Asus wireless routers running ASUSWRT firmware (in other words, anything
with an RT- in the model name) have a design flaw in which the
administrator web interface may be open to the public Internet even if you
have specifically disabled web access from the WAN.

Specifically, these routers have two separate controls that affect access
to the router web interface, and no warning that one can override the
other. In order to block public access to your router, both of the
following must be set:

Enable Web Access from WAN: No
Enable Firewall: Yes

If Enable Firewall is set to No, that will override WAN access setting,
with no warning, enabling anyone that knows your IP address to access your
router's administrative interface from anywhere in the world. The attacker
would still have to figure out your password, but this simple design error
makes it all to easy to think you have secured your router, and yet still
be vulnerable.

Looking over Shodan for other devices with banners consistent with Asus
routers, I see around 122,000 routers with a publicly-reachable HTTP
service.

I also find another 15,000 with a publicly accessible HTTPS service -
meaning the owner knew enough to restrict administrative access to an
secured login. I would expect most administrators that took the time to
restrict access to HTTPS, also took the time to restrict such access to
only local devices. In other words, 15,000 people made an effort to
secure their routers, and yet could still be pwned from an Internet
attacker.

This is true as of the most recent firmware available, version
3.0.0.378.9460 dated December 29, 2015. I have tested a beta firmware
release that fixes this situation, and expect it will be publicly released
shortly. In the meantime, both "Enable Web Access from WAN" and "Enable
Firewall" must be set properly in order to block public access to the web
UI.

Details, along with an export of the relevant iptables rules set by the
various settings, are at
http://www.securityforrealpeople.com/2016/02/poor-ux-leads-to-poorly-secured-soho.html


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen