ASUS router owners should always leave their firewall on

Feb 12, 2016 12:20 GMT
UI flaw in ASUS SoHo router admin panels accidentally exposes devices online

A design flaw in the Web administrative panel of some ASUS SoHo routers accidentally exposes the devices to the Internet, even if the owner has configured the router against this type of scenario.

According to independent security researcher David Longenecker, the issue affects all ASUS routers running ASUSWRT firmware, which is open source, GNU/Linux-based router firmware.

You can tell if your router is running ASUSWRT firmware by its make and model. If there's "RT-" somewhere in the router's name, then you should take the time to keep reading this article.

Don't disable the firewall

As Mr. Longenecker discovered, there are two settings in the options panel of these routers that can cause issues. You have "Enable Web Access from WAN: No" in the WAN section, and "Enable Firewall: Yes" in the Firewall section.

The trick is that if users disable the device's firewall, this automatically allows connections to the device's admin panel from the external network (the Internet), regardless of whether the other option is set to "No."

At its core, the issue relates to how certain configuration lines are placed inside the router's firewall (the iptables service): when the firewall is turned off, the external access protection is automatically disabled along with it.

The problem is that when users disable the firewall, the other setting doesn't automatically go to "Yes," nor does the router's admin panel UI show a popup, telling the user they just disabled a key security feature without knowing. Mr. Longenecker has informed ASUS of the issue, and the company is working on a firmware update to correct it.
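
The interaction described above can be audited by evaluating a router's INPUT chain for a new connection arriving on the WAN side. This is an added example, not code from the article, the researcher or ASUSWRT; the two rule sets are constructed and simplified, and `eth0`, `br0` and ports 80/8443 are assumed names for the WAN interface, the LAN bridge and the admin panel ports.

```python
import shlex

# Constructed, simplified `iptables -S` output; NOT ASUSWRT's real rule set.
# Assumed names: eth0 = WAN interface, br0 = LAN bridge.
FIREWALL_ON = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
"""
# Assumed state with the firewall disabled: no rules, policy ACCEPT.
FIREWALL_OFF = "-P INPUT ACCEPT\n"


def parse(rules_text):
    """Return (default_policy, rules) for the INPUT chain.
    Handles plain '-flag value' pairs only (no '!' negation)."""
    policy, rules = "ACCEPT", []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return policy, rules


def verdict(rules_text, iface, dport):
    """Verdict for a NEW inbound TCP connection on iface to dport."""
    policy, rules = parse(rules_text)
    for r in rules:
        if "--state" in r and "NEW" not in r["--state"].split(","):
            continue  # matches only already-established traffic
        if r.get("-i", iface) != iface or r.get("-p", "tcp") != "tcp":
            continue
        if r.get("--dport", str(dport)) != str(dport):
            continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return r["-j"]  # first terminating match wins
    return policy  # nothing matched: chain policy decides


def wan_admin_ports_open(rules_text, wan_if="eth0", ports=(80, 8443)):
    """Admin-panel ports (assumed 80/8443) reachable from the WAN side."""
    return [p for p in ports if verdict(rules_text, wan_if, p) == "ACCEPT"]


if __name__ == "__main__":
    for name, rules in (("on", FIREWALL_ON), ("off", FIREWALL_OFF)):
        print(f"firewall {name}: WAN-reachable admin ports:",
              wan_admin_ports_open(rules))
```

In the constructed "on" rule set there is no rule dedicated to the admin panel: WAN access is blocked only because nothing accepts it before the final DROP, so removing the firewall rules removes that protection as well.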

Over 137,000 ASUS routers are exposed on the Internet

A quick Shodan search showed Mr. Longenecker that over 122,000 ASUS routers running ASUSWRT firmware allow attackers to access their admin login via HTTP, and another 15,000 devices via HTTPS.

If router owners have not changed the default admin username & password combination, attackers would be allowed to log in and take over their device.

Additionally, even if the router's owner uses a secure custom password, there are still vulnerabilities in older models (that have not been patched) that allow attackers to bypass the login and eventually take over the device. Like this one, for example.

To avoid getting your router pwned by script kiddies, until ASUS puts out new firmware updates, you should always leave your firewall on and have the "Enable Web Access from WAN" setting left on "No."
