Skip to main content

ASUS RT Wireless Routers Easy to Hack, Easy to Patch

The ASUS RT-N56U wireless router. Credit: ASUSTeK Computer Inc.

(Image credit: The ASUS RT-N56U wireless router. Credit: ASUSTeK Computer Inc.)

Protecting your computer is a fairly straightforward process, but when was the last time you paid any attention to your wireless router? Routers are surprisingly vulnerable to sophisticated hacks, and ASUS' RT line of wireless routers is no different. An inventive hack could hijack your entire Internet experience if you don't update quickly and carefully.

Security researcher David Longenecker described the flaw on his blog. The current vulnerability is the latest in a long list of ASUS router flubs, and affects the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U models, with possible ramifications for the RT-N53, RT-N14U, RT-N16, and RT-N16R versions as well.

MORE: Your Router's Security Stinks: Here's How to Fix It

The actual vulnerability is quite complicated, so check out Longenecker's blog to learn the exact details, but it boils down to the way the routers process firmware updates. Firmware updates on ASUS RT routers require a verification on both ends, but do not require this verification to go through a secure HTTPS server. This could allow an inventive hacker to create and supply his or her own bogus update.

Providing phony firmware might not seem like a big threat, but consider that your router is your gateway to the rest of the Internet. Malicious commands in an update script could redirect you to bogus versions of important sites, such as Gmail or a banking website. Logging on to fraudulent sites would send your authentication credentials to a malefactor rather than to a trusted source. Running programs to spread adware or malware would also not be difficult.

The good news is that ASUS has been alerted to this problem and has added an undocumented fix to the latest version of the firmware for each affected router. The bad news, of course, is that the very flaw ASUS is trying to patch makes it dangerous to download the updated firmware.

Longenecker recommends downloading firmware directly from ASUS, which should mitigate any risks, although the ASUS website does not itself use HTTPS — which means anyone whose router has already been hacked could end up being redirected to a bogus ASUS site.

To be certain you're getting the real thing, first find a friend with a different brand of router. Then use one of her computers to browse to the ASUS website and find the support page for your model of ASUS router. Download the ZIP compressed archive of the latest firmware, making sure you get the version that matches your version of Windows.

Don't extract the files from the archive right away. Instead, copy the archive to a flash drive, take it to your main Windows computer and extract the archive there. Then open the ASUS router administrative software on your computer, click Advanced Setting, click Firmware Upgrade, browse to the extracted files from the flash drive and hit Upload.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.