This Asus Wi-Fi router can be hacked — what to do right now
Flaw in update process could lead to total takeover
If you own an Asus RT-AC1900P home wireless router, it's time to patch it. Asus recently issued a firmware update to fix two serious security flaws that could let an attacker with access to your home network hack both your router and your PC.
Trustwave, the security firm that found the flaws, disclosed the issues in a security advisory yesterday (July 22). It explained that the Asus router searches for firmware updates on the Asus website by using a file-download tool but without checking digital security certificates.
"As a result, MITM [man-in-the-middle] attack is trivial when the device is connected to a malicious network," the Trustwave advisory says.
- The best Wi-Fi routers for your home or small office
- Your router's security stinks: Here's how to fix it
- New: iPhone 12 blown away by Samsung Galaxy S20 Fan Edition leak
That means an attacker can trick the router into downloading and installing malicious firmware updates. And because an attacker can do that, a trap can be set for when the router's owner logs into the router's administrative interface, which is displayed in a web browser on the owner's PC or Mac.
"An attacker can then craft [a] malicious file containing release notes for the 'new' firmware that will contain arbitrary JavaScript," Trustwave said in its advisory.
"Due to cross-site-scripting, the malicious JavaScript will be executed when an unsuspecting admin user clicks the release notes link on the Firmware Upgrade page."
- Out and about? See how to use a VPN to stay safe on public Wi-Fi
- Secure your whole household's connection with the best router VPN
- You can also share your VPN connection with a virtual router
After this, all bets are off
One malicious JavaScript is running in your browser, all bets are off. An attacker can silently redirect your browser to pages containing browser exploit scripts or drive-by downloads, both of which will try to infect your computer with malware. You'd better hope you've got one of the best antivirus programs backing you up.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Because the attacker already controls your router, he or she can also change the router settings so that you're led to fake banking or email websites in attempts to capture account login credentials or to trick you into installing corrupted software.
How to avoid attacks based on this router flaw
To avoid these nightmare scenarios, you can open up your Asus router's administration panel and see if a firmware update is available. (Asus has instructions here.)
Alternately, head over to the Asus firmware-update page for the RT-AC1900P and download the most recent update.
You should always change the administrator password on your router as soon as you get it out of the box. And make sure that the access password for your home Wi-Fi network isn't something easy to guess and is at least 10 characters long. You don't want random neighbors getting access and possibly playing havoc with your router.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.