This Asus Wi-Fi router can be hacked — what to do right now

'Matrix'-like green numbers flowing vertically over image of home Wi-Fi router.
(Image credit: Syafiq Adnan/Shutterstock)

If you own an Asus RT-AC1900P home wireless router, it's time to patch it. Asus recently issued a firmware update to fix two serious security flaws that could let an attacker with access to your home network hack both your router and your PC. 

Trustwave, the security firm that found the flaws, disclosed the issues in a security advisory yesterday (July 22). It explained that the Asus router searches for firmware updates on the Asus website by using a file-download tool but without checking digital security certificates.

"As a result, MITM [man-in-the-middle] attack is trivial when the device is connected to a malicious network," the Trustwave advisory says. 

That means an attacker can trick the router into downloading and installing malicious firmware updates. And because an attacker can do that, a trap can be set for when the router's owner logs into the router's administrative interface, which is displayed in a web browser on the owner's PC or Mac. 

"An attacker can then craft [a] malicious file containing release notes for the 'new' firmware that will contain arbitrary JavaScript," Trustwave said in its advisory. 

"Due to cross-site-scripting, the malicious JavaScript will be executed when an unsuspecting admin user clicks the release notes link on the Firmware Upgrade page."

After this, all bets are off

One malicious JavaScript is running in your browser, all bets are off. An attacker can silently redirect your browser to pages containing browser exploit scripts or drive-by downloads, both of which will try to infect your computer with malware. You'd better hope you've got one of the best antivirus programs backing you up.

Because the attacker already controls your router, he or she can also change the router settings so that you're led to fake banking or email websites in attempts to capture account login credentials or to trick you into installing corrupted software.

How to avoid attacks based on this router flaw

To avoid these nightmare scenarios, you can open up your Asus router's administration panel and see if a firmware update is available. (Asus has instructions here.)

Alternately, head over to the Asus firmware-update page for the RT-AC1900P and download the most recent update. 

You should always change the administrator password on your router as soon as you get it out of the box. And make sure that the access password for your home Wi-Fi network isn't something easy to guess and is at least 10 characters long. You don't want random neighbors getting access and possibly playing havoc with your router.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.