ASUS routers may be showing your personal files to EVERYONE
One of the main advantages to using a router is knowing that your personal information is kept away from the privy eyes of the Internet, unless you choose to make the data publicly available. A number of ASUS routers, however, are making files stored behind them visible to everyone, which basically renders them useless if security is of concern (which it usually is).
The behavior is present when the AiCloud feature is enabled. It allows users to remotely access files on the network, through a mobile app, including content stored on USB-connected hard drives. The last bit is what is available for the whole Internet to see. Why? Two vulnerabilities, which allow anonymous access to the built-in FTP server and the storing of user names and passwords in plain text, have not been fixed in due time by ASUS, after a security researcher reported their existence to the company in June of last year. Yeah, many months have passed since.
According to ArsTechnica, ASUS has reportedly denied that the first one is even a vulnerability, but rather intended behavior. While such a configuration may have its purpose in public networks, in private scenarios enabling such a permission by default makes no sense from a security standpoint. It is no wonder then that a group of hackers decided to shed light on what this can entail, and as such has published a BitTorrent magnet link to vulnerable content. This whole thing even has a name, ASUSgate. You can check if your IP is among the targeted ones here.
By now you are wondering which ASUS routers are affected. Well, the list includes the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16 and RT-N16R, according to the researcher who uncovered the two vulnerabilities (check the link in the first paragraph for the whole rundown on the man's findings).
Ironically enough, I decided to buy an ASUS RT-AC66U last year with the sole purpose of speeding up file transfers between my Wi-Fi 802.11 ac-enabled Apple MacBook Air and a 4 TB NAS. Luckily, the latter was not connected via USB to the router nor did I see any new file on it claiming it has been hacked (like others have). Then again, I have no practical way of knowing if my content has been safely stored.
The security researcher offers a couple of workarounds to remedy the problem, but since the man uncovered the findings ASUS has released firmware updates for affected routers that allegedly fix those vulnerabilities. So make sure you grab the latest available version from the company's support site (check the version there first, before relying on the router's built-in firmware-checking feature).
To add more salt to the wound of router manufacturers, a report also reveals Linksys routers have been targeted by a "mass exploit". This occurs on the E1000 and E1200 devices. Undoubtedly, both ASUS and Linksys wish to put February behind them as soon as possible.