Consumers who own an Asus RT-AC68U, RT-AC56U, RT-AC66U, RT-N66U or RT-N16 wireless broadband router would be well advised to keep an eye out for a new firmware update that adjusts the devices' default security settings. The change is designed to stop attached USB storage drives from becoming accessible to the Internet.
According to an article on PC World, which has also been spotted by Thinkbroadband, consumers who attached an external USB flash / storage drive to one of the routers and then activated it (either manually or by using the built-in wizard) found that the contents of the device could then become accessible via the Internet using the File Transfer Protocol (FTP). Crucially, remote users did not appear to need a password in order to gain access.
ASUS Statement
“The update changes the default security setting from unlimited to limited access rights when setting up a FTP server. This change will ensure that the end user doesn’t leave their FTP server unprotected by mistake and also make it easier to understand the implications of the different security options.”
Admittedly, most savvy Internet users would know to check such settings and could then adjust them to introduce a password or limit access, but allowing open FTP access by default is clearly not desirable and mistakes could easily have been made.
The vulnerability itself is not fully explained, but in theory all the hacker would have needed to gain access to your USB drive, once activated, is your connection's IP address and the FTP port (usually port 21). At the time of writing, Asus has already issued a new firmware update for their high-end RT-AC68U model (here) and the other listed routers are due to follow.
ASUS RT-AC68U Firmware version 3.0.0.4.374.573
Modified:
1. Modified AiDisk setup wizard to prevent a potential security issue.
2. Modified USB LED behavior.
3. Improved openVPN performance.
Fixes:
1. Fixed some UI issues.
2. Fixed parental control schedule issues.
3. Fixed openVPN related issues.
4. Fixed CFE nvram check issue.
Additions:
1. Add support USB hub.
2. Add wireless watchdog.
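A self-audit for the exposure described above, as an added example that is not from the article or from ASUS: it reports whether an FTP service accepts a login without a real password. The function names, the result strings and the loopback `FakeFTP` server (constructed so the example runs offline) are assumptions.

```python
import ftplib
import socketserver
import threading

def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Return 'closed', 'auth_required', 'anonymous_allowed' or 'error'."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        ftp.close()
        return "closed"              # nothing answering as FTP on this port
    try:
        ftp.login()                  # ftplib sends USER anonymous / PASS anonymous@
        return "anonymous_allowed"   # no real password needed: exposed
    except ftplib.error_perm:
        return "auth_required"       # 5xx reply, e.g. 530: credentials enforced
    except ftplib.all_errors:
        return "error"               # timeout or malformed reply
    finally:
        ftp.close()

class FakeFTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a router FTP service; answers USER/PASS only."""
    allow_anonymous = True

    def handle(self):
        self.wfile.write(b"220 constructed test server\r\n")
        for line in self.rfile:
            cmd = line.split(b" ")[0].strip().upper()
            if cmd == b"USER":
                self.wfile.write(b"331 password required\r\n")
            elif cmd == b"PASS" and self.allow_anonymous:
                self.wfile.write(b"230 logged in\r\n")
            else:
                self.wfile.write(b"530 login incorrect\r\n")

def demo(allow_anonymous):
    """Run the check against a loopback FakeFTP with the given policy."""
    handler = type("Handler", (FakeFTP,), {"allow_anonymous": allow_anonymous})
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_anonymous_ftp("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print("open default:", demo(True))
    print("restricted:  ", demo(False))
```

Run `check_anonymous_ftp` against your own router's WAN address from outside your network; a result of `anonymous_allowed` means the FTP service is accepting logins without a password.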