Darknet Diaries - Ep 5: #ASUSGATE
Episode Date: November 1, 2017
Security researcher Kyle Lovett bought a new Asus router in 2013. He found it was riddled with security vulnerabilities. He set out on a mission to resolve these vulnerabilities not only for his own router, but for thousands of others who were also vulnerable.
Transcript
How many zero days have you found?
It doesn't really matter.
I don't really keep count, but I guess probably over 100, sort of.
100 zero days you think you might have found?
Well, I don't know if I'd count them as zero days.
I mean, yeah, they had been found before, at least disclosed before.
But, you know, sometimes an application could have three or four things wrong with it that hadn't been disclosed before.
So, you know, I'm not some kind of super hacker or anything.
But, yeah, I guess it's about that.
Anyone can do it.
It just takes a little bit of practice
and a lot of determination.
This is Darknet Diaries.
True stories from the dark side of the internet.
I'm Jack Rhysider.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team
when it comes to my privacy.
Take control of your data
and keep your private life private
by signing up for Delete Me.
Now at a special discount
for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com
slash darknetdiaries
and use promo code
darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code Darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills
Information Security world-class in security training. You can learn things like penetration
testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes
do not need to be expensive, and they are trying to break down barriers to get more people into
the security field. And if you decide to pay over $195, you get six months access to the MetaCTF
cyber range, which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what
services they offer and find links to their webcasts to get some world-class training.
That's blackhillsinfosec.com. Blackhillsinfosec.com.
Home is private and personal. Home is safe and secure.
Home is protected and intimate.
We don't allow strangers to simply walk into our home
and take our most private things like bank statements or photographs.
We know when our door is locked and when our window is shut.
And we know this keeps strangers out.
But sometimes there are other ways strangers can enter our home
and take our
most precious things. And these strangers can do this from thousands of miles away.
My name is Kyle Lovett. I am a senior penetration tester right now with Ferrocode.
Kyle's day job is penetration testing. He is paid to test the security of a company to see if there's
a way a hacker can get into the network.
But that's not what this story is about.
This story is about the time in 2013 when Kyle bought a new router for his home.
Yeah, I was looking at the new Asus router, the N66.
Kyle's friend had the new Asus N66 home router and recommended it to Kyle.
This was not a cheap router. It was one of the high-end ones, coming in at just over $300. It was the hottest router on the market,
or at least one of the hottest routers on the market. I mean, no one can deny the hardware
on it is quite impressive. So it was very popular, especially around the IT crowd.
You know, a lot of IT folks had those routers in their home. So Kyle bought it and took it home.
Something struck me as a little odd when I got home and was looking through the actual product.
As he was setting up his new router, he was noticing that it had a lot of features on by default.
Too many features.
A VPN installed on it, an FTP server installed on it, Samba for the file sharing internally
in the network.
It also had several different web servers running on it.
And I was like, this can't be safe.
This can't be.
There was something got to go here because there's so much on it.
So yeah, it just seemed like it was too good to be true kind of thing.
First thing he noticed is the default username was admin and the default password was also admin. At no point was he prompted to change this password. So for
many people who own this device, they likely didn't change their password on it and it was
left as admin admin. These kinds of weak default settings often upset Kyle. He changed his default
password and continued setting up his new router.
So I just started fiddling with it like I would do a normal web app pen test.
Port 80 had the administration interface with it,
and then port 443 had the AiCloud or the cloud interface with it,
which is what I kind of concentrated on.
One of the features he enabled was an FTP server.
He plugged in an external hard drive into the router and enabled the FTP server.
This feature turns the router into a networked storage device.
This allowed users to store backup files, their music collection, personal photos, past tax records,
or whatever people put on their external hard drives.
The thing that caught my interest is when I turned FTP on, as I do kind of once in a while, I scan my own IP address.
I realized that port 21 was open with anonymous access.
And I was like, whoa, whoa, hold on here.
What he found was not only could he access his personal photos from within his house through the router,
but because the router was on the internet with a public IP address,
it was sharing all his data to the entire world.
And to make matters worse, there was no password needed to access his files.
If a hacker knew you had this router and you had plugged a hard drive into it,
that hacker could see all the files you had on the hard drive from thousands of miles away.
Yeah, yeah, I mean I plugged in one of my external hard drives to the back of it and
that's really what got me piqued, like, hold on.
Once Kyle found one security issue with the router, he began using his penetration testing skills to see if he could find something else.
What I did was I just started looking and fuzzing. I didn't even really need to fuzz all that much.
All of the file paths were right there. I kind of realized what I was looking at.
Using a few simple tools, he found the directory structure and where certain files were stored.
One of the files he found was a file that contained the username and password of the router itself.
What startled him about this was that the password was stored in clear text, just a plain file.
I literally could go to my browser and browse up in the browser,
HTTPS, IP address, forward slash SMB, forward slash TMP, forward slash lighttpd,
which was the name of the web server they're using, permissions.
When you do that, it drops a text file for you that has admin
and then whatever their password would be, admin, admin,
if they didn't change their default password.
That only took me maybe 20 or 25 minutes to find of testing,
and that wasn't even really hard fuzzing, smart fuzzing,
or looking at any kind of vulnerabilities.
This means any guest within his home could easily find the password to Kyle's router.
Someone could just use a regular browser and go to the URL and see his password.
No authentication was required to see this.
But Kyle thought about this a little longer.
Hold on, hold on.
Can I get to this from the outside when port 443 is open? Because I
enabled the AiCloud service, which is their own particular cloud service that has a built-in,
they do things like you can sync your iTunes to it, you can sync your phone to it, you know.
And I was able to get to it from the outside as well, the cleartext password.
And then I called another friend who lived quite far away and asked him if I could.
I knew he had one as well. He actually recommended it to me.
And I said, can I look at yours?
And sure enough, I was able to get his cleartext password right off the bat.
And that was kind of scary.
So now he realized that if anyone enabled
the AiCloud feature of this router,
then anyone on the internet
can easily find the password to this router.
So you could literally create a list
of all of the Asus routers there are in the world
with that directory structure
and just snag each one of them
that had port 443 open.
He was becoming increasingly concerned about the security of this router.
He was running it with the latest patches and updates,
and it had all these security problems.
He began researching whether this was a known bug or not.
Yeah, it kind of scared me a little bit because I knew how popular this router was.
And I quickly looked online to see if anyone else had found it,
hoping somebody else had found it.
And when I didn't find anyone else had found it, I was like, uh-oh, I better spend a little more time on this.
At this point, Kyle had a long list of security flaws he found in this router.
These issues were...
The cleartext password, the unprotected directory structure.
You had the FTP problem, Samba for the file
sharing internally in the network, which was one of my other findings. Then you had the
bigger problem of the default passwords, which was admin, admin.
The router also has a VPN built into it. By combining these vulnerabilities, an attacker
can gain access to your entire home network, just as if someone were in your house using your Wi-Fi.
It was disturbing, to say the least.
It became evident to Kyle that anyone with this router has a very insecure home network.
Kyle used a website called Shodan to try to understand the size of this problem.
Shodan is a website that scans the entire internet to see what IPs are alive and
what ports are open. It also tries to get the type of system that's running on those IPs.
Kyle found at least 50,000 people were running the vulnerable FTP server.
You know, the 50, 60, 70,000 that were vulnerable, that was just to the FTP. You're talking two to
three times that amount to the port 443 and then the port 80 default password.
So that was the really disturbing thing, is that attackers could use it as a one-stop shop to dump whatever malicious files they were sharing or downloading.
It even came with a little torrent download program. And then they could use the VPN of these people, whoever the end users were, whatever they were, to then kind of proxy their attacks or their malicious deeds online furthermore.
Kyle was now understanding the massive size of this problem.
This high-end, expensive router that he had purchased was full of glaring security vulnerabilities
and bugs that were not yet known to the vendor or discussed publicly.
It made over 100,000 people vulnerable to attacks in their own home.
Attacks such as taking their files, accessing internal computers, controlling the user's
router, or using the router to wage attacks on other systems.
And the end user, until their router started going down,
I doubt would ever have the knowledge that anything was happening to them at all.
When software has security bugs in it and the vendor is not aware of the problem,
this is called a zero-day vulnerability.
It's called a zero-day because that's how many days it has been since the vendor became aware of the problem.
Once the vendor is aware of the problem, it's no longer a zero day,
and the vendor can work on releasing a fix.
Now put yourself in Kyle's shoes for a moment.
You have just found numerous unfixed bugs
in a very popular home router.
These bugs allow you to access the private networks
of over 100,000 homes around the world.
Not only can you easily get into the home network,
but you can also have
the ability to see all their files and use their router as a proxy. What would you do if you had
this kind of knowledge and capability? Would you go around looking at everyone's files to see what
they had? Would you try to sell these exploits on a dark market for some Bitcoin? How would it make
you feel to be in this situation?
I was kind of angry that I had bought
this thing with this glaring vulnerability. So I wanted to get Asus on board right away with it,
get their InfoSec group or whatever the team they had doing security to fix it right away,
because it affected more than just a few people.
For Kyle, the choice was easy.
Not even once did he try to view someone else's files or use this knowledge for anything malicious.
He simply wanted this bug fixed to help improve security for thousands of people.
In fact, he was a customer too, and he wanted the bug fixed for his own router.
So he began trying to figure out how to contact Asus, the makers of this router.
So I think it was around February or March, I sent my first email
and I hadn't done much in the way of public disclosures before. And whenever I had found
something, it was usually I would send an anonymous note in, which I did for about a month.
Didn't get any response back to my anonymous email account. I had a fake name in there.
And I said, you know what, I'm going to use my real name and my real email address because this is that important.
So Kyle sent Asus another email, this time using his real name.
Three weeks go by.
Still, no response from Asus.
So Kyle sends them another email in May.
They did respond and they say, okay, we'll take a look at it.
Kyle was somewhat relieved to have finally gotten a response.
But he wasn't going to be satisfied until the fix was released.
And he waited two more weeks,
which has now been two months since he first notified them of this problem.
There's still no bug fix or press release telling customers that this problem exists.
In fact, Asus hasn't even confirmed they see a problem yet.
He was starting to lose patience with them.
You know, I sent another email and then another couple emails after that.
I wasn't trying to hound them.
I just wanted them to say, you know, yeah, we confirmed that this is a vulnerability
because I just kind of wanted to forget it and move on.
So after about a month of that, I decided to go with a partial disclosure online to
kind of prod them to, you know, move a little bit faster because they weren't warning their
customers and people were just going out and buying these routers.
What Kyle decided to do was post the bug he found publicly online for anyone to see. This is a hard decision to make.
On one hand, he's notifying the customers there's a bug in their router,
which lets strangers access their router and connect to their drives.
But on the other hand, he's going to be giving keys to hackers,
which they can use to enter thousands of people's homes.
What I know, as far as being an individual independent researcher,
my voice doesn't carry a lot of weight. Um, so when I find something,
um, individually and the vendor doesn't want to fix it or they don't care about it, the only tool
we really have at our discretion, um, you know, unless you, you're really connected in with some
reporters or something, but it is to embarrass them, embarrass them into fixing the bug.
And unfortunately, embarrassing them sometimes means
giving a proof of concept that this is truly a bug. And here's the proof of concept. And yes,
I know the bad guys are also going to see this proof of concept, but some vendors just don't care
until the PR hits them. When the PR hits and the bad press hits and it gets out there that they
have a buggy application or a buggy router or switch or whatever it is, then they get moving on fixing it.
And it's a dangerous thing for us to do because we get – I've had lawsuit threats before.
And it doesn't feel too good to know that because you disclose something, people have gone and exploited it.
But as I said to – I've told my wife and several other people.
I don't break the software applications. It would be impossible to do.
I only point out where it's already broken.
This concept of posting a security vulnerability
publicly for the world to see
is called full disclosure.
This topic is often debated in the security community.
Kyle was hesitant to share all his findings with the public, though.
So I went with a partial disclosure,
not really getting into details about what it was,
but saying what it could do.
And I briefly mentioned the FTP issue,
but I didn't go into depth about it.
So now Kyle watched and waited for Asus to respond.
Three more weeks went by.
It's now been four months since he first brought this to their attention, and they still haven't
even confirmed they agree it's a flaw. Kyle decided to take it a step
further.
And that's when I went on there and I put
one disclosure about the
cleartext password, which got picked up. A bunch of outlets picked it up and they kind of ran from
there crazy. I didn't mention the FTP thing because I thought that was really damaging if,
you know, all of a sudden I just threw those 70,000 people under the bus.
I mean, I know full disclosure really should be full disclosure.
And, you know, today I probably would have done it a little differently.
Security blogs, websites, and news outlets saw Kyle's disclosure and began writing articles about the glaring security flaw.
They were able to articulate exactly how bad this issue was.
Customers began getting upset and demanding Asus to fix the problem.
That got them in gear to at least fix a couple of the issues.
But the FTP issue remained unfixed
through August and September.
So Kyle emailed them again.
This time, Asus connected Kyle with someone from PR
who's also a liaison to developers.
He said, okay, we'll take a look at it. But this is, this is by design. This is by design.
This, we call it, and I kid you not, infinite sharing. This is the, our infinite sharing.
I don't know, I guess you would call it, I don't know, an upsell of something that it was supposed to be so you could share with your everybody.
And I said, everybody, like everything on your hard drive could be shared with them.
This response did not satisfy Kyle.
I was like, oh, come the F on. Jesus Christ, no.
But, you know, I just let it go at that point because they weren't going to fix it.
They knew about it.
But, you know, there's really sometimes you can't really do anything.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever.
I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account
takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a
mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity
threat protection, you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or info-stealer infections. Get your free
Darknet exposure report at spycloud.com slash darknetdiaries. The website is spycloud.com
slash darknetdiaries.
October passes. November passes. December and January pass.
At this point, all the bugs Kyle found were public knowledge,
partially from the clues he mentioned and partially because of the extra attention on Asus.
The vulnerabilities he found were present on ten different Asus router models.
Knowledge of this vulnerability continued to spread around the internet.
Unwanted strangers were now going around
looking into people's files.
It's a high probability that every Asus FTP server
was accessed by multiple strangers at this time.
They probably looked through the files
and took anything that looked interesting
and even uploaded files as a stash point.
An unknown group of people tried to take matters into their own hands.
They did a scan on the internet and looked for all vulnerable Asus routers
and found just over 10,000 IPs that were running the anonymous FTP server.
They accessed each one of these routers and left a note.
It said,
Warning. You are vulnerable.
This is an automated message sent to everyone who is affected.
Your Asus router and your documents can be accessed by anyone in the world with an internet connection.
Solution. Completely disable FTP and AiCloud immediately.
The note was signed by /g/.
This may mean the hackers originated from the technology board on 4chan,
which goes by the name /g/.
The note also called this incident AsusGate.
Let's try to understand the feeling of being a victim to this.
Imagine you go to sleep at night in your nice, cozy, safe, warm bed
and sleep peacefully through the night.
You wake up, walk into the bathroom,
use the toilet,
and when you look in the mirror,
there's a note written on it
telling you there has been a door open
in your home for eight months
and anyone can walk in.
The creepy feeling you get
when you realize someone has been in your router
looking at your files is hard to describe.
It's a feeling of being violated, and it's horrible.
Asus customers were outraged that their hard drives and files were accessed.
Now, because the FTP server did not have a password on it, it's questionable whether accessing it was illegal or not.
If there's no restriction keeping people out, then some laws say it's
legal to access it. The hackers did not use any special tool or bypass or hack or trick
to access the files. They used a standard FTP client, and no password was required to do what
they did. And since Asus said this was a feature and not a security bug, it's even more likely that this act was not criminal.
That got Asus back in gear, but Asus contacted me like I had done it.
In fact, a couple of people were like, oh, so why did you do that? I'm like, I didn't do that.
Some other group did.
They had good intentions.
They were just dropping a text file on their FTP,
but I certainly wouldn't have done it in that manner if I had done something
like that.
The news of the hackers uploading notes to people's routers made its way to major
news networks. In fact, Kyle was even interviewed by CNN at one point to explain the situation.
He was nervous about the interview and was impressed at how big the news had become.
It got fairly big and a little concerning for my first disclosure publicly, you know.
Eventually, Asus fixed all the bugs Kyle reported.
But after that, Kyle found even more bugs in their fixed versions and reported them too.
Eventually, Asus resolved these issues too.
A few years later, in February 2016, the United States Federal Trade Commission filed a case against Asus.
The FTC believed a law may have been broken by Asus. Five months later, a verdict is reached.
The FTC saw proof that over 10,000 customers had their data accessed by an unwanted intruder.
The FTC said Asus was not addressing security issues in a timely manner.
Asus settled the case, and the FTC approved the following orders that Asus must comply with.
Asus must not mislead their customers about security flaws.
They must clearly notify their customers publicly when a security update is available.
They must conduct security audits on their products.
This includes penetration testing, employee training, code reviews, risk assessments,
and more. The security audits must be submitted to the FTC to prove they have taken place. If
Asus fails to comply with any of these orders, they will be fined $16,000 for each violation.
And the harshest part of the FTC orders is that the FTC is requiring audits to continue for the next 20 years.
Asus has to comply with these orders until 2036.
To this day, there are still 2,000 to 3,000.
And it's how many years later?
We're talking three, three and a half years later.
If you go on Shodan, you'll see 2,000 to 3,000 people still have the old
firmware on that exposes their entire FTP and therefore all of their internal hard drives
they have plugged into the back of that router to the world as an anonymous read-write access,
which is quite scary.
Thousands of people remain vulnerable still because they simply haven't patched their
router.
There's a fix available, but they either aren't aware of it or don't care to fix it. If you have an Asus router, it's a good idea to keep it
up to date and patched up. There are now new methods for security researchers to work with
vendors to fix these problems. Some companies will offer a bounty reward for any security bugs found.
These bounties can result in researchers making thousands of dollars by finding a single vulnerability. For the record, Kyle never asked for a bounty reward, nor
was he offered any bounty reward for his findings in the Asus routers. The Department of Homeland
Security has a branch called the U.S. Computer Emergency Readiness Team, or US-CERT.
US-CERT has really stepped up its game, and a lot of people can now go to US-CERT, who will do that work for them; they will get in touch with the vendor and do the disclosure and do it publicly.
So thank them for really stepping up and helping a lot of us.
So I don't really have to do full disclosure hardly anymore because I can go to US-CERT on most items and say, hey, can you help us out here?
I've been trying to go with this vendor.
They don't want to be responsive and kind of put the ball in their court
because they're working with DHS.
They're working with MITRE and some other people to do that kind of work for the community.
I'm curious, Kyle, what home router do you use today?
Oh, right now I have the Xfinity, the Xfinity.
They actually have two models out, one for 100 megabyte streaming and one for the regular size streaming, which I
actually found a vulnerability with because the actual firmware of this and the router hardware
itself was actually made by Cisco, who I disclosed three zero days on those.
It sounds like no matter where Kyle looks, he finds bugs in these home routers
and even business class routers.
I think they've still got a long way to go.
And I still think that security is an afterthought
in most of the vendors
until that mentality changes
and until they really put some thought
into just getting some good pen tester
to test their product.
We're still going to continue to see these things.
You've been listening to Darknet Diaries.
For show notes and links, check out darknetdiaries.com.
Music is provided by Ian Alex Mac, Kevin MacLeod, and Tabletop Audio.