How To Check To See If Your ASUS Router Has Been Pwned
Shortly after this story dropped about ASUS routers being pwned right, left and centre, I got a number of emails asking me to detail how one can check their router to see if they’ve been pwned. To that end, I am going to put forward two options for you to make sure you’re not affected by this.
Option 1: Factory reset your router.
If you’re really paranoid about this, taking the nuclear approach and resetting your router may not be a bad idea. While this vulnerability can survive reboots and firmware updates, it cannot survive a factory reset. ASUS has a document that tells you how to do that. After you do that, you should set it up again from scratch, meaning that you should not use a backup to set it up. That way you don’t import the vulnerability back into the router. It also means that you should make a note of your settings before you factory reset it.
Option 2: Checking to see if you have been pwned.
Given that about 10,000 routers have been affected by this worldwide, your odds of being affected by this are low. But it’s not zero, so checking to see if you have been pwned is a good idea. Here’s how you do it. I am using the RT-BE86U in this example, so your ASUS router may have this in a different location:
1. Log into your router.
2. Click on Administration on the left.
3. Click on System on the top. That will take you to this screen:

See if Enable SSH is enabled. If it isn’t, you’re likely not affected. But it never hurts to dig deeper. Choose LAN and WAN to get to this screen:

If you see anything in the SSH Port section and the Authorized Keys section that you did not put there, chances are that you’ve been pwned. Specifically, you’ve been pwned if you see these values:
SSH Port: 53282
Authorized Keys: AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ
I’ve only put in part of the key to stop people from self-pwning their router. But if you see both of these, you’ve been pwned and you should immediately reset your router as per option 1 and ensure that the firmware in the router is up to date.
4. Do not save any of the settings and simply log out of your router if you find nothing there.
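The check from the steps above, written as a small Python script that takes the values you read off the System page. This is an added example, not part of the original post and not ASUS code; the function names, the `my_keys` allowlist and the verdict labels are assumptions made for the example.

```python
# Added example: indicator values are the two quoted in the post.
BAD_PORT = 53282
# Partial key exactly as printed in the post (the post omits the rest).
BAD_KEY_PREFIX = "AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ"


def key_blobs(authorized_keys_text):
    """Pull the base64 key blobs out of an Authorized Keys field.

    Every SSH public key blob begins with "AAAA" (base64 of the leading
    length bytes), so options, key types and comments are skipped.
    """
    return [t for t in authorized_keys_text.split() if t.startswith("AAAA")]


def check_router(ssh_enabled, ssh_port, authorized_keys_text, my_keys=()):
    """Return (verdict, findings) for values read off the System page.

    my_keys is a hypothetical allowlist of key blobs you added yourself.
    """
    port = int(str(ssh_port).strip() or 0)   # an empty field counts as 0
    blobs = key_blobs(authorized_keys_text)
    bad_port = port == BAD_PORT
    bad_key = any(b.startswith(BAD_KEY_PREFIX) for b in blobs)
    unknown = [b for b in blobs
               if b not in my_keys and not b.startswith(BAD_KEY_PREFIX)]
    findings = []
    if bad_port:
        findings.append(f"SSH port is {BAD_PORT}")
    if bad_key:
        findings.append("Authorized Keys holds the key quoted in the post")
    findings += [f"key not listed as yours: {b[:24]}..." for b in unknown]
    if bad_port and bad_key:
        return "pwned", findings                 # both values: reset (option 1)
    if findings:
        return "suspicious", findings            # something you did not put there
    return ("ssh-on-but-clean" if ssh_enabled else "likely-clean"), findings


if __name__ == "__main__":
    # Constructed sample input: port from the post, key = post prefix + fake tail.
    pasted = "ssh-rsa " + BAD_KEY_PREFIX + "CONSTRUCTEDTAILNOTREAL"
    print(check_router(True, "53282", pasted))
```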
Now the threat actors have been exploiting a number of vulnerabilities that ASUS has either patched or will patch. Thus even if you are clear when you have a look at these settings, I would strongly recommend watching the ASUS website for other firmware updates and installing them when they become available. Or use the ASUS Router app to check for firmware updates. As an aside, you should always ensure that your router has the latest firmware installed on it.
Finally, there is no practical reason why anyone needs remote access to their router via any means, be it a vendor-supplied method, SSH or anything like that. I say that because all it does is give threat actors a means to pwn you. Thus if you value your security, never, ever enable remote access in any way, shape or form on your router and be happy. It won’t make you 100% safe, but it will make you a whole lot safer.