Asus patches security hole in router firmware, password now needed by default

Asus has released updated firmware for a number of its router models following widespread reports of a security vulnerability that allowed remote attackers to access files on any hard drive plugged into the routers. A feature designed to allow users to access their own files from anywhere in the world instead allowed anyone to access them because the company decided not to prompt users to create passwords.

The AiCloud feature allows users to connect to their home PCs or external hard drives via a smartphone app or any other PC. Asus did not require users to set passwords at all, in an effort to make remote file sharing easy for end users to set up. The routers also broadcast their model numbers by default, making it even easier for malicious attackers to target them.

Now, Asus has published a forum post urging users to update their router firmware. Updates for over a dozen models are available at this website. While the post acknowledges that there have been "recent discussions about the default security settings of the AiCloud and FTP features in some Asus routers", it stops short of acknowledging that there was a security oversight and does not apologise.

Asus further stats that a "user interface update" will begin to roll out later this month that will prompt users to update their router firmware and alert them if the new security measures have not been implemented.