Asus router warnings on privacy and security

I ran across a most unusual router review today, written by Daniel Aleksandersen.

For one thing, it was not a review of a specific model (though the author uses an Asus RT-AC87U). Instead it reviewed ASUSWRT, the stock firmware (router operating system) used in Asus routers. Think of it as a review of General Motors rather than the Buick Regal. As such, there was none of the usual focus on Wi-Fi speed and range.

And, while most reviews are written after a brief testing period, it was obvious that Aleksandersen has lived with his router for a long time.

Perhaps most importantly, the router in question was paid for by Aleksandersen, which left him free to say negative things about it. Too many reviews are written about routers loaned, or given, to the reviewers, which decreases the likelihood of negative comments.

TREND MICRO

To me, the most significant issue cited by Aleksandersen had to do with privacy. Asus routers include software from Trend Micro that comes into play when using any of these features: Apps/traffic Analysis, Bandwidth Monitor, Network Analyzer, Network Protection (AiProtection), Parental Controls, Quality-of-Service, Web History and Network Map.

Use of these features is governed by a EULA with a big gotcha - data passing through the router may be sent to Trend Micro.

If the router thinks the URL of a visited website might be fraudulent, it sends the URL to Trend Micro. Executable files, or content that is identified as potential malware, are also sent to the mother ship.

So too, email messages may be forwarded by the router to Trend Micro. The EULA warns that "Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router."

If that's not sufficient, there's even a dessert after this main course.

Not only does the router owner have to agree to all this, but, according to Aleksandersen,

The EULA also contains language holding the router’s owner responsible for notifying their friends, family, and house guests who connect to the internet through the ASUS router that any network activity may be recorded and shared with Trend Micro.

Writing in Techworld, John Dunn had raised this very same issue back in 2015. 

Owners might want to have a close look at the End User License Agreement (EULA) for this system, which is where privacy concerns rear their head .... Trend micro will have access to all websites and services visited while the software is enabled ... This isn't to criticise the router for offering this form of security simply to underline that it comes with a level of passive intrusion some might baulk at in other contexts.

Dunn points out that ISPs can collect the same data. But that has been common knowledge for decades and, in contrast, no one expects their router to phone home their activities. Also, there is a defense against ISP spying: both Tor and a VPN can prevent the ISP from seeing anything.

FIRMWARE

When it comes to firmware, Asus seems firmly planted in the bad old days. The owners of Asus routers are burdened both with learning about software updates on their own, and then manually installing them. Aleksandersen writes:

... there are no automated updates nor a system for notifying them of any updates. There is no push-notification to the mobile app, email list where you can be notified, appcast (an RSS feed with updates), or any other method to be notified of updates. Users are expected to regularly visit the router’s web administration interface or app and click "check for updates."

The most interesting aspect of this is that the U.S. government has mandated that it not be this way. In February 2016, the FTC reached a settlement with Asus regarding the poor security of their routers. At the time, the FTC said:

ASUS must notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification).

Here we are, over a year later, and, according to Aleksandersen, there is still no passive notification of firmware updates.

And, while on the subject, the FTC noted last year that "... the router’s software update tool - which allowed consumers to check for new router software - often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available." 

UPDATE May 8, 2017: Someone from Asus claimed that this currently works correctly. 

BUGS

Another issue Aleksandersen raised is whether Asus can create a secure product. He writes:

The number of remote access and arbitrary code execution vulnerabilities that regularly show up in ASUSWRT’s changelog is worrying. The same type of attacks is fixed in release after release. Don’t get me wrong — bugs will happen! However, many of the issues ASUS have to repeatedly fix would have turned up early during a security audit. They’re the kind of issues you’d see informatics students try to identify and exploit as part of a training assignment.

To me, this is nothing new, and security is why I suggest avoiding all consumer routers.

It's also not new for Asus. Part of the February 2016 agreement between Asus and the FTC requires Asus to "establish and maintain a comprehensive security program subject to independent audits for the next 20 years."

AND THIS

Aleksandersen had quite a few other gripes too.

For example, if you use the OpenVPN server, then the next time your ISP assigns the router a new public IP address, you won't be able to connect to the router when traveling. Why? The OpenVPN client configuration always refers to the router by its public IP address; it cannot use a Dynamic DNS name.
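The practical workaround for the OpenVPN gripe is to edit the exported client profile so its `remote` directive names a Dynamic DNS hostname rather than the public IP the router wrote into it. The script below is an added example, not code from the article, from Aleksandersen's review, or from ASUSWRT; the sample profile is constructed (the address 203.0.113.10 comes from the TEST-NET-3 documentation range, and the certificate body is a placeholder), and the DDNS name `myrouter.example.net` is an assumed value.

```python
"""Rewrite the `remote` directive(s) of an exported OpenVPN client profile
so they point at a Dynamic DNS name instead of a fixed public IP address.

Added example; not part of ASUSWRT or the article it accompanies.
"""
import ipaddress
import re

# Constructed sample profile in the shape an ASUSWRT-style export takes.
# 203.0.113.10 is a documentation (TEST-NET-3) address; the CA block is a placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

# OpenVPN syntax is `remote <host> [port] [proto]`; capture the leading
# keyword, the host token, and whatever follows (port/proto) unchanged.
_REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")


def is_ip_literal(host):
    """True if `host` parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rewrite_remote(profile, ddns_name):
    """Return (new_profile, replacements_made).

    Every `remote` line whose host is an IP literal gets the host swapped
    for `ddns_name`; port and protocol tokens are preserved. Lines that
    already use a hostname are left untouched, as is everything else
    (inline <ca>/<cert>/<key> blocks included).
    """
    if is_ip_literal(ddns_name):
        raise ValueError("ddns_name must be a hostname, not an IP literal")
    out = []
    count = 0
    for line in profile.splitlines():
        m = _REMOTE_RE.match(line)
        if m and is_ip_literal(m.group(2)):
            line = f"{m.group(1)}{ddns_name}{m.group(3)}"
            count += 1
        out.append(line)
    new_profile = "\n".join(out)
    if profile.endswith("\n"):
        new_profile += "\n"
    return new_profile, count


if __name__ == "__main__":
    # Assumed DDNS name; substitute the hostname registered for the router.
    rewritten, n = rewrite_remote(SAMPLE_OVPN, "myrouter.example.net")
    print(f"replaced {n} remote host(s)")
    print(rewritten)
```

Keeping `resolv-retry infinite` in the profile matters once a hostname is used: it tells the OpenVPN client to keep retrying name resolution rather than giving up if the DDNS record has not yet caught up with the router's new address. Server authentication is unaffected by the change, since the profile's `remote-cert-tls server` check validates the server certificate, not the name in the `remote` line.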

And how's this for a strange quirk: "One minute to midnight every day, the router turns off a seemingly random set of features to observe a one-minute break from user demands." You can't make this stuff up.

He was also concerned about emails the router can send to notify the owner about certain conditions.

This requires you to save your email password in plain-text on the router, thus exposing it to anyone exploiting one of the many known remote access vulnerabilities. This is a bigger security concern than these notification emails could ever make up for.

His minor gripes include that the web interface incorrectly warns that the router can handle a maximum of 253 devices, that the web interface does not accept pasted data (annoying for MAC addresses) and that many of the translations to English are poor.

Before buying an Asus router, I suggest reading the full article to judge for yourself. Or, for comparison, read my somewhat long recommendation for the Pepwave Surf SOHO router.

UPDATE: May 8, 2017. Someone from Asus pointed out that they offer several different ways for a router owner to upgrade the firmware through both proactive and passive means. For example, the Asus router app does push notifications of firmware updates. Also, the setup wizard checks for new firmware when the router is initially put into service. And, they point out that they have passed recent audits in regards to their agreement on user notifications.

FEEDBACK
Get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput.
