The ASUS Dumpster Fire

Gamers Nexus
18 Jul 2025 · 28:12

Summary

TLDR: The video highlights several critical security vulnerabilities in ASUS products, including routers and the Armory Crate software. ASUS routers are compromised through an open port, and firmware must be updated proactively to prevent exploitation. Armory Crate, software that runs at the motherboard level, has persistent vulnerabilities that can lead to serious security risks. ASUS's poor handling of bloatware and the unnecessary risks introduced by its software practices have raised concerns. Despite patches, ASUS's failure to secure its products properly leaves users exposed to potential attacks, making vigilance and regular updates essential for protection.

Takeaways

  • ASUS routers with port 53282 open have a persistent backdoor vulnerability, which can't be fixed by firmware updates alone.
  • Firmware updates must be proactively applied by users to prevent exploitation, as patches will not clean routers that are already compromised.
  • The attacker exploiting this vulnerability remains unidentified, but there are signs of overlap with the broader Vicious Trap exploitation campaign.
  • Armory Crate software on ASUS devices acts like malware, propagating itself and potentially reactivating even after being disabled in BIOS.
  • BIOS updates from Windows may unintentionally reset the Armory Crate toggle, reactivating unwanted software even after users try to disable it.
  • ASUS's Armory Crate software involves low-level hardware access, posing a significant security risk if exploited by attackers.
  • Vulnerabilities in Armory Crate, like buffer overflow and improper path length handling, can allow attackers to execute arbitrary code at the kernel level.
  • ASUS's software practices, such as bundling unwanted software like MyASUS and AI Protection, contribute to unnecessary security risks for users.
  • ASUS's significant resources and market position raise concerns about its failure to adequately protect users from these avoidable risks.
  • Despite ongoing patches, ASUS has continued to create additional security risks through its software and firmware, which are often forced on users without their consent.

Q & A

  • What is the main issue discussed in the video regarding ASUS routers?

    - The main issue is a security vulnerability in ASUS routers, where a backdoor exists in nonvolatile memory (NVRAM) that is not removed during firmware updates or reboots, making it impossible to patch through standard firmware updates. This leaves routers exposed to exploitation if not proactively updated by users.

  • What is the significance of port 53282 being open on ASUS routers?

    - Port 53282 being open is a clear indication that the router has likely been exploited. This port is used in attacks, and the number of devices with this port open can fluctuate, often due to public awareness or changing attack methods.

  • What does the term 'Armory Crate' refer to, and why is it problematic?

    - Armory Crate is software provided by ASUS that controls low-level hardware features, including RGB lighting. It is criticized for its invasive nature, self-propagating behavior, and BIOS-level access. Even after being disabled in the BIOS, it can reactivate after future firmware updates, which makes it an ongoing security concern.

  • Why is it difficult to fix compromised ASUS routers through firmware patches?

    - Once a router is compromised, the backdoor stored in its NVRAM cannot be removed by firmware updates or reboots, rendering patches ineffective. Prevention relies on users proactively updating their firmware before an attack occurs.

  • What vulnerability in ASUS's Armory Crate software did Cisco Talos discover?

    - Cisco Talos discovered a vulnerability in the ASIO3 kernel driver used by Armory Crate. This vulnerability allows attackers to execute arbitrary code through a stack-based buffer overflow, which could lead to unauthorized access and potential exploitation of the system.

  • What are the potential dangers of ASUS’s Armory Crate and its access to system resources?

    - Armory Crate’s access to low-level system resources, like physical memory addresses and IO ports, allows attackers to execute arbitrary commands and gain full control over the system, which could lead to serious security breaches if exploited.

  • What does 'stack-based buffer overflow' mean in the context of the Armory Crate vulnerability?

    - A stack-based buffer overflow occurs when a program writes more data to a buffer (a temporary data storage area) than it can handle, which can overwrite adjacent memory. In the case of the Armory Crate vulnerability, this allows an attacker to manipulate the system’s memory and potentially execute arbitrary code.

  • What is the purpose of the 'hard-coded hash' in ASUS’s security system, and how was it bypassed?

    - The hard-coded hash is used to restrict access to the ASIO3 driver, only allowing ASUS software to interact with it. However, the vulnerability was exploited by using Windows' hardlink feature to match the hash of an arbitrary executable to the ASUS-approved executable, bypassing this security check.

  • What could be the consequences of multiple unpatched vulnerabilities stacking in ASUS products?

    - If multiple unpatched vulnerabilities stack or nest together, they could potentially be exploited in combination, allowing attackers to escalate their access and compromise the system more severely. This is a significant concern for users who may not be aware of these vulnerabilities.

  • How has ASUS responded to the vulnerabilities in its products, and what should users do to protect themselves?

    - ASUS has provided some security patches and advised users to perform factory resets on compromised devices. Users should regularly update their router firmware and disable unnecessary software like Armory Crate and MyASUS to reduce exposure to security risks.
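A defender's check for the indicator described above, TCP port 53282 listening on a router you administer. This is an added example, not code from the video or from ASUS; the function names and the fallback address 192.168.1.1 are assumptions.

```python
import socket
import sys

BACKDOOR_PORT = 53282  # TCP port this page names as the sign of compromise


def probe(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return (state, banner) for one TCP port on a router you administer.

    state: "open", "closed" (refused), "filtered" (no reply before the
    timeout) or "error" (name resolution failure, no route, ...).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(1.0)
            try:
                # A banner, if the service sends one, helps identify it.
                banner = conn.recv(128).decode("ascii", "replace").strip()
            except OSError:
                banner = ""  # accepted the connection but sent nothing
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except socket.timeout:
        return "filtered", ""
    except OSError:
        return "error", ""


def assess(host, port=BACKDOOR_PORT, timeout=3.0):
    """Turn the probe result into the action the page's guidance implies."""
    state, banner = probe(host, port, timeout)
    actions = {
        "open": "likely compromised: factory reset, then update firmware",
        "closed": "port not listening: keep firmware up to date",
        "filtered": "no answer: repeat from the other side of the router",
        "error": "could not reach host: check the address",
    }
    return {"host": host, "port": port, "state": state, "banner": banner,
            "suspect": state == "open", "action": actions[state]}


if __name__ == "__main__":
    # 192.168.1.1 is an assumed default; pass your router's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = assess(target)
    print(f"{result['host']}:{result['port']} {result['state']} -> {result['action']}")
    sys.exit(1 if result["suspect"] else 0)
```

Run it from inside the LAN and, where possible, from an outside network against the router's public address, since a port can be reachable on one interface only.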
