ASUS RT-series wireless routers have been found vulnerable to a man-in-the-middle attack because they download updates in clear text over HTTP, without an encryption protocol, according to a blog post by David Longenecker.
“The ASUS RT- series of routers rely on an easily manipulated process to determine if an update is needed, and to retrieve the necessary update file,” Longenecker said. “Since the router downloads via HTTP instead of HTTPS, there is no way to validate that the server at the other end is in fact the ASUS server and not an impostor.”
The ASUS RT-series update flow consists of two simple steps. In the first, the router downloads a clear-text file listing the latest firmware builds and parses it to check for a newer firmware version. If one is available, it moves to step two, in which the router downloads the firmware package.
The issue is that an attacker can tamper with both the list and the firmware, targeting the attack at a single victim and then hijacking sessions or intercepting traffic that passes through the router.
Once the attacker controls the router, many attack scenarios become possible, and all of them stem from a simple HTTP connection. This is a mistake from a security standpoint: all connections that deliver firmware updates should use HTTPS with the Transport Layer Security (TLS) protocol.
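The two-step flow with the HTTPS requirement enforced at every hop, as an added sketch (not ASUS's code and not from Longenecker's post). The manifest format, the function names, the version numbers and the `updates.example` host are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample; hypothetical format: "model,version,firmware_url" per line.
SAMPLE_MANIFEST = (b"RT-AC68U,3.0.0.4,https://updates.example/fw_3004.trx\n"
                   b"RT-AC68U,3.0.0.5,https://updates.example/fw_3005.trx\n")

class InsecureUpdateError(Exception):
    """Raised when any part of the update flow would use clear text."""

def require_https(url):
    """Accept only HTTPS URLs, so the server has to authenticate via TLS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureUpdateError(f"refusing non-HTTPS update URL: {url}")
    return url

class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Block redirects that would downgrade the transfer back to HTTP."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def https_fetch(url):
    """Fetch with certificate and hostname verification (the default context)."""
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), HttpsOnlyRedirects())
    with opener.open(require_https(url), timeout=30) as resp:
        return resp.read()

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def find_update(manifest_url, model, current, fetch=https_fetch):
    """Step one: read the build list; return (version, firmware_url) or None."""
    manifest = fetch(require_https(manifest_url)).decode("ascii")
    best = None
    for line in manifest.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or fields[0] != model:
            continue
        version = parse_version(fields[1])
        if version > parse_version(current) and (best is None or version > best[0]):
            # Step two (the firmware download) must also be HTTPS.
            best = (version, require_https(fields[2]))
    return best
```

The `fetch` parameter exists so the list parsing can be exercised offline against `SAMPLE_MANIFEST`; the firmware download in step two would go through `https_fetch` as well.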
Vulnerable ASUS router versions are: RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R and RT-N56U. The following are suspected to be affected by the same flaw: RT-N53, RT-N14U, RT-N16 and RT-N16R.
ASUS quickly issued an undocumented fix in their latest firmware version that deals with the flaw.
ASUS users are advised to download updates directly from asus.com rather than using the update function in the router GUI.