ASUS rolled out an update to its firmware (3.0.0.6.102_34791) that now requires users to be over the age of 16 and to send a slew of metrics and data back to ASUS. If you do not agree or do not check the box to verify you are 16y or older, you cannot use the router. At this time, I’m not sure if ASUS has meant to disable the router for anyone under 16 or if it’s a bug.
You can opt out at any time but lose access to a slew of features:
Please note that users are required to agree to share their information before using DDNS, Remote Connection (ASUS Router APP, Lyra APP. AiCloud, AiDisk), AiProtection, Traffic analyzer, Apps analyzer, Adaptive QoS, Game Boost and Web history. At any time, users can search the contents of the terms at this page or stop sharing their information with other parties by choosing Withdraw.
Moreover, ASUS disables automatic firmware updates and worse, all security upgrades unless you opt into the data sharing. Security upgrades perform the following:
Security upgrade incorporates security measures that continuously update its security file and scans to protect against malware, malicious scripts, and emerging threats in order to secure the router and ensure system stability. Some upgrades addressing important security issues or meeting legal/regulatory requirements will still be downloaded and installed automatically, even if “Security Upgrade” is turned off.
Edit: I have personally contacted their CEO’s office, but if others would like to voice their disapproval as well, here is a link: https://www.asus.com/us/support/article/787/
If you own a router from ASUS and find OpenWRT too difficult:
install Asuswrt-Merlin
The data sharing happens on merlin too
It builds on devices’ source code published by ASUS. The is no data sharing with ASUS.
Merlin’s privacy disclosure:
The only outbound connection made with me by this firmware is when the firmware checks for availability of a new version.
That thread is about the official firmware as distributed by ASUS.
Here are some screenshots from my router administration pages. Notice the “Powered by Asuswrt-Merlin”.
In the first image you can see that I have a particular feature disabled.
When I toggle it on I receive a warning that my information will be collected by Trend Micro.
I included another screenshot showing the location where I would withdraw my consent to having my data collected, were I to actually use the advanced features of the router, that I thought I was paying for at the point of sale. Instead I was apparently paying for the privilege of having the option dangled in front of me, behind an agreement for yet another, separate company to collect my family’s data.
The title could use the word “router” somewhere.
Done 🙏
Fr. Had me thinking ASUS Motherboards. Really had me going there😅
They are next 🫠
New ASUS firmware now requires a user to be 16y or older router and will restrict features and even security upgrades if you opt out
Like that?
Wow thanks I never could have figured that one out myself!
New ASUS firmware now requires a user to be 16y or older router and will restrict features and even security upgrades if you router out
Missed a spot.
Fantastic. Time to deliver opnsense and/or pfsense to the masses. Or better, recycle a router with openwrt or similar
The data sharing persists even with merlin. I get a prompt about it as soon as I tried to enable those advanced features. I still get updates though.
That was the case before the update, but they didn’t bar security updates and firmware upgrades or not let you even into the router without consent. I had those disabled but the update makes opting in mandatory.
Merlin
That thread isn’t about Merlin firmware?
Here are some screenshots from my router administration pages. Notice the “Powered by Asuswrt-Merlin”.
In the first image you can see that I have a particular feature disabled.
When I toggle it on I receive a warning that my information will be collected by Trend Micro.
I included another screenshot showing the location where I would withdraw my consent to having my data collected, were I to actually use the advanced features of the router, that I thought I was paying for at the point of sale. Instead I was apparently paying for the privilege of having the option dangled in front of me, behind an agreement for yet another, separate company to collect my family’s data.
Yeah but that’s not new, that has existed for years even in Merlin firmware. People were saying that this affects Merlin but I’m not seeing any indication of it yet.
Yes I know ASUS is shitty and evil, and it sucks that those features are gated behind abandoning your privacy, but I was saying that part isn’t new, and I don’t think this new stuff affects Merlin yet.
We’ll see how it all plays out, though.
Sorry about that. I guess I completely missed your point that you were referring to data sharing only via the new “agreement” getting foisted on people. Fingers crossed it doesn’t get into Merlin.
THE YEAR OF OPENWRT!
/s not /s
openwrt is pretty nice
Unfortunately, lots of ASUS routers (especially the “gamer” oriented ones) use Broadcom chipsets. Broadcom support is severely lacking, (because Broadcom has refused to allow open source drivers) so in many cases switching to openwrt will severely cripple the router. Even basic shit like WiFi will stop working, because there isn’t a WiFi driver available.
this is dissapointing. the enshitification of asus in general has been dissapointing…
Fresh tomato does Broadcom.
Asus would do good in hiring a real lawyer. Parents accept, kid uses router, data collected of child, illegal. So easy to rip them a new one.
never use stock router firmware
You know, I’d 99% of the time agree with you but has anyone else tried out the little (travel?) routers from GL-iNet?
Their default router interface ain’t half bad at all, and if you do need to use Luci you can simply do that too
I bought a couple of them for a family member and they haven’t poked me once for help with them.
i dont blame you. GL-inet routers have always seemed so cool to me. always wanted to get one.
paired with the blue merle firmware it would be a godlike setup
https://github.com/srlabs/blue-merle
but i think blue merle is not being maintained anymore… is there any other firmware with similar functionality? like imei rotation, mac randomizer, etc? that you know of, even for similar hardware
Fraid not.
I recall worrying about MAC address tracking one time and using Chainfire’s MAC privacy app, but that’s a non factor now since they’re randomised by default on Android on the most recent versions.
Any other open source alternative you recommend?
On ASUS routers, the best choices are OpenWRT or Asuswrt-Merlin.
openwrt
Usually it’s OpenWRT
There is also FreshTomato if your router has Broadcom wifi chipset like mine does.
Broadcom sucks I would avoid it at all costs.
openwrt or ddwrt
If I bought one of their routers and this came up, I would simply be returning it and giving the person at the counter a printout as to why. Sorry, but this router is not “suitable for purpose”. Look up that phrase and “merchantability”.
Agree. Straight back for refund. In Australia we can legally choose the manufacturer, or the retailer. I’d go straight to Asus, to give them the message directly.
Trying to refund through Asus will result in them dragging their feet, being as unhelpful as possible, or claiming you damaged the product.
Which will result in federal agencies going straight up their arse.
Many countries outside the US have actual consumer protections
I would hope so, but Asus has been doing things like this for at least 10+ years which makes me doubtful that anything will change soon.
I’ve been down that road with Samsung. One mention of our consumer laws, with a link to the contact form where I can report them, and refund issued immediately. Australia has good laws. People just need to flex em.
I would rather not have less options in this world and force companies not to be dicks. I guess to each their own. My router is also 2y old so no returns available.
For the downvoters, in the US:
https://www.findlaw.com/consumer/consumer-transactions/what-is-the-warranty-of-merchantability.html
The implied warranty of merchantability guarantees that a product sold to you will work for its intended purposes. In other words, it means you can expect a toaster to toast your bread. If it doesn’t, you have legal protection against losing money on a product that doesn’t work.
If you bought the router expecting it to work as advertised, you may make a claim if it doesn’t. They would have to spell out ahead of time what the limitations and requirements are in order to avoid trouble.
You have no claim. The update does not disable the router and even if you opt out, the router itself still functions, except with a few additional features missing. Telemetry and data collection does not void a warranty. There is no claim here.
That would be for the legal system to decide. If you purchased it for a specific advertised feature, and that feature was disabled unless unspoken terms were agreed to, you would have a case.
Protecting your network from internet-bound threats is one of the most important jobs of a router, and that involves receiving security updates. Once your router no longer receives security updates, you should stop using it.
I guess I’m not updating my routers anymore then. Sucks though. It seemed to be the only Asus product that wasn’t garbage.
Look into OpenWRT. It is more complex to setup but it is a Swiss army knife.
That sucks too because you miss out security fixes. I would rather run a secure and up to date firmware that leaks data to ASUS than one with known security exploits. If those were my only options.
I’d rather update it as well. But the routers are behind my ISP router and aren’t externally accessible. The attack surface is smaller in that regard. I’m not happy with the thought of an unpatched router. Maybe I can hold out long enough for merlin to support my routers.
I dont think the latest few updates I did mentioned any security updates. Only bugfixes.
I’ll tackle the problem when it presents itself I guess.
I’m sure asuswrt-merlin won’t have this nonsense.
Routers aren’t supported by merlin unfortunately :(
Do you mean modems?
All you need is Protectli with OPNsense and cheap TP-Link in AP mode.
I just write letters to the websites I interact with. I get a good deal on stamps.
I don’t think that would have enough RAM
Give it a minute: Tech Jesus and his Nexus friends are having a great time with ASUS recently. I’m sincerely looking forward to how far they take things.
Who is this “Tech Jesus”?
Hello there
Stephen Burke, Editor-in-Chief and founder of Gamers Nexus. They do computer hardware reviews, consumer advocacy and sometimes even investigative journalism. Steve has a majestic mane, earning him that nickname.
See https://gamersnexus.net/ and https://www.youtube.com/@GamersNexus
Here is an alternative Piped link(s):
https://www.piped.video/@GamersNexus
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Ah, fair enough.
I remember seeing that Openwrt is working on getting their own hardware sometime in the future. Might be worth looking at when the time comes. I’ll stick with merlin until that goes the same way.
Isn’t the Banana Pi R64/R3/R4 close enough to that?
I like Linksys for OpenWRT. They are cheaper and the chipset is often the same. They aren’t high performance devices by any stretch but they are pretty solid in my experience.
I do wish OpenWRT would partner with a existing company instead of trying to go alone. There are several companies that make hardware specifically for OpenWRT. It would be nice if they would just work to have a “certified by OpenWRT” badge. They could then donate a percentage of the sale to the project.
I’m seeing a few comments suggesting OpenWRT, which is what I use and love: the correct response to this level of capitalist tomfoolery should absolutely be to 1. buy hardware that supports FOSS out of the box, or 2. install FOSS firmware.
BUT: OpenWRT isn’t for everyone. Installation on supported devices is usually pretty easy, but it does require being invested in setup, maintenance, and understanding of the software. There is little built-in handholding, and most setup beyond basic functions requires reading the docs and wiki; sometimes, some functionality requires running commands directly on the device rather than the LuCI web-interface.
This kind of understanding and investment should be the end-goal of all privacy-oriented tech users. Technology is complicated, and each layer of handholding that devs add also necessarily obfuscates behind-the-scenes functionality, which runs counter to privacy and security. That being said, the barrier for entry to privacy-respecting tech shouldn’t be “a masters in CompSci,” and thus any alternative to major tech brands is still a step up from just accepting what they give you. Just be aware that your current firmware may be a stepping stone towards software freedom, instead of a stopping point.
Next DEFCON is in two months, can’t wait to see them get absolutely pwned.
