ASUS Wireless Routers Vulnerable to Attack from Local Network

Asustek Computer produces a wide range of technology products, from PCs and associated peripherals to routers used by consumers and businesses around the world. A vulnerability was recently discovered in Asuswrt, the firmware used on many Asus-branded routers. Once exploited, this vulnerability gives the hacker complete control of the router and, ultimately, the entire network. The flaw is located within a service called infosvr. Infosvr runs on Asuswrt-powered routers by default and is leveraged by the Asus Wireless Router Device Discovery Utility.

The service listens for all packets sent to the router’s LAN interface as UDP broadcasts on port 9999. Infosvr runs with root privileges, making this vulnerability extremely dangerous. Although hackers cannot exploit this vulnerability from the Internet, a hacker need only take control of a computer within the network or somehow gain access to the LAN, using social engineering or brute force hacking to determine the wireless network password.

Routers are perhaps an even more valuable target to hackers than a given PC because once the router has been compromised, every device on that network is now vulnerable to attack.

Even worse, it is much harder – if not impossible – to detect a compromised router because no antivirus programs exist for these devices. Once hackers have taken over an affected router, they can intercept and even modify all Internet traffic within the network. This includes the ability to strip SSL encryption (revealing sensitive information from online banking sessions) and use DNS hijacking techniques to spoof legitimate websites. At the time of this writing, the exact number of routers affected is unknown and until Asus releases a firmware patch for the vulnerability, there is little that can be done to defend against this threat without a fair amount of technical skill.


For instance, the easiest way to block this exploit is to create a firewall rule on the router that blocks UDP port 9999. Unfortunately, this cannot be done from the router’s Web-based administrative panel. Instead, users must connect to the router via Telnet and enter the following command into the command line interface (CLI):

    iptables -I INPUT -p udp --dport 9999 -j DROP

The problem with this method is that it requires a basic understanding of Telnet (which most modern PC users do not have) and the fix is not persistent. That means every time the router restarts, the command must be entered through Telnet. The only other fix available at this time is to install a custom router firmware version such as Asuswrt-Merlin.

This unofficial firmware adds additional functionality to the router and contains a persistent patch for this vulnerability. Unfortunately, installing custom firmware on a router voids the factory warranty and also requires a level of PC knowledge that many users simply do not possess.
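
Because the firewall rule given above is lost on every restart, the following shell script (an added example, not code from the original article or from Asus) checks whether the UDP 9999 DROP rule is still effective in the INPUT chain and re-inserts it if not. It assumes the router's iptables build supports the `-S` option; the demo ruleset and the `br0` interface name are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes an iptables build that supports -S.
PORT=9999
RULE="-A INPUT -p udp -m udp --dport $PORT -j DROP"

# Reads `iptables -S INPUT` output on stdin and prints one verdict:
#   blocked  - the DROP rule is reached before any ACCEPT that could match
#   shadowed - the DROP rule exists, but an earlier ACCEPT may match first
#   missing  - no DROP rule for the port (the state after a restart)
# Jumps to user-defined chains are not followed.
infosvr_rule_state() {
    accept_seen=0
    while IFS= read -r line; do
        case "$line" in
            "$RULE")
                if [ "$accept_seen" -eq 1 ]; then echo shadowed; else echo blocked; fi
                return 0 ;;
            *"! -"*"-j ACCEPT") accept_seen=1 ;;       # negated match: assume it applies
            *"-p tcp"*|*"-p icmp"*|*"-i lo "*) ;;      # cannot match LAN UDP traffic
            "-A INPUT"*"-j ACCEPT") accept_seen=1 ;;   # may accept UDP 9999 first
        esac
    done
    echo missing
}

# Inserts the article's rule at the top of INPUT unless it is already effective.
# Must run as root on the router; prints the state found before any change.
ensure_infosvr_block() {
    state=$(iptables -S INPUT | infosvr_rule_state)
    if [ "$state" != "blocked" ]; then
        iptables -I INPUT -p udp --dport "$PORT" -j DROP
    fi
    echo "$state"
}

# Constructed ruleset (br0 is an assumed LAN bridge name) showing a rule that
# was appended after a broad ACCEPT instead of inserted with -I.
demo_rules() {
    printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -i br0 -j ACCEPT' "$RULE"
}

case "${1:-}" in
    apply) ensure_infosvr_block ;;
    demo)  demo_rules | infosvr_rule_state ;;   # prints: shadowed
esac
```

Run with `apply` after each router restart; a `shadowed` verdict means a rule order in which the DROP never sees the packet, which is why the command uses `-I` rather than `-A`.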

Router vulnerabilities are especially dangerous because even after Asus releases an official patch, getting people to actually install it is problematic, to say the least. Unlike Windows updates, which usually occur automatically, firmware patches for routers must be flashed from within the Web-based Admin panel, and many people do not know how to accomplish this. This could allow hackers to take advantage of this vulnerability well after an official patch is released.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
