WEBVTT

00:00:00.000 --> 00:00:01.620
JACK: How many zero-days have you found?

00:00:01.620 --> 00:00:02.880
KYLE: It doesn’t really matter. I don’t

00:00:02.880 --> 00:00:05.160
really keep count but I guess it’s probably over a hundred.

00:00:05.160 --> 00:00:08.100
JACK: A hundred zero-days you think you might have found?

00:00:08.100 --> 00:00:10.560
KYLE: Well, I don’t know if I can count them as zero-days. I mean yeah,

00:00:10.560 --> 00:00:15.180
they hadn’t been found before, at least disclosed before, but sometimes in an application you could

00:00:15.180 --> 00:00:19.860
have three or four things wrong with it that hadn’t been disclosed before. I’m

00:00:19.860 --> 00:00:24.300
not some kind of super hacker or anything but yeah, I guess it’s about that. Anyone

00:00:24.300 --> 00:00:27.750
can do it. It just takes a little bit of practice and a lot of determination.

00:00:27.750 --> 00:00:31.470
JACK (INTRO):

00:00:31.470 --> 00:00:42.290
This is Darknet Diaries, true stories from the dark side of the internet. I’m Jack Rhysider.

00:00:42.290 --> 00:00:50.840
JACK: Home is private and personal. Home is safe and secure. Home is protected and intimate. We

00:00:50.840 --> 00:00:55.580
don’t allow strangers to simply walk into our home and take our most private things like bank

00:00:55.580 --> 00:01:01.700
statements or photographs. We know when our door is locked and when our window is shut. We know

00:01:01.700 --> 00:01:07.370
this keeps strangers out but sometimes there are other ways strangers can enter our home and take

00:01:07.370 --> 00:01:12.590
our most precious things. These strangers can do this from thousands of miles away.

00:01:12.590 --> 00:01:19.760
KYLE: My name is Kyle Lovett. I am a Senior Penetration Tester right now with Veracode.

00:01:19.760 --> 00:01:24.470
JACK: Kyle’s day job is penetration testing. He is paid to test the security of a company

00:01:24.470 --> 00:01:28.940
to see if there’s a way a hacker can get into the network. But that’s not what this story is

00:01:28.940 --> 00:01:35.180
about. This story is about the time in 2013 when Kyle bought a new router for his home.

00:01:35.180 --> 00:01:40.265
KYLE: Yeah, I was looking at the new Asus router, the N66.

00:01:40.265 --> 00:01:45.680
JACK: Kyle’s friend had the new Asus N66 home router and recommended it to Kyle.

00:01:45.680 --> 00:01:50.174
This was not a cheap router. It was one of the high-end ones coming in at just over $300.

00:01:50.174 --> 00:01:54.320
KYLE: They were the hottest routers on the market, or at least one of the hottest

00:01:54.320 --> 00:02:00.260
routers on the market. No one can deny the hardware on it is quite impressive. It was

00:02:00.260 --> 00:02:07.070
very popular especially around the IT crowd. A lot of IT folks had those routers in their home.

00:02:07.070 --> 00:02:08.510
JACK: Kyle bought it and took it home.

00:02:08.510 --> 00:02:14.660
KYLE: Something struck me as a little odd when I got home and was looking for the actual product.

00:02:14.660 --> 00:02:17.930
JACK: As he was setting up his new router he was noticing that it had a

00:02:17.930 --> 00:02:21.170
lot of features on by default, too many features.

00:02:21.170 --> 00:02:27.260
KYLE: A VPN installed on it, an FTP server installed on it, Samba for the file sharing

00:02:27.260 --> 00:02:33.140
internally in the network. It also had several different web servers running on it. I was like,

00:02:33.140 --> 00:02:38.300
this can’t be safe. This can’t be. There was something – gotta be [inaudible] here,

00:02:38.300 --> 00:02:43.010
because there’s so much on it. It just seemed like it was too good to be true kind of thing.

00:02:43.010 --> 00:02:47.510
JACK: First thing he noticed was the default user name was admin and the default password

00:02:47.510 --> 00:02:53.530
was also admin. At no point was he prompted to change this password.

00:02:53.530 --> 00:02:57.490
For many people who own this device, they likely didn’t change their password on it

00:02:57.490 --> 00:03:03.580
and it was left as admin/admin. These kinds of weak default settings often upset Kyle.

00:03:03.580 --> 00:03:07.660
He changed his default password and continued setting up his new router.

00:03:07.660 --> 00:03:14.860
KYLE: I just started fiddling with it like I would do a normal web app pen test. Port

00:03:14.860 --> 00:03:22.090
80 had the administration interface with it and then port 443 had the AI Cloud,

00:03:22.090 --> 00:03:25.810
or the Cloud interface with it, which is what I concentrated on.

00:03:25.810 --> 00:03:31.060
JACK: One of the features he enabled was an FTP server. He plugged in an external hard

00:03:31.060 --> 00:03:35.740
drive into the router and enabled the FTP server. This feature turns the router into

00:03:35.740 --> 00:03:41.530
a network storage device. This allowed users to store backup files, their music collection,

00:03:41.530 --> 00:03:46.840
personal photos, past tax records, whatever people put on their external hard drives.

00:03:46.840 --> 00:03:49.900
KYLE: The thing that caught my interest was when I turned FTP on,

00:03:49.900 --> 00:03:55.540
as I do once in a while, I scan my own IP address. I realized that port 21 was

00:03:55.540 --> 00:04:01.496
open with anonymous access. I was like, whoa! Hold on here.

00:04:01.496 --> 00:04:07.990
JACK: [MUSIC] What he found was not only could he access his personal photos from within his

00:04:07.990 --> 00:04:13.720
house through the router, but because the router was on the internet with a public IP address he

00:04:13.720 --> 00:04:20.980
was sharing all his data to the entire world. To make matters worse, there was no password needed

00:04:20.980 --> 00:04:26.230
to access his files. If a hacker knew you had this router and you had plugged a hard drive into it,

00:04:26.230 --> 00:04:32.380
that hacker could see all the files you had on the hard drive from thousands of miles away.

00:04:32.380 --> 00:04:37.540
KYLE: Yeah, I had plugged in one of my external hard drives to the back

00:04:37.540 --> 00:04:41.770
of it and that’s really what got me piqued. Like, hold on.

00:04:41.770 --> 00:04:46.090
JACK: Once Kyle found one security issue with the router he began using

00:04:46.090 --> 00:04:49.390
his penetration testing skills to see if he could find something else.

00:04:49.390 --> 00:04:52.900
KYLE: What I did was I just started looking and fuzzing. I didn’t even really need to

00:04:52.900 --> 00:05:01.000
fuzz all that much. All of the file paths were right there. I realized what I was looking at.

00:05:01.000 --> 00:05:05.230
JACK: Using a few simple tools he found the directory structure and

00:05:05.230 --> 00:05:09.400
where certain files were stored. One of the files he found was a file that

00:05:09.400 --> 00:05:13.390
contained the username and password of the router itself. What startled

00:05:13.390 --> 00:05:17.665
him about this was that the password was stored in clear text in just a plain file.

00:05:17.665 --> 00:05:23.290
KYLE: I literally could go to my browser and browse up in the browser the HTTPS IP

00:05:23.290 --> 00:05:31.240
address/smb/tmp/lightep, which was the name of the web server that I was using, permissions. When

00:05:31.240 --> 00:05:36.010
you do that it drops a text file for you that has admin and then whatever their password would be;

00:05:36.010 --> 00:05:40.240
admin/admin if they didn’t change their default password. That only took me maybe twenty,

00:05:40.240 --> 00:05:44.590
twenty-five minutes to find – of testing and that wasn’t even really hard fuzzing,

00:05:44.590 --> 00:05:48.010
smart fuzzing, or looking at any kind of vulnerabilities.

00:05:48.010 --> 00:05:51.520
JACK: This means any guest within his home could easily find the

00:05:51.520 --> 00:05:55.330
password to Kyle’s router. Someone could just use a regular browser and

00:05:55.330 --> 00:05:59.830
go to the URL and see his password. No authentication was required to see

00:05:59.830 --> 00:06:05.380
this but Kyle thought about this a little longer.
KYLE: Hold on, hold on. Can I get to this from the

00:06:05.380 --> 00:06:12.100
outside when port 443 is open? Because I enabled the AI Cloud service which is their own particular

00:06:12.100 --> 00:06:18.010
cloud service that has a built-in – they do things like you can sync your iTunes to it, you can sync

00:06:18.010 --> 00:06:27.400
your phone to it. I was able to get to it from the outside as well with a clear text password.

00:06:27.400 --> 00:06:33.220
Then I called another friend who lived quite far away and I asked him if I could – I knew he had

00:06:33.220 --> 00:06:39.670
one as well. He had actually recommended it to me. I said can I look at yours? And sure enough,

00:06:39.670 --> 00:06:45.240
I was able to get his clear text password right off the bat. That was kind of scary.

00:06:45.240 --> 00:06:49.590
JACK: Now he realized that if anyone enabled the AI Cloud feature of this

00:06:49.590 --> 00:06:54.120
router, then anyone on the internet can easily find the password to this router.

00:06:54.120 --> 00:06:58.830
KYLE: You could literally create a list of all of the Asus routers

00:06:58.830 --> 00:07:02.310
there are in the world with that directory structure and just snag

00:07:02.310 --> 00:07:07.230
each one of them that had port 443 open.
JACK: He was becoming increasingly concerned

00:07:07.230 --> 00:07:11.700
about the security of this router. He was running it with the latest patches and updates

00:07:11.700 --> 00:07:17.810
and it had all these security problems. He began researching whether this was a known bug or not.

00:07:17.810 --> 00:07:23.400
KYLE: It kind of scared me a little bit because I knew how popular this router was. I quickly

00:07:23.400 --> 00:07:28.380
looked online to see if anyone else had found it, hoping somebody else had found it. When I

00:07:28.380 --> 00:07:32.400
didn’t find anyone else had found it I was like, uh-oh. I better spend a little more time on this.

00:07:32.400 --> 00:07:37.860
JACK: At this point Kyle had a long list of security flaws

00:07:37.860 --> 00:07:40.740
he found in this router. These issues were…

00:07:40.740 --> 00:07:45.690
KYLE: The clear text password was in an unprotected directory structure. You had the FTP

00:07:45.690 --> 00:07:51.750
problem, Samba for the file sharing internally in the network, which was one of my other findings,

00:07:51.750 --> 00:07:56.370
then you had the bigger problem of the default passwords which was admin/admin.

00:07:56.370 --> 00:07:59.520
JACK: The router also has a VPN built into it,

00:07:59.520 --> 00:08:03.990
and by combining these vulnerabilities an attacker can gain access to your entire

00:08:03.990 --> 00:08:07.920
home network just as if someone is in your house using your WiFi.

00:08:07.920 --> 00:08:10.500
KYLE: It was disturbing to say the least.

00:08:10.500 --> 00:08:16.560
JACK: It became evident to Kyle that anyone with this router has a very insecure home

00:08:16.560 --> 00:08:22.350
network. Kyle used a website called Shodan to try to understand the size of this problem.

00:08:22.350 --> 00:08:27.420
Shodan is a website that scans the entire internet to see what IPs are alive and

00:08:27.420 --> 00:08:31.320
what ports are open. It also tries to get the type of system that’s running on those

00:08:31.320 --> 00:08:36.900
IPs. Kyle found at least 50,000 people were running the vulnerable FTP server.

00:08:36.900 --> 00:08:39.750
KYLE: The fifty, sixty, seventy thousand that were vulnerable,

00:08:39.750 --> 00:08:46.800
that was just to the FTP. You’re talking two to three times that amount to the port 443

00:08:46.800 --> 00:08:52.290
and then the port 80 default password. That was the really disturbing thing,

00:08:52.290 --> 00:08:59.490
is that attackers could use it as a one-stop shop to dump all their – whatever malicious

00:08:59.490 --> 00:09:07.770
files they were sharing or downloading. It even came with a torrent download little program.

00:09:07.770 --> 00:09:11.880
Then they could use the VPN of these people, whoever the end users were, wherever they were,

00:09:11.880 --> 00:09:17.790
to then proxy – kind of proxy their attacks or their malicious deeds online furthermore.

00:09:17.790 --> 00:09:23.610
JACK: Kyle was now understanding the massive size of this problem. This high-end expensive

00:09:23.610 --> 00:09:28.590
router that he had purchased was full of glaring security vulnerabilities and bugs that were not

00:09:28.590 --> 00:09:34.740
yet known to the vendor or discussed publicly. It made over 100,000 people vulnerable to attacks

00:09:34.740 --> 00:09:39.990
in their own home, attacks such as taking their files, accessing internal computers,

00:09:39.990 --> 00:09:44.790
controlling the user’s router, or using the router to wage attacks on other systems.

00:09:44.790 --> 00:09:48.390
KYLE: The end user, until their router started going down,

00:09:48.390 --> 00:09:52.440
I doubt would ever have the knowledge that anything was happening to them at all.

00:09:52.440 --> 00:09:56.670
JACK: When software has security bugs in it and the vendor is not aware of the problem,

00:09:56.670 --> 00:10:01.770
this is called a zero-day vulnerability. It’s called a zero-day because that’s how many days

00:10:01.770 --> 00:10:06.900
since the vendor has been aware of the problem. Once the vendor is aware of the problem it’s no

00:10:06.900 --> 00:10:12.330
longer a zero-day and the vendor can work on releasing a fix. Now put yourself in Kyle’s

00:10:12.330 --> 00:10:18.450
shoes for a moment. You’ve just found numerous unfixed bugs in a very popular home router. This

00:10:18.450 --> 00:10:24.510
bug allows you to access the private networks of over 100,000 homes around the world. Not only can

00:10:24.510 --> 00:10:29.100
you easily get into the home network but you can also have the ability to see all their files and

00:10:29.100 --> 00:10:34.440
use their router as a proxy. What would you do if you had this kind of knowledge and capability?

00:10:34.440 --> 00:10:39.970
Would you go around looking at everyone’s files to see what they had? Would you try to sell these

00:10:39.970 --> 00:10:45.520
exploits on the dark market for some Bitcoin? How would it make you feel to be in this situation?

00:10:45.520 --> 00:10:52.630
KYLE: I was kind of angry that I had bought this thing with this glaring vulnerability.

00:10:52.630 --> 00:11:00.640
I wanted to get Asus on board right away with it, get their info set group or whatever team

00:11:00.640 --> 00:11:06.100
they had doing security to fix it right away because it affected more than just a few people.

00:11:06.100 --> 00:11:11.620
JACK: For Kyle the choice was easy. Not even once did he try to view someone else’s files

00:11:11.620 --> 00:11:17.380
or use this knowledge for anything malicious. He simply wanted this bug fixed to help improve

00:11:17.380 --> 00:11:22.690
security for thousands of people. In fact, he was a customer too and he wanted the bug fixed

00:11:22.690 --> 00:11:27.820
for his own router. He began trying to figure out how to contact Asus, the makers of this router.

00:11:27.820 --> 00:11:33.010
KYLE: I think it was around February or March I sent my first e-mail. I hadn’t

00:11:33.010 --> 00:11:36.640
done much in the way of public disclosures before and whenever I had found something,

00:11:36.640 --> 00:11:42.400
it was usually – I would send an anonymous note in, which I did for about a month. Didn’t get any

00:11:42.400 --> 00:11:46.540
response back to my anonymous e-mail account. I had a fake name in there. I said you know what,

00:11:46.540 --> 00:11:49.990
I’m going to use my real name and my real e-mail address because this is that important.

00:11:49.990 --> 00:11:56.380
JACK: Kyle sent Asus another e-mail, this time using his real name. Three

00:11:56.380 --> 00:12:04.470
weeks go by. Still no response from Asus, so Kyle sends them another e-mail in May.

00:12:04.470 --> 00:12:07.410
KYLE: They did respond; they say okay, we’ll take a look at it.

00:12:07.410 --> 00:12:12.150
JACK: Kyle was somewhat relieved to have finally gotten a response but he wasn’t

00:12:12.150 --> 00:12:17.790
going to be satisfied until the fix was released. He waited two more weeks, and it

00:12:17.790 --> 00:12:21.870
has now been two months since he first notified them of this problem. There’s

00:12:21.870 --> 00:12:26.850
still no bug fix or press release telling customers that this problem exists. In fact,

00:12:26.850 --> 00:12:31.740
Asus hasn’t even confirmed they see a problem yet. He was starting to lose patience with them.

00:12:31.740 --> 00:12:35.850
KYLE: I sent another e-mail and then another couple e-mails after that. I wasn’t trying to

00:12:35.850 --> 00:12:39.690
hound them. I just wanted them to say yeah, we’ve confirmed that this is a vulnerability

00:12:39.690 --> 00:12:47.310
because I kind of wanted to forget it and move on. After about a month of that I decided to go

00:12:47.310 --> 00:12:54.150
with the partial disclosure online to kind of prod them to move a little bit faster because

00:12:54.150 --> 00:12:57.510
they weren’t warning their customers and people were just going out and buying these routers.

00:12:57.510 --> 00:13:05.190
JACK: What Kyle decided to do was post the bug he found publicly online for anyone to see. This

00:13:05.190 --> 00:13:09.540
was a hard decision to make. On one hand, he’s notifying the customers there’s a bug in their

00:13:09.540 --> 00:13:14.100
router which lets strangers access their router and connect to their drives, but on the other

00:13:14.100 --> 00:13:19.320
hand he’s going to be giving keys to hackers which they can use to enter thousands of people’s homes.

00:13:19.320 --> 00:13:24.030
KYLE: What I know as far as being an individual independent researcher,

00:13:24.030 --> 00:13:31.770
my voice doesn’t carry a lot of weight so when I find something individually and the vendor doesn’t

00:13:31.770 --> 00:13:36.960
want to fix it or they don’t care about it, the only tool we really have at our discretion,

00:13:36.960 --> 00:13:42.090
unless you’re really connected in with some reporters or something, but is to embarrass

00:13:42.090 --> 00:13:47.490
them. Embarrass them into fixing the bug. Unfortunately embarrassing them sometimes

00:13:47.490 --> 00:13:51.960
means giving a proof of concept that this is truly a bug and here’s the proof of concept. Yes,

00:13:51.960 --> 00:13:56.280
I know the bad guys are also going to see this proof of concept but some vendors just don’t

00:13:56.280 --> 00:14:01.860
care until the PR hits them. When the PR hits and the bad press hits and it gets out there

00:14:01.860 --> 00:14:07.620
that they have a buggy application or a buggy router or switch or whatever it is, then they

00:14:07.620 --> 00:14:13.740
get moving on fixing it. It’s a dangerous thing for us to do because we get – I’ve had lawsuit

00:14:13.740 --> 00:14:21.720
threats before. It doesn’t feel too good to know that because you disclosed something people have

00:14:21.720 --> 00:14:27.990
gone and exploited it but as I said, I’ve told my wife and several other people, said I don’t break

00:14:27.990 --> 00:14:33.390
the software applications. It would be impossible to do. I only point out where it’s already broken.

00:14:33.390 --> 00:14:41.760
JACK: This concept of posting a security vulnerability publicly for the world to

00:14:41.760 --> 00:14:46.380
see is called full disclosure. This topic is often debated in the security community.

00:14:46.380 --> 00:14:50.550
Kyle was hesitant to share all his findings with the public, though.

00:14:50.550 --> 00:14:57.150
KYLE: I went with a partial disclosure, not really getting into details about what it was

00:14:57.150 --> 00:15:05.940
but saying what it could do. I briefly mentioned the FTP issue but I didn’t go into depth about it.

00:15:05.940 --> 00:15:14.310
JACK: Now Kyle watched and waited for Asus to respond. Three more weeks went by. It’s

00:15:14.310 --> 00:15:18.300
now been four months since he first brought this to their attention and they still haven’t

00:15:18.300 --> 00:15:22.560
even confirmed they agree it’s a flaw. Kyle decided to take it a step further.

00:15:22.560 --> 00:15:28.500
KYLE: That’s when I went on there and I put that one disclosure about the clear

00:15:28.500 --> 00:15:35.520
text password which got picked up. A bunch of outlets picked it up and they ran from there,

00:15:35.520 --> 00:15:44.010
crazy. I didn’t mention the FTP thing because I thought that was really damaging if all

00:15:44.010 --> 00:15:48.690
of a sudden I just threw those 70,000 people under the bus. I know full disclosure really

00:15:48.690 --> 00:15:53.280
should be full disclosure and today I probably would have done it a little differently.

00:15:53.280 --> 00:15:58.200
JACK: [MUSIC] Security blogs, websites, and news outlets saw Kyle’s disclosure and began

00:15:58.200 --> 00:16:02.370
writing articles about the glaring security flaw. They were able to articulate exactly

00:16:02.370 --> 00:16:08.220
how bad this issue was. Customers began getting upset and demanding Asus to fix the problem.

00:16:08.220 --> 00:16:14.850
KYLE: That got them in gear to at least fix a couple of the issues but the FTP

00:16:14.850 --> 00:16:19.110
issue went – remained unfixed through August and September.

00:16:19.110 --> 00:16:22.530
JACK: So Kyle e-mailed them again. This time Asus

00:16:22.530 --> 00:16:26.280
connected Kyle with someone from PR who’s also a liaison to developers.

00:16:26.280 --> 00:16:32.460
KYLE: He said, okay, well we’ll take a look at it but this is by design. This is by design.

00:16:32.460 --> 00:16:39.900
We call it, and I kid you not, infinite sharing. This is our infinite sharing,

00:16:39.900 --> 00:16:45.630
I don’t know, I guess you would call it, I don’t know, an upsell or something,

00:16:45.630 --> 00:16:50.400
that it was supposed to be so you could share with your – everybody. I

00:16:50.400 --> 00:16:53.880
said everybody? Like everything on your hard drive could be shared with them?

00:16:53.880 --> 00:16:56.370
JACK: This response did not satisfy Kyle.

00:16:56.370 --> 00:17:00.870
KYLE: I was like, oh, come the F on. Jesus Christ,

00:17:00.870 --> 00:17:07.560
no. But I just let it go at that point because they weren’t going to fix it.

00:17:07.560 --> 00:17:14.450
They knew about it but there’s really – sometimes you can’t really do anything.

00:17:14.450 --> 00:17:25.460
JACK: October passes. November passes. December and January pass. At this point all the bugs Kyle

00:17:25.460 --> 00:17:30.830
found were public knowledge. Partially from the clues he mentioned and partially because of the

00:17:30.830 --> 00:17:37.670
extra attention on Asus. The vulnerabilities he found were present on ten different Asus

00:17:37.670 --> 00:17:43.820
router models. Knowledge of this vulnerability continued to spread around the internet. Unwanted

00:17:43.820 --> 00:17:49.820
strangers were now going around looking into people’s files. It’s a high probability that

00:17:49.820 --> 00:17:56.720
every Asus FTP server was accessed by multiple strangers at this time. They probably looked

00:17:56.720 --> 00:18:02.480
through the files and took anything that looked interesting, and even uploaded files as a stash

00:18:02.480 --> 00:18:13.130
point. An unknown group of people tried to take matters into their own hands. They did a scan on

00:18:13.130 --> 00:18:18.980
the internet and looked for all vulnerable Asus routers and found just over ten thousand IPs

00:18:18.980 --> 00:18:24.170
that were running the anonymous FTP server. They accessed each one of these routers and

00:18:24.170 --> 00:18:29.120
left a note. It said, “Warning. You are vulnerable. This is an automated message

00:18:29.120 --> 00:18:34.040
sent to everyone who was affected. Your Asus router and your documents can be accessed by

00:18:34.040 --> 00:18:39.920
anyone in the world with an internet connection. Solution: completely disable FTP and AI Cloud

00:18:39.920 --> 00:18:46.130
immediately.” The note was signed by /G. This may mean the hackers originated from the technology

00:18:46.130 --> 00:18:52.700
board on 4Chan which uses /G as their name. The note also called this incident ASUSGATE.

00:18:52.700 --> 00:18:59.810
Let’s try to understand the feeling of being a victim to this. Imagine you go to sleep at night

00:18:59.810 --> 00:19:05.690
in your nice, cozy, safe, warm bed and sleep peacefully through the night. You wake up,

00:19:05.690 --> 00:19:10.670
walk into the bathroom, use the toilet, and when you look in the mirror there’s a note written on

00:19:10.670 --> 00:19:16.490
it telling you there has been a door open in your home for eight months and anyone can walk in.

00:19:16.490 --> 00:19:20.810
The creepiness feeling you get when you realize someone has been in your router looking at your

00:19:20.810 --> 00:19:27.350
files is unexplainable. It’s a feeling of being violated and it’s horrible. Asus customers were

00:19:27.350 --> 00:19:33.230
outraged that their hard drives and files were accessed. Now, because the FTP server did not

00:19:33.230 --> 00:19:38.210
have a password on it, it’s questionable whether accessing it is illegal or not. If there’s no

00:19:38.210 --> 00:19:44.090
restriction keeping people out, then some laws say it’s legal to access it. The hackers did

00:19:44.090 --> 00:19:49.880
not use any special tool, or bypass, or hack, or trick to access the files. They used a standard

00:19:49.880 --> 00:19:55.550
FTP client and no password was required to do what they did. Since Asus said this

00:19:55.550 --> 00:20:00.260
was a feature and not a security bug, then it’s even more likely that this act was not criminal.

00:20:00.260 --> 00:20:07.550
KYLE: That got Asus back in gear but Asus contacted me like I had done it. In fact,

00:20:07.550 --> 00:20:12.200
a couple of people were like oh, so why did you do that? I’m like, I didn’t do that. Some

00:20:12.200 --> 00:20:17.600
other group did. They had good intentions. They were just dropping a text file on their FTP but

00:20:17.600 --> 00:20:22.220
I certainly wouldn’t have done it in that manner if I had done something like that.

00:20:22.220 --> 00:20:26.990
JACK: The news of the hackers uploading notes to people’s routers made its way to major news

00:20:26.990 --> 00:20:31.250
networks. In fact, Kyle was even interviewed by CNN at one point to explain the situation.

00:20:31.250 --> 00:20:36.140
He was nervous about the interview and was impressed at how big the news had become.

00:20:36.140 --> 00:20:40.250
KYLE: It got fairly big and a little concerning for my first disclosure publicly.

00:20:40.250 --> 00:20:46.520
JACK: Eventually Asus fixed all the bugs Kyle had reported, but after that Kyle found even

00:20:46.520 --> 00:20:51.920
more bugs in their fixed versions and reported them, too. Eventually Asus resolved these issues,

00:20:51.920 --> 00:21:02.920
too. A few years later in February 2016, the United States Federal Trade Commission

00:21:02.920 --> 00:21:09.040
filed a case against Asus. The FTC believed a law may have been broken by Asus. Five months

00:21:09.040 --> 00:21:15.040
later a verdict is reached. The FTC saw proof that over 10,000 customers had their data accessed by

00:21:15.040 --> 00:21:20.650
an unwanted intruder. The FTC said Asus was not addressing security issues in a timely manner.

00:21:20.650 --> 00:21:25.990
Asus settled on the case and the FTC approved the following orders that Asus must comply with:

00:21:25.990 --> 00:21:31.870
Asus must not mislead their customers about security flaws. They must clearly notify their

00:21:31.870 --> 00:21:36.250
customers publicly when a security update is available. They must conduct security audits on

00:21:36.250 --> 00:21:40.570
their products. This includes penetration testing, employee training, code reviews,

00:21:40.570 --> 00:21:46.330
risk assessments, and more. The security audits must be submitted to the FTC to prove they have

00:21:46.330 --> 00:21:52.480
taken place. If Asus failed to comply with any of these orders they will be fined $16,000 for

00:21:52.480 --> 00:21:59.500
each violation. The harshest part of the FTC orders is that the FTC is requiring audits

00:21:59.500 --> 00:22:06.910
to continue for the next twenty years. Asus has to comply with these orders until 2036. [MUSIC]

00:22:06.910 --> 00:22:14.280
KYLE: To this day there are still two to three thousand – and it’s how many years

00:22:14.280 --> 00:22:20.250
later? Three and a half years later? If you go on Shodan you’ll see two to

00:22:20.250 --> 00:22:24.930
three thousand people still have the old firmware on that exposes their entire FTP

00:22:24.930 --> 00:22:30.090
and therefore all of their internal hard drives they have plugged into the back of

00:22:30.090 --> 00:22:34.470
that router to the world as an anonymous reroute access, which is quite scary.

00:22:34.470 --> 00:22:38.730
JACK: Thousands of people remain vulnerable still because they simply haven’t patched their router.

00:22:38.730 --> 00:22:44.700
There’s a fix available but they either aren’t aware of it or don’t care to fix it. If you have

00:22:44.700 --> 00:22:50.460
an Asus router, it’s a good idea to keep it up to date and patched up. There are now new methods for

00:22:50.460 --> 00:22:55.170
security researchers to work with vendors to fix these problems. Some companies will offer a bounty

00:22:55.170 --> 00:23:00.270
reward for any security bugs found. These bounties can result in researchers making thousands of

00:23:00.270 --> 00:23:05.970
dollars by finding a single vulnerability. For the record, Kyle never did ask for a bounty reward,

00:23:05.970 --> 00:23:10.980
nor was he offered any bounty reward for his findings in the Asus routers. The Department

00:23:10.980 --> 00:23:16.200
of Homeland Security has a branch called the US Computer Emergency Readiness Team, or US-CERT.

00:23:16.200 --> 00:23:22.470
KYLE: US-CERT has really stepped up its game. A lot of people now go to US-CERT, who will do

00:23:22.470 --> 00:23:27.690
that work for them; that will get in touch with the vendor and do the disclosure and do

00:23:27.690 --> 00:23:33.960
it publicly. Thank them for really stepping up and helping a lot of us. I don’t really have to

00:23:33.960 --> 00:23:39.240
do full disclosure hardly anymore because I can go to US-CERT on most items and say hey,

00:23:39.240 --> 00:23:42.090
can you help us out here? I’ve been trying to go with this vendor, they don’t want to

00:23:42.090 --> 00:23:45.600
be responsive, and kind of put the ball in their court because they’re working with DHS,

00:23:45.600 --> 00:23:53.370
they’re working with MITRE and some other people to do that kind of work for the community.

00:23:53.370 --> 00:23:57.230
JACK: I’m curious Kyle, what home router do you use today?

00:23:57.230 --> 00:24:03.060
KYLE: Oh, right now I have the Xfinity – they actually have two models. That one

00:24:03.060 --> 00:24:07.830
for 100 MBs streaming and one for the regular size streaming which I actually

00:24:07.830 --> 00:24:11.910
found a vulnerability with because the actual firmware of this and the router’s

00:24:11.910 --> 00:24:18.000
hardware itself is actually made by Cisco who I disclosed three zero-days on those.

00:24:18.000 --> 00:24:20.910
JACK: It sounds like no matter where Kyle looks,

00:24:20.910 --> 00:24:23.970
he finds bugs in these home routers and even business-class routers.

00:24:23.970 --> 00:24:27.870
KYLE: I think they’ve still got a long way to go and I still think that security is

00:24:27.870 --> 00:24:33.030
an afterthought in most of the vendors. Until that mentality changes and until

00:24:33.030 --> 00:24:38.430
they really put some thought into getting some good pen testers to test their product,

00:24:38.430 --> 00:24:40.052
we’re still going to continue to see these things.

00:24:40.052 --> 00:24:49.740
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes and links check

00:24:49.740 --> 00:24:56.220
out darknetdiaries.com. Music is provided by Ian Alex Mac, Kevin MacLeod, and Tabletop Audio.

00:24:56.220 --> 00:24:59.070
[OUTRO MUSIC ENDS]
