FlexHub Forum

Off Topic => Anything goes => Topic started by: FlipFlop™ on April 12, 2015, 19:40:16

Title: Asus routers with AiProtection send full GET requests to Trend Micro
Post by: FlipFlop™ on April 12, 2015, 19:40:16
Asus currently sells wireless routers that include AiProtection powered by Trend Micro.
Since the Trend Micro software is closed source, it's a big mystery how Trend Micro protects the users from malicious sites and vulnerabilities and what data it sends out exactly.

So I've monitored some of its behavior. I've noticed that one thing the router does (if you have enabled any part of AiProtection) is sending the full URL of visited webpages to Trend Micro. Within 20 seconds to a few minutes, a Trend Micro bot then connects to that exact same URL. If your original URL uses GET, then it can even include your session tokens and all the other key/pairs that were in the original URL. So it can receive an exact copy of the page you visited, even if you're logged in on a regular/unencrypted http:// website. I haven't monitored what happens with POST requests yet.

This means that Trend Micro can collect, monitor and store your complete browsing history and technically can even take over (unsecure) web sessions by using the token you use yourself. This is a huge privacy and security issue.

I recommend everyone who uses a router with AiProtection to completely disable it, and to take other security measures to make sure you don't get infected by malicious sites, and update firmware regularly to protect against vulnerabilities.
In this case the IP range of the Trend Micro botnet was always in the 150.70.*.* range, but that might not always be the case.

Hope this helps someone.

Greetz, FlipFlop
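
The replay pattern described in the post can be checked for in a web server's access log. The following is an added example, not part of the original post: it flags GET requests from the 150.70.0.0/16 range that repeat a URL another client fetched shortly before. The combined log format, the 5-minute window and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Range reported in the post; the author notes it may differ elsewhere.
SCANNER_NET = ip_network("150.70.0.0/16")
WINDOW = timedelta(minutes=5)  # assumption: upper bound for "a few minutes"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

# Constructed sample access-log lines (Apache/nginx combined format).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2015:19:01:02 +0000] "GET /account?sid=abc123 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Apr/2015:19:01:05 +0000] "GET /style.css HTTP/1.1" 200 900
150.70.1.20 - - [12/Apr/2015:19:01:40 +0000] "GET /account?sid=abc123 HTTP/1.1" 200 5120
198.51.100.9 - - [12/Apr/2015:19:02:00 +0000] "GET /account?sid=zzz999 HTTP/1.1" 200 5120
150.70.1.21 - - [12/Apr/2015:19:30:00 +0000] "GET /style.css HTTP/1.1" 200 900
"""

def parse(log_text):
    """Yield (timestamp, ip, method, url) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, ip_address(m["ip"]), m["method"], m["url"]

def find_replays(log_text, net=SCANNER_NET, window=WINDOW):
    """Return GETs from `net` that repeat a URL another client fetched within `window`."""
    last_seen = {}  # url -> (timestamp, ip) of the latest GET from outside `net`
    hits = []
    for ts, ip, method, url in sorted(parse(log_text), key=lambda r: r[0]):
        if method != "GET":
            continue
        if ip in net:
            prev = last_seen.get(url)
            if prev and ts - prev[0] <= window:
                hits.append({"url": url, "client": str(prev[1]), "scanner": str(ip),
                             "delay_s": int((ts - prev[0]).total_seconds()),
                             "has_query": "?" in url})
        else:
            last_seen[url] = (ts, ip)
    return hits

if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG):
        print(hit)
```

A hit with `has_query` set means the repeated request carried the original query string, which is where a session token in a GET URL would be exposed.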