Imagine that you’ve plugged your USB hard drive filled with lots of files (i.e. movies, music, your personal records) into your new router so that everyone on the network can get access to them as well as giving you secure access to them from wherever you are. Pretty cool, huh, nice feature. Many routers are now featuring USB ports that allow you to plug in a USB hard drive or USB printer, and then share these devices with the network.
So how would you feel if you opened up a folder on your shared drive that contained a file called WARNING_YOU_ARE_VULNERABLE.txt? Unfortunately, that’s what’s been happening to many users of ASUS routers lately. Upon opening the file you’ll find the following contents:
This is an automated message being sent out to everyone effected [sic],” the message, uploaded to his device without any login credentials, read. “Your Asus router (and your documents) can be accessed by anyone in the world with an Internet connection. You need to protect yourself and learn more by reading the following news article: http://nullfluid.com/asusgate.txt.
Apparently these files have been dropped on many user’s USB hard drives as a guerrilla attempt to make the existence of this vulnerability possible. The vulnerability allows unauthorized people to access all of the files on any hard drive connected to the USB port on the affected ASUS routers. The vulnerability is outlined in this document.
As news of this vulnerability become more well known, affected users have been speaking up. A blogger from Harvard Law School gives a very personal account of what he found when he realized he was hit by this problem.
ASUS has acknowledged the problem and has offered a patch.