Asustek Computer produces a wide range of technology products ranging from PCs and associated peripherals to routers used by consumers and businesses around the world. A vulnerability was recently discovered in Asuswrt, the firmware used on many Asus branded routers. Once exploited, this vulnerability gives the hacker complete control of the router and ultimately, the entire network. The flaw is actually located within a service called infosvr. Infosvr runs on Asuswrt-powered routers by default and is leveraged by the Asus Wireless Router Device Discovery Utility.
The service listens to all packets sent to the router’s LAN interface through a UDP broadcast on port 9999. Infosvr runs with root privileges – making this vulnerability extremely dangerous. Although hackers cannot exploit this vulnerability from the Internet, a hacker need only take control of a computer within the network or somehow gain access to the LAN using social engineering or brute force hacking to determine the wireless network password.
Routers are perhaps an even more valuable target to hackers than a given PC because once the router has been compromised, every device on that network is now vulnerable to attack.
Even worse, it is much harder – if not impossible – to detect a compromised router because no antivirus programs exist for these devices. Once hackers have taken over an affected router, they can intercept and even modify all Internet traffic within the network. This includes the ability to strip SSL encryption (revealing sensitive information from online banking sessions) and use DNS hijacking techniques to spoof legitimate websites. At the time of this writing, the exact number of routers affected is unknown and until Asus releases a firmware patch for the vulnerability, there is little that can be done to defend against this threat without a fair amount of technical skill.
For instance, the easiest way to block this exploit is to create a firewall rule on the router that blocks UDP port 9999. Unfortunately, this cannot be done from the router’s Web-based administrative panel. Instead, users must connect to the router via Telnet and enter the following command into the command line interface (CLI): iptables –I INPUT –p udp–dport 9999 –j DROP The problem with this method is that it requires a basic understanding of Telnet (which most modern PC users do not have) and the fix is not persistent. That means every time the router restarts, the command must be entered through Telnet. The only other fix available at this time is to install a custom router firmware version such as Asuswrt-Merlin.
This unofficial firmware adds additional functionality to the router and contains a persistent patch for this vulnerability. Unfortunately, installing custom firmware on a router voids the factory warranty and also requires a level of PC knowledge that many users simply do not possess.
Router vulnerabilities are especially dangerous because even after Asus releases an official patch, getting people to actually install it is problematic to say the least. Unlike Windows updates which usually occur automatically, firmware patches for routers must be flashed from within the Web-based Admin panel and many people do not know how to accomplish this. This could allow hackers to take advantage of this vulnerability well after an official patch is released.