The ASUS Dumpster Fire



video description

Sponsor: Thermaltake TR100 mini-ITX Travel Case on Amazon https://geni.us/Yn9DXb

ASUS' decisions to force unwanted software onto users have put them at risk, like with Armoury Crate, MyASUS and DriverHub, and even its AI security features in its routers. We sought peer review from a security researcher, Paul (aka Mr Bruh), to dig into the topics of ASUS' vulnerabilities and exploits. If you have ASUS software installed, you should think about removing it -- and you should minimally update it. Likewise, be careful of what data you feed into ASUS' RMA and warranty system.

Grab the Honey Pot T-Shirt: https://store.gamersnexus.net/products/honey-pot-foil-tshirt-100pct-cotton-limited
Date: 2025-07-20

Comments and reviews: 20


As a penetration tester myself, I can tell you that companies vary wildly in how they approach security. Some companies proactively hire penetration testers to actively test and try to exploit their software, sometimes even with source code available to immediately find such problems. Others see security as money spent without anything in return, because in this case, it's not Asus paying the price - it's consumers.
Also, regarding bug bounties: Usually payout is dependent on the criticality of a vulnerability. Criticality is very loosely defined as how likely is it to be exploited and how bad is it if exploited. While the severity of the DriverHub exploit is quite high, the likelihood is quite low. And for a company like ASUS, a bug bounty of like 2000 USD should be perfectly reasonable.
And regarding disclosure policies: It's usually common for vendors to ask security researchers for an embargo when it comes to client updates, meaning they ask the researcher to not publish their findings for a month or so, to give users enough time to update and fix the vulnerability before it becomes widely known. Asking for a preview would generally be fine, but giving them a say in what is being written is not. Furthermore, asking him to check if the fix has been fine basically is them asking him to perform a professional service in a professional capacity, aka they should hire him as a contractor.

reply

17:08 Suggesting that developers should not verify that they actually fixed the reported, soon to be public bug is.. what's the term... Not Cool. Asking the researcher to verify that they actually fixed the reported flaw was the responsible thing for ASUS to do. Is the researcher obligated to test? No, at least, not unless ASUS hires them. Should ASUS offer a bug bounty? Yes. Should ASUS demand to review the researcher's blog post about it? Absolutely not.
But the problem with demanding that developers be permitted no followup verification with bug reporters/security researchers stems from the fact that language is inherently ambiguous and vague. It is entirely possible that the developer, while following the bug/flaw report's reproduction steps, stumbles on a different, but similar looking bug and fixes that. Verifying only internally will result in the originally reported bug going unfixed. This is a huge problem when the steps to exploit that bug are about to go public. A responsible developer should be reaching out to whoever reported the flaw to verify that yes, they did in fact fix the specific flaw that was reported.

reply

Fun fact: When Armoury Crate is installed, to be more specific any part of the RGB software inside of it (even if not fully installed and therefore functioning), ASUS' own various mice like the Chakram X Origin often do not work properly anymore.
For example, a very common bug is that your mouse pointer freezes after starting the system / waking it up and/or a random function, be it moving, scrolling or any click, might not work or behaves faulty. This mainly happens when the mouse is connected by cable. Bluetooth or 2.4 GHz is rather uncommon.
ASUS has been aware of this bug for years by now, but fails at fixing it. Which is a shame.
At least there are workarounds like detaching the cable and switching back and forth between the modes.
Another bug is that sometimes, out of the blue, if a G.Skill device like a keyboard is attached to an ASUS mainboard, the RGB software might crash or behave faulty for up to a minute at least a few times per hour. It's another bug ASUS has been aware of for years, but isn't fixing.
Both might be critical security bugs.

reply

Something else to check out - I've got an Asus TUF-AX5400 router, it's vulnerable as it runs ASUS TUF-AX5400 Firmware version 3.0.0.4.388_24194. I've just tried downloading one of the three newer firmware versions, I can't get any of the downloaded files to match the SHA256 published with the download. Just as a check, I've tried re-downloading version 3.0.0.4.388_24194 and I can get that to match the one published with the download.
That just caused me a little panic as I was wondering briefly if they'd used their own routers and someone's now gained access to their downloads section and is modifying the BIOS downloads.
I think I've found out what the problem seems to be - they tell us to run the SHA-256 checksum on the UNZIPPED file, which I've been doing. 388.24194 successfully matches on the unzipped file. Beyond that, it appears that they've changed this to be the checksum for the ZIP file itself, not the firmware file inside of it. Another poor look for them, causing a security alert while fixing a security alert. /facepalm.

reply
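
The mismatch described in the comment above (a published SHA-256 that covers the unzipped firmware file for one release and the ZIP itself for another) can be resolved in one pass by hashing both. This is an added example, not part of the comment and not ASUS tooling; the archive, its member names and the firmware bytes are constructed samples.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def locate_published_hash(zip_bytes: bytes, published: str) -> list[str]:
    """Return every object whose SHA-256 equals the published value.

    "<archive>" means the downloaded ZIP itself; any other entry is the
    path of a file inside it. An empty list means nothing matched, which
    is the case that warrants a re-download and further investigation.
    """
    published = published.strip().lower()
    matches = []
    if sha256_hex(zip_bytes) == published:
        matches.append("<archive>")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as member:  # stream, members can be large
                for chunk in iter(lambda: member.read(1 << 20), b""):
                    digest.update(chunk)
            if digest.hexdigest() == published:
                matches.append(info.filename)
    return matches


def build_sample_zip() -> tuple[bytes, bytes]:
    """Constructed sample: a fake firmware image plus a readme in a ZIP."""
    firmware = b"CONSTRUCTED-FIRMWARE-IMAGE" * 1000
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("firmware_sample.w", firmware)
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue(), firmware


if __name__ == "__main__":
    zip_bytes, firmware = build_sample_zip()
    for label, published in [("unzipped-file hash", sha256_hex(firmware)),
                             ("ZIP hash", sha256_hex(zip_bytes)),
                             ("unrelated hash", "0" * 64)]:
        print(label, "->", locate_published_hash(zip_bytes, published) or "NO MATCH")
```

For a real download, pass `open(path, "rb").read()` as `zip_bytes` and the value copied from the download page as `published`.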

I have a Maximus xii board that came with an ROG USB with drivers on it. The board also has the dumb crate as well. Why both? Why did we get rid of the CD/USB way of doing this? Then using the site like still exists. Why push all these other avenues when the originals still exist? CDs I totally get why they are not included anymore. But at the price that we have paid for the hardware we should still be getting a fancy thumb drive with the drivers on it. Then maybe we can download a tool that keeps that drive up to date with the latest, maybe even make version folders to allow easy rollbacking.
HL out

reply

I got the Asus ROG STRIX Z790-E Gaming WIFI a few years back because the motherboard I had ordered wasn't in stock and this was its equivalent and readily available. It has since fried a 13900K and then after the supposed firmware update that should prevent that, now also a 14900K. A USB bus keeps giving errors and outright refuses to install drivers. Bluetooth completely craps the bed if you try to update the drivers. Hope you can spread enough awareness to make this company go belly up. They are in fact the absolute worst. Was a 500 mobo if memory serves.
reply

These comments. I've been in IT for 30 years. From bench tech for CompUSA to working on R&D hardware for the AFRL. There is so much ignorance here...not just the video but the comments. And Gamers Nexus is pushing their store and also trying to raise money for some charity. What a shit show.
Steve: you said more than once that you are not cybersecurity experts but you still rail on Asus. Maybe consider getting some help here. I have issues with a lot of your videos but this feels like a hit piece founded in ignorance. You're better than this.

reply

I'm certainly not trying to defend ASUS, but I have done several RMAs and they have never given me any hassle. Immediate replacement within a few weeks. In my case I provide a fully documented writeup of symptoms, troubleshooting steps, and what fixed it (generally known good hardware). I can admit that ASUS quality has definitely gone down over the last 3-4 years and their support doesn't appear to be very friendly to non-technical consumers. If only one of these companies could fight for the user (Can we get a Tron brand?)
reply

GamersNexus Even if you have Armoury Crate disabled in BIOS it will still install an Asus update service executable. Run services.msc to bring up the list of services and scroll down until you see AsusUpdateCheck. Disabling it doesn't help as it'll just have Windows turn it back on at next reboot; instead you need to remove executable permissions from its file, C:\Windows\System32\AsusUpdateCheck.exe. Strip SYSTEM access to that file and it can't start itself and Asus will no longer be able to interact with your computer.
reply

As much as folk despise their stuff, an odd amount of folk still seem to flock to ASUS.
Doesn't help that ASUS makes OEM - ODM - and Server stuff (and in my case, one of few manufacturers in on Threadripper... they dropped the ball on that side too)
They all have their goldy and garbage options. Surely Asus has earned the hard avoid badge by now. Certainly have from me (where one can. Like Sony sensors, 90% are in that random smartphone, dash cam and drone; Asus makes parts for many components and systems)

reply

building gaming PC:
freaks about cyber security and stuff but uses or downloaded pirated software that were littered by viruses, trojan and other tools.
wanting to have beefy VRM on low end motherboards and yet uses 65w variants of cpu
so what they do:
Buys Gigabyte, end up with a DoA board. Goes through RMA...gets the board and almost a year later, get issues with RAM, CPU and after that RMA period board dies (hopefully not with other components in the system unit)

reply

Armoury Crate is such a sad joke. Their current download on the web is V6.1.18. My installed version on a ROG laptop is 6.2.11.0. How do I have a newer version than their current one? The darn thing, including its broken English, the shadowy modules it needs to download and the constantly failing Aura Creator add-in, of sorts, is such a nuisance and utter bloat. Just give me a tiny tool to set my keyboard colors and performance modes, without the ridiculous branding bloat.
reply

I believe you may like the term attack surface. It refers to the surface of an application, system, etc that is exposed to potential attacks. Listening on localhost is an example of increased attack surface, because now websites you visit can potentially interact with the software. Installing software nobody wants via BIOS could be viewed as a pointless increase of attack surface because it introduces additional software that can be attacked to people's computers.
reply

UGGGHHHH!!!!! Got an ASUS motherboard a year or so ago. Fortunately, I knew about disabling stuff in BIOS... I just can't afford to dump it. Although I'm 95% Linux use, there are 2 things I use Windows for that are work related. I can see why they do it: it's for the great unwashed who do not understand how to do the things that the blooded by 30 years of PC maintained know how to do, the unwashed just want it to work as easy as possible.
reply

Asus has always been bad at software support. It's been like this for decades. Hardware is top notch but they don't support it well with software. It's sad really. Motherboards with their sh1tty driver which has security holes. Routers with firmware that make the routers unable to connect to WAN after a reboot and they just left it that way without ever fixing it and started releasing new products. It's just so r3tarded.
reply

Speaking of other vendors: MSI does this very thing as well, although, for them, there is a toggle in the setup utility. Since most builders forgo optical storage altogether these days, carving out some space in the motherboard for driver setup utility and whatnot is a welcome feature, especially since I have received my board without a disk. But I wonder if it can be exploited the same way as well.
reply

After what happened last year, I WILL NEVER BUY ANY ASUS PRODUCT, EVER AGAIN !! I have shouted this out on many sites and YT videos. I also warned all my friends to NEVER buy ASUS !
In my eyes, and experience ... ASUS is just SCUM !! (They still owe me 120 euro (on a combo cashback deal) and after at least 7 emails back & forth, I just gave up.) They can go to HELL !!

reply

I was forced to use open RGB software to control the lights on my ASUS motherboard because ARMOURY CRATE would tank my FPS while gaming. Literally tested it against it installed vs from a backup OS system image with it not installed. Even after posting on forums etc I still never found out why it would do this. I would never trust it again even more so after this video.
reply

ASUS software has been notorious for 13 years! chipset drivers on both chipset drivers I've bought x99 and x670e and their ai suite damn near blew my x99 cpu
i said in my previous rant about asus that im sure someone in their software department is trying to bring down the company, or otherwise doing their own stuff. who the hell is in their hiring department!!

reply

We need a MB manufacturer that focuses on a lot fewer boards. Then they can support them properly and for longer. I think this is one of the causes of MB problems. Most of them have so many versions that I feel they cannot support them properly and they tend to bury their unsuccessful ones. I would pay for a MB focusing on reliability and support for a long time.
reply