Incident: Asus Routers Vulnerable to Remote Hacking Due to AiCloud Feature

Published Date: 2013-07-16

Postmortem Analysis
Timeline
1. The software failure incident related to vulnerabilities in Asus wireless routers occurred in September and November [24554].
2. The software failure incident related to the AiCloud feature of Asus' USB-enabled routers happened a month after the review of the Asus router RT-AC66U, which was published in July 2013 [20284].
Therefore, the software failure incidents occurred in:
- September and November of an unknown year for the Asus wireless routers vulnerabilities.
- August 2013 for the AiCloud feature vulnerabilities.

System
1. Asus wireless routers with AiCloud feature, including models RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R [24554]
2. AiCloud feature introduced with firmware version 3.0.0.4.220 for Asus routers, specifically affecting RT-AC66U and RT-N66U [20284]

Responsible Organization
1. Asus [24554, 20284]
2. Security researcher Kyle Lovett [24554, 20284]

Impacted Organization
1. Users of nearly a dozen Asus routers, including RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R were impacted by the software failure incident [24554].
2. Users of Asus routers RT-AC66U and RT-N66U were specifically impacted by the AiCloud vulnerabilities reported by security expert Kyle Lovett [20284].

Software Causes
1. Vulnerabilities in Asus wireless routers' proprietary AiCloud feature, Cloud Disk, Smart Access, and Smart Sync options, as well as enabling the file-sharing tool Samba, exposed directories on networked drives to hackers [24554].
2. Introduction of the AiCloud feature by Asus with firmware version 3.0.0.4.220 led to a series of vulnerabilities that could potentially allow hackers to take control of the router remotely [20284].

Non-software Causes
1. Lack of timely response and action by Asus despite being informed about the vulnerabilities by security researchers [24554].
2. Introduction of new features without thorough security testing leading to the creation of vulnerabilities [20284].

Impacts
1. The software failure incident involving Asus wireless routers left computers and networked drives open to hackers, allowing them to access directories on networked drives using Asus' proprietary AiCloud option [24554].
2. Enabling features such as "Cloud Disk," "Smart Access," and "Smart Sync" on the routers exposed the vulnerability to hackers [24554].
3. The vulnerability affected nearly a dozen Asus routers, including popular models like RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R [24554].
4. Hackers were able to post a list of more than 13,000 IP addresses gleaned from vulnerable Asus routers, indicating a potentially widespread impact [24554].
5. The incident highlighted the importance of firmware updates, as Asus released a firmware update to patch the vulnerabilities, requiring manual installation by router owners [24554].
6. Security researchers emphasized that router vendors need to prioritize security in their software development life cycle to prevent such attacks in the future [24554].

Preventions
1. Prioritizing security in the software development life cycle: Security researchers highlighted that these types of attacks could have been prevented if security was a higher priority in the router manufacturers' software development life cycle [24554].
2. Timely response to reported vulnerabilities: Promptly addressing reported vulnerabilities by security researchers could have prevented the software failure incident. In this case, the security researcher Kyle Lovett reported the vulnerability to Asus in both September and November but received a delayed and inadequate response from the company [24554].
3. Regular firmware updates and patches: Regularly releasing firmware updates that patch vulnerabilities and improve functionality can prevent software failure incidents. In the case of the Asus routers, a firmware update was released to address the vulnerabilities, but users had to manually install the update [20284].

Fixes
1. Installing the firmware update that patches the vulnerabilities released by Asus [24554].
2. Turning off the AiCloud feature on the affected routers until the firmware update is applied [20284].

References
1. Security researcher Kyle Lovett [24554, 20284]
2. Asus representative Nick Mijuskovic [24554]
3. Jacob Holcomb, security researcher at Independent Security Evaluators [24554]
4. Asus [20284]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to vulnerabilities in Asus wireless routers has happened again within the same organization. The incident involving vulnerabilities in Asus routers was first reported by security researcher Kyle Lovett in June, exposing hard drives of computers connected to the affected routers [24554]. Lovett later reported another vulnerability to Asus in September and November, but received only a reply of "we'll look into it" from Asus representatives. This incident highlights a recurring issue with security vulnerabilities in Asus routers.
(b) The software failure incident involving vulnerabilities in Wi-Fi routers is not unique to Asus. Security researcher Jacob Holcomb mentioned that these types of attacks could be prevented if security was a higher priority in the router manufacturers' software development life cycle. He also pointed out ongoing problems with routers from other manufacturers, citing Linksys as an example of a company that has struggled with vulnerabilities in its Wi-Fi routers [24554]. This indicates that security vulnerabilities in Wi-Fi routers are a widespread issue affecting multiple organizations in the industry.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in Article 20284, where the AiCloud feature introduced by Asus in firmware version 3.0.0.4.220 for their routers created vulnerabilities that could potentially allow hackers to take control of the router remotely. This indicates a failure due to contributing factors introduced during the system development phase [20284].
(b) The software failure incident related to the operation phase is evident in Article 24554, where vulnerabilities in Asus wireless routers left computers and networked drives open to hackers. The vulnerabilities were related to features like "Cloud Disk," "Smart Access," and "Smart Sync," as well as enabling the file-sharing tool Samba in the router, highlighting a failure due to contributing factors introduced by the operation or misuse of the system [24554].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the Asus wireless routers' vulnerabilities, specifically with the AiCloud feature, was due to contributing factors that originated from within the system itself. Security researcher Kyle Lovett reported the vulnerabilities to Asus, indicating that enabling certain features like "Cloud Disk," "Smart Access," and "Smart Sync" exposed the system to hackers [24554]. Additionally, firmware updates were released by Asus to patch the vulnerabilities within the routers [20284].
(b) outside_system: The software failure incident was also influenced by contributing factors that originated from outside the system. Hackers were able to exploit the vulnerabilities within the Asus routers to access directories on networked drives, indicating external threats to the system [24554].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The vulnerability in Asus wireless routers that left computers and networked drives open to hackers was due to flaws in the routers' software, specifically related to features like AiCloud, Cloud Disk, Smart Access, and Smart Sync [24554].
- The AiCloud feature introduced by Asus in firmware version 3.0.0.4.220 created vulnerabilities that could potentially allow hackers to take control of the router remotely [20284].
(b) The software failure incident occurring due to human actions:
- Security researcher Kyle Lovett reported the vulnerabilities in Asus routers to the company, but Asus did not address the issues promptly despite being informed multiple times [24554].
- Asus released firmware updates to patch the vulnerabilities in the routers, indicating a response to the human action of reporting and addressing the security flaws [20284].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware:
- The vulnerability in Asus wireless routers that allowed hackers to access directories on networked drives was due to a hardware-related issue. Enabling features such as "Cloud Disk," "Smart Access," and "Smart Sync" in the routers exposed the vulnerability [24554].
- The AiCloud feature introduced by Asus in their routers created vulnerabilities that could potentially allow hackers to take control of the router remotely. This feature was added with firmware version 3.0.0.4.220, indicating a hardware-related issue [20284].
(b) The software failure incident related to software:
- The vulnerabilities in Asus wireless routers were exploited by hackers due to software-related issues in the router's firmware. Asus released a firmware update to patch the vulnerabilities, indicating a software failure incident [24554].
- The AiCloud feature introduced by Asus in their routers created vulnerabilities that could potentially allow hackers to take control of the router remotely. Asus addressed these vulnerabilities through firmware updates, highlighting a software-related issue [20284].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident reported in the articles is malicious in nature. Security researcher Kyle Lovett discovered vulnerabilities in Asus wireless routers that could allow hackers to access directories on networked drives using Asus' proprietary AiCloud option. Lovett reported these vulnerabilities to Asus, but the company did not address the issue promptly, leading to suspected hackers posting a list of more than 13,000 IP addresses gleaned from vulnerable Asus routers [24554]. Furthermore, the introduction of the AiCloud feature by Asus with firmware version 3.0.0.4.220 created a series of vulnerabilities that could potentially allow hackers to take control of the router remotely. This was first reported by security expert Kyle Lovett, indicating that the software failure incident was a result of malicious intent to exploit these vulnerabilities [20284].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The software failure incident related to poor decisions can be inferred from the articles. In Article 20284, it is mentioned that Asus introduced the AiCloud feature with firmware version 3.0.0.4.220, which added cloud-based sharing and mobile-app support for the router's USB-connected storage. However, this feature also created vulnerabilities that could potentially allow hackers to take control of the router remotely. This indicates that the decision to introduce the AiCloud feature without adequate security measures in place led to the software failure incident [20284].
(b) The software failure incident related to accidental decisions can be inferred from the articles as well. In Article 24554, it is reported that security researcher Kyle Lovett discovered vulnerabilities in Asus wireless routers that left computers and networked drives open to hackers. Lovett reported these vulnerabilities to Asus in September and November, but Asus did not address the issue promptly. This delay in addressing the reported vulnerabilities can be seen as an accidental decision or oversight on the part of Asus, contributing to the software failure incident [24554].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the articles. In Article 24554, it is reported that security researcher Kyle Lovett discovered vulnerabilities in Asus wireless routers that left computers and networked drives open to hackers. Lovett reported these vulnerabilities to Asus representatives in September and November, but received only a vague response of "we'll look into it." This lack of prompt action by Asus despite being informed about the vulnerabilities multiple times showcases a failure in addressing security issues promptly, indicating a level of development incompetence [24554].
(b) The software failure incident related to accidental factors is also present in the articles. In Article 20284, it is mentioned that the AiCloud feature introduced by Asus in firmware version 3.0.0.4.220 for their routers inadvertently created vulnerabilities that could potentially allow hackers to take control of the router remotely. This unintended consequence of adding a new feature led to security risks, highlighting a failure caused by accidental factors [20284].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident in the articles seems to be temporary. The vulnerabilities in the Asus routers, particularly related to the AiCloud feature, were identified and reported by security researchers. Asus responded by releasing firmware updates to patch the vulnerabilities, indicating that the failure was not permanent but rather due to specific circumstances that were addressed through software updates [24554, 20284].

Category: Behaviour
Option: crash
Rationale:
(a) crash: The software failure incident described in the articles can be categorized as a crash. This is evident from the vulnerabilities in Asus routers that allowed hackers to access directories on networked drives, leading to a system failure where the intended functions were not performed due to the security breach [24554]. Additionally, the introduction of the AiCloud feature in Asus routers created vulnerabilities that could potentially allow hackers to take control of the router remotely, indicating a crash in the system's security [20284].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence, other
Rationale:
(a) death: People lost their lives due to the software failure - There is no mention of any deaths resulting from the software failure incident in the provided articles [24554, 20284].
(b) harm: People were physically harmed due to the software failure - There is no mention of any physical harm to individuals due to the software failure incident in the provided articles [24554, 20284].
(c) basic: People's access to food or shelter was impacted because of the software failure - There is no mention of people's access to food or shelter being impacted by the software failure incident in the provided articles [24554, 20284].
(d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident led to vulnerabilities that could potentially allow hackers to access directories on networked drives, exposing data on computers connected to the affected Asus routers [24554].
(e) delay: People had to postpone an activity due to the software failure - There is no mention of people having to postpone activities due to the software failure incident in the provided articles [24554, 20284].
(f) non-human: Non-human entities were impacted due to the software failure - The software failure incident affected the security of Asus wireless routers, potentially exposing them to hackers [24554, 20284].
(g) no_consequence: There were no real observed consequences of the software failure - The software failure incident resulted in real consequences such as data exposure and vulnerabilities in the affected Asus routers [24554, 20284].
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The articles discuss potential consequences such as hackers accessing directories on networked drives and taking control of routers remotely due to the vulnerabilities [24554, 20284].
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident highlighted the importance of router vendors prioritizing security in their software development to prevent such vulnerabilities and attacks [24554].

Category: Domain
Option: information, utilities
Rationale:
(a) The software failure incident reported in the articles is related to the information industry. The incident involves vulnerabilities in Asus wireless routers that could potentially allow hackers to access directories on networked drives, compromising the security of the information stored on those drives [24554, 20284].
(g) The incident also has implications for the utilities industry as it involves vulnerabilities in Wi-Fi routers, which are essential for providing internet connectivity to homes and businesses. The security problems with these routers highlight the challenges faced by router manufacturers in keeping hackers out of connected home products, which are crucial for accessing utilities like power, gas, and water services [24554].
(m) The software failure incident could also be related to the technology industry, given that it involves security vulnerabilities in networking devices such as routers. These vulnerabilities highlight the ongoing challenges in ensuring the security of technology products and the importance of addressing security issues in the software development life cycle [24554, 20284].
