Asus router flaw leaves users' entire hard drives open to anyone on the Internet

Share on Facebook Tweet Share Reddit Comment
Asus router flaw leaves users' entire hard drives open to anyone on the Internet
Convenience often comes at the cost of security, as demonstrated by Asus routers that come with a feature designed to allow users to access their hard drives' contents from anywhere in the world, but actually leave those drives open to anyone with an Internet connection. First reported by Sweden's IDG.se, the vulnerability has exposed how easy it is for users to unknowingly leave themselves open to malicious attacks, identity theft, piracy, and other security risks. The problem is the direct result of Asus consciously designing its default router configuration to favour convenience over security by not requiring a strong password.

The feature in question, called AiDisk, is designed to give users access to a hard drive plugged directly into a router's USB port. The feature is supported on a number of Asus router models, some of which have been on the market for over a year. All router manufacturers offer similar functionality on certain models.

Users who choose to plug a hard drive into their router might not be aware that Asus uses standard FTP (File Transfer Protocol) to make the drive function as a server, using your router's uniquely identifiable IP address. Such servers can be detected and accessed by anyone with an Internet connection, with very little effort. The routers also broadcast their model numbers by default, further inviting anyone who is familiar with the flaw. Visitors might have a casual interest in your server's contents, or they might have malicious intent-it's only a strong password that can keep them out. Unfortunately, in an effort to make FTP sharing completely transparent to users, Asus selected a default configuration option that does not require a password at all.

News site Thehackernews.com reports that Asus has acknowledged the problem and has committed to releasing a firmware patch for the affected models that will prompt users to configure a suitable password upon activating the feature. However it's impossible to estimate what percentage of affected users will install the patch or even be aware that it exists.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Jamshed Avari

Jamshed Avari has been working in tech journalism as a writer, editor and reviewer for over 13 years. He has reviewed hundreds of products ranging from smartphones and tablets to PC components and accessories, and has also written guides, feature articles, news and analyses. Going beyond simple ratings and specifications, he digs deep into how emerging products and services affect actual users, and what marks they leave on our cultural landscape. He's happiest when something new comes ...More

BSNL Champion My Phone SM3512, Champion My Phone SM3513 budget Android phones launched
HP Slate 6 Voice Tab smartphone leaked with blurred image, $200 price tag
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.