Asus router flaw leaves users' entire hard drives open to anyone on the Internet

Convenience often comes at the cost of security, as demonstrated by Asus routers that come with a feature designed to allow users to access their hard drives' contents from anywhere in the world, but actually leave those drives open to anyone with an Internet connection. First reported by Sweden's IDG.se, the vulnerability has exposed how easy it is for users to unknowingly leave themselves open to malicious attacks, identity theft, piracy, and other security risks. The problem is the direct result of Asus consciously designing its default router configuration to favour convenience over security by not requiring a strong password.

The feature in question, called AiDisk, is designed to give users access to a hard drive plugged directly into a router's USB port. The feature is supported on a number of Asus router models, some of which have been on the market for over a year. All router manufacturers offer similar functionality on certain models.

Users who choose to plug a hard drive into their router might not be aware that Asus uses standard FTP (File Transfer Protocol) to make the drive function as a server, using your router's uniquely identifiable IP address. Such servers can be detected and accessed by anyone with an Internet connection, with very little effort. The routers also broadcast their model numbers by default, further inviting anyone who is familiar with the flaw. Visitors might have a casual interest in your server's contents, or they might have malicious intent-it's only a strong password that can keep them out. Unfortunately, in an effort to make FTP sharing completely transparent to users, Asus selected a default configuration option that does not require a password at all.

News site Thehackernews.com reports that Asus has acknowledged the problem and has committed to releasing a firmware patch for the affected models that will prompt users to configure a suitable password upon activating the feature. However it's impossible to estimate what percentage of affected users will install the patch or even be aware that it exists.