSH accessible via the WAN port, which is a huge issue in itself.

Disabling the 'backdoor' seems to just involve disabling SSH.

> Disabling the 'backdoor' seems to just involve disabling SSH.

Maybe. My guess these are essentially Linux systems, so if attackers know that their exploits are widely known then they will likely try to figure out ways to install kernel mod rootkits.

It'll then end up in a situation with Windows XP/Vista days were IT desktop support staff would run malware removal tools to get rid of porn pop-ups on desktops only to have "reinfections" pop up a day or week or two later.

They'd blame users for this, but really they just never actually removed the command and control botnet features. They just addressed their payloads. The machines were never actually fixed in the first place.

Yeah the article says the fix is just a factory reset or disabling SSH, so at least it's easy to solve this one.
My point was that if the attackers cared enough to put (not much) effort into keeping control of these routers then neither of those approaches is likely to be sufficient.

This sort of thing is why there is such a emphasis on TPM and trusted boot on modern PCs.

For a home user, you can also set SSH to be Local LAN only, which is how I have mine set anyway.
> Maybe. My guess these are essentially Linux systems

IIRC ASUS router firmware is based on an old fork of Tomato, which is a Linux based router OS.

> screwed up and made the admin UI and SSH accessible via the WAN port

Fun fact: Supermicro motherboards do this by default too if you don't connect anything to their dedicated BMC network port: https://www.supermicro.com/manuals/other/IPMI_Users_Guide.pd...

It's a Shared Port feature and you still need to assign an address to it somehow. You won't get the SSH for the BMC on you OSE public address.
"Malware-free backdoors"? What does that mean?
The attackers are using features built into the firmware. They don't have to install any of their own software.
It's accessing the router via the built in SSH server, so no malware needs to be installed on the router.
It's a bug or a misconfiguration, here a misconfiguration included in default config.
Banana Pi BPI-R3 with OpenWRT is how learned to deal with crappy consumer "wifi router" devices without breaking the bank.

Very effective.

I reached a similar point where I was done dealing with crappy consumer gear but even OpenWRT didn't help my situation much because the hardware I had was just plain bad.

That's when I decided to switch to Mikrotik routers and Ubiquity for APs and have had no regrets about that decision other than the relatively steep learning curve.

Similar here. I use Protectli firewalls that use CoreBoot and are hardware optimized to be overpowered routers. I install Alpine Linux on them.
VyOS is another good option.
(comment deleted)
It is quite funny and insane, that there isn't any quality vendors in the router/switch market (though can't say anything of $10k+ hardware). Same phenomenon is with domain name registrars (except one or two are feasible). Oh, and printer market (one or two are feasible).
MikroTik, mentioned in this thread, are very solid and way <10K$...
AVM Fritzboxes are pretty good, no shenanigans and lots of features. Not the best for maximun WiFi or DSL speed at the longest ranges.
I wonder if these backdoors also exist on devices with the Asuswrt-Merlin[1] 3rd party firmware, which are forks of the official firmwares + a bunch of stuff.

1: https://www.asuswrt-merlin.net