Asus Goes Mute As Hackers Covertly Install Backdoors Using Company Software Update

from the supply-chain-shenanigans dept

According to new analysis by Kaspersky Lab, nearly a million PC and laptop owners may have installed a malicious ASUS software update that embedded a backdoor into their computers without their knowledge. According to the security firm, state-sponsored hackers (presumed to be China) managed to subvert the company's Live Update utility, which is pre-installed on most ASUS computers and is used to automatically update system components such as BIOS, UEFI, drivers and applications.

The malicious file was signed by a legitimate ASUS digital certificate to hide the fact that it wasn't a legitimate software update from the company, with an eye on a very particular target range:

"The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list."

According to Kaspersky, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. And while Symantec has confirmed the problem and stated it found 13,000 computers infected with the backdoor, Kaspersky estimates the total number of impacted PC users could be as high as a million.

For its part, Asus isn't helping matters by going entirely mute on the subject. Motherboard was the first to report on the hack (in turn prompting Kaspersky's acknowledgement). But Asus apparently thought that silence was a better idea than owning the problem, confirming the data discovered by researchers, or quickly and accurately informing the company's subscribers:

"This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware,” said Vitaly Kamluk, Asia-Pacific director of Kaspersky Lab’s Global Research and Analysis Team who led the research. He noted that ASUS denied to Kaspersky that its server was compromised and that the malware came from its network when the researchers contacted the company in January. But the download path for the malware samples Kaspersky collected leads directly back to the ASUS server, Kamluk said.

Motherboard sent ASUS a list of the claims made by Kaspersky in three separate emails on Thursday but has not heard back from the company."

Yeah, hiding your head in the sand should fix everything. While this hack specifically focused on supply-chain issues, Asus is no stranger to privacy scandals. The company was given a hearty wrist slap by the FTC a few years back for selling routers with paper-mache-grade security. As part of that deal, Asus was required to agree to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. Apparently that didn't help much.

Filed Under: breaches, cybersecurity, hacks, response, software updates, supply chain attack
Companies: asus

Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

from the apocalypse-averted dept

The apocalypse for those who like to tinker with their router firmware may be postponed.

Last year we noted how the FCC updated router and RF device rules for safety reasons, stating that some illegally modified router radios operating in the unlicensed bands were interfering with terminal doppler weather radar (TDWR) at airports. The rule changes prohibited tinkering with the just the RF capabilities of devices. But some sloppy FCC language worried tinker advocates and custom-firmware developers, who feared that because many routers have systems-on-a-chip (SOC) where the radio isn't fully distinguishable from other hardware -- vendors would take the lazy route and block third-party firmware entirely.

And, at least with some companies, that's exactly what happened. TP-Link for example stated that it would be preventing custom router firmware installations with gear built after June 2016, blaming the FCC for the decision while giving a half-assed statement about respecting the hobbyist community's "creativity." Again: the rules don't mandate anything of the kind; TP-Link just decided to take the laziest, most economical route.

Fortunately, not all hardware vendors are following TP-Link's lead. Linksys has announced that while it will lock down modifications on some router models, the company will continue to let enthusiasts tinker with its WRT lineup of hardware, which has been a hobbyist favorite for years. From its comments the company is well aware that while custom firmware flashers may comprise a minority of overall customers, they're a vocal minority that companies really don't want to piss off. As such, a company spokesman was quick to breathlessly praise third party custom firmware options:

"The real benefit of open source is not breaking the rules and doing something with malicious intent, the value of open source is being able to customize your router, to be able to do privacy browsing through Tor, being able to build an OpenVPN client, being able to strip down the firmware to do super lean, low-latency gaming,” La Duca said. “It's not about ‘I'm going to go get OpenWrt to go and piss off the FCC.' It's about what you can do in expanding the capabilities of what we ship with."

While it would be nice to see more models supported, it's certainly a step in the right direction. It should be noted that (now Belkin-owned) Linksys said it wasn't a very big deal to lock down the radio specifically, contrary to what some vendors have claimed:

"The hardware design of the WRT platform allows us to isolate the RF parameter data and secure it outside of the host firmware separately," Linksys said in a written statement given to Ars. La Duca declined to get more specific about Linksys's exact method. Even though this is about enabling open source, Linksys’s method is proprietary and provides a competitive advantage over other router makers that aren’t supporting open source, La Duca said."

So while one vendor used the FCC rule change as an opportunity to be lazy and cheap, others are using the news as an opportunity to embrace an important part of their community. And from the looks of thinks Linksys won't be alone in the effort; representatives from Asus have been telling some hardware enthusiasts that they plan to continue supporting third-party open source firmware as a point of pride as well:

"As you may know, FCC requires all manufactures to prevent users from changing RF parameters. Not only manufactures' firmware but 3rd party firmware need to follow this instruction. Some manufactures' strategy is blocking all 3rd party firmware, and ASUS's idea is still following GNU, opening the source code, and welcome 3rd party firmware. ASUS are co-working with developers such as Merlin and DDWRT to make sure 3rd party firmware's power are the same as ASUS firmware and obey the regulations."

None of this is to say these companies can't go back on their word down the line (concerned users should keep the pressure up), but it's refreshing to see at least a few vendors actually standing behind their communities' right to tinker.

Filed Under: fcc, firmware, open source, routers
Companies: asus, linksys, tp-link

FTC Dings ASUS For Selling 'Secure' Routers That Shipped With Default Admin/Admin Login (And Other Flaws)

from the wherein-a-personal-'AiCloud'-is-really-'Anyone'sCloud' dept

The FTC has stepped up to smack ASUS down for selling "secure" routers that were about as impregnable as a child's couch fort.

[A]ccording to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic.

That's not all. ASUS's security "best practices" apparently included credentials pulled from annual "Worst Passwords" lists.

The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

This, unfortunately, isn't just an ASUS problem. Far too many devices, whether marketed to home users or professionals, ship with terrible default credentials and very few of them demand the end user alter the login before putting the product to use.

As for ASUS, the list of insecurities goes on and on.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

ASUS's insecure products are no different than countless others offered by competitors. Far too many companies view end user security as something that can always be patched into existence after the first big breach. Why the FTC has chosen to hang ASUS rather than any number of other misbehaving tech manufacturers isn't clear, but it could be this is just the first in a wave of settlements.

The FTC isn't just unhappy about ASUS's bogus security claims. It's also unhappy with the company's response time. The complaint notes ASUS failed to act quickly in response to reported security holes.

In June 2013, a security researcher publicly disclosed that, based on his research, more than 15,000 ASUS routers allowed for unauthenticated access to AiDisk FTP servers over the internet. In his public disclosure, the security researcher claimed that he had previously contacted respondent about this and other security issues. In November 2013, the security researcher again contacted respondent, warning that, based on his research, 25,000 ASUS routers now allowed for unauthenticated access to AiDisk FTP servers. The researcher suggested that respondent warn consumers about this risk during the AiDisk set up process. However, ASUS took no action at the time.

[...]

It was not until February 2014 – following the events described in Paragraph 32 [the posting of text files to unsecured end user USB devices by the hackers who discovered the flaw] – that respondent sent an email to registered customers notifying them that firmware updates addressing these security risks and other security vulnerabilities were available. Furthermore, it was not until February 21, 2014 that ASUS released a firmware update that would provide some protection to consumers who had previously set up AiDisk. This firmware update forced consumers’ routers to turn off unauthenticated access to the AiDisk FTP server.

Because of this, ASUS is going to spend the next two decades maintaining a "comprehensive security program" subject to independent audits. An FTC official's statement suggests the agency's settlement with ASUS carries symbolic weight as well -- the mounting of ASUStek's head on a pike as a warning to the ever-expanding Internet of Easily-Compromised Things.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

Hopefully, ASUS will build better, safer products in the future because of this. But considering this settlement comes two years after ASUS's eight-month delayed reaction to notifications it received in June of 2013, users are still better off taking security in their own hands, rather than waiting for companies or regulatory agencies to intercede on their behalf.

Filed Under: admin, ftc, security
Companies: asus

SGI Back From The Dead (Again) And Suing Tons Of Companies For Patent Infringement

from the troll-troll-troll-troll dept

Back when I moved to Silicon Valley, Silicon Graphics Inc., (SGI) was still a hot place to work. They were still pumping out cool machines and had a reputation for a fun corporate culture. Of course, that collapsed pretty quickly over the next few years, as SGI totally misjudged the market trends and fell victim to the innovator's dilemma. Basically, SGI never could come to terms with the fact that its premium products were going to be increasingly undercut as cheaper commodity technology improved. Back in 2006, we noted that what remained of SGI had indicated that it planned to resurrect the company by going patent troll. However, we thought we'd avoided that ignoble result when SGI sold most of its assets to Rackable for a mere $25 million three years ago. Silly us for assuming those patents would just go away.

While Rackable changed its name to Silicon Graphics International... the original company actually retained the patents, and renamed itself Graphics Properties Holdings... and over the last few years has been suing lots of companies for patent infringement. In the last year alone it has sued Apple, HTC, LG, RIM, Samsung, Sony, Acer, ASUS, Panasonic, Sharp, Toshiba, Vizio and Motorola Mobility.

As the link above notes, while some of GPH's patents are relatively early, it appears that lots of similar inventions predated key patents. However, the early date may make those patents look stronger, and give GPH much more leverage in getting companies to pay up -- or risk losing the ability to produce devices with nice graphics capabilities.

Filed Under: patent troll, silicon valley
Companies: acer, apple, asus, htc, lg, motorola mobility, panasonic, rim, samsung, sgi, sharp, sony, toshiba, vizio

Bunch Of Companies Sued Over Encryption Patents

from the but-of-course dept

Another day, another story of a company no one's heard of who seems to produce nothing but patents, filing a lawsuit against a ton of companies in East Texas (of course). This one, sent in by the Bored SysAdmin, involves a company called The Pacid Group, suing Asus, Samsung, Sony, Sony Ericsson, Fujitsu, LG, Gigabyte, GBT, MSI, Motorola, Research in Motion, Nikon, Microsoft, Nintendo, HTC and Palm, claiming that they all violate two of its patents (5,963,646 and 6,049,612) on encryption. While it's often difficult to find any information on the no name companies who sue big companies for patent infringement, at least The Pacid Group has a website, where it clearly shows the company's only products: patents.

As we've seen in other similar lawsuits, the company appears to think that pretty much every bit of modern technology violates its patents. According to the lawsuit, all of the following types of products may violate these patents: laptops, mobile phones, printers, routers, digital cameras, Blu-ray disk players, gaming devices, wireless adapters and portable media players. Now, sure, you could make the claim that all of these companies found these patents from a company no one had heard of, and decided to "copy" the idea into their product. Or, the fact that this basic idea appears in so many places might lead you to conclude that the idea was the natural progression of the technology and obvious to those skilled in the art, and thus not deserving of a patent. But that would make sense.

Filed Under: encryption, patents
Companies: asus, fujitsu, gbt, gigabyte, htc, lg, microsoft, motorola, msi, nikon, nintendo, palm, rim, samsung, sony, sony ericsson

Can't Innovate? Litigate! 3Com Goes Patent Lawsuit Ballistic

from the ghosts-of-companies-past dept

Remember back when 3Com was a big innovative company coming up with interesting new products? What happened since then? Well, as we've seen over and over again, once a company runs into trouble continuing to innovate, its last ditch effort to stay in business is to start suing everyone for patent infringement. Step up to the plate, 3Com. The company set up a subsidiary specifically for suing other companies for patent infringement and just sued Acer, Apple, Asus, Dell, Fujitsu, Gateway, HP, Sony, and Toshiba. Oh, and take a guess where this "subsidiary" set up shop? East Texas... of course. All the better to file patent lawsuits apparently...

Filed Under: ethernet, innovation, patents
Companies: 3com, acer, apple, asus, dell, fujitsu, gateway, hp, sony, toshiba

Asus The Latest To Recognize That BitTorrent Is Quite Useful

from the it-ain't-evil dept

To hear some in the entertainment industry tell the story, you'd think that BitTorrent was an evil technology designed with no redeeming value whatsoever. But, of course, there are tons of legitimate uses for it in a more efficient and economic way to distribute files by spreading the burden out. It's great for Linux distributions, for example. And now it's nice to see more and more companies recognizing that there's value in using BitTorrent technology to their advantage. Apparently, the latest is computer maker Asus, which is using BitTorrent for many software downloads. As the article points out, this is hardly revolutionary, but it is nice to see large corporations recognizing the usefulness of the technology.

Filed Under: bittorrent, distribution, software, usefulness
Companies: asus

OLPC Faces Growing Competition, And That's A Good Thing

from the like-it-or-not dept

The Christian Science Monitor has an interesting story looking at the rise of dirt-cheap laptops and the potential impact these laptops will have in developing countries. It gives a fair amount of attention to the One Laptop Per Child project, which was obviously one of the early players in this space. I've had my share of criticisms of the OLPC project, but one thing I do have to give them credit for is that their XO laptop seems to be very competitive with the laptops being offered by commercial companies. Most of them, such as the Asus Eee PC, are priced in the $299 to $399 range; it appears that no one has yet figured out how to produce a full-featured laptop at that magic $100 price point. The thing this article does highlight, though, is that OLPC is operating in an increasingly competitive market. OLPC head Nicholas Negroponte says "I don't want to compete with anyone," but he's going to have to compete whether he likes it or not.

One of the most intriguing competitors is Ncomputing, which is trying to resurrect the dumb terminal model for people on a shoestring budget. Ncomputing uses a cheap ($350) PC as a server to drive a bunch of ridiculously cheap ($70) terminals. Dumb terminals are almost as old as the computing industry itself, but getting the terminals to be this cheap certainly opens things up to new markets by bringing hardware costs within reach of that magic $100 price point. Of course, these dumb terminals won't be as portable as an XO laptop, and they likely require more tech support. Schools in developing countries will have to weigh those disadvantages against the XO's higher price and decide what will serve their students best. And that's the way it should be: more competition means that end users will be able to choose the computing solution that best fits their unique circumstances and budget.

Filed Under: $100 computer, competition, olpc
Companies: asus, ncomputing, olpc