The feature in question, called AiDisk, is designed to give users access to a hard drive plugged directly into a router's USB port. The feature is supported on a number of Asus router models, some of which have been on the market for over a year. All router manufacturers offer similar functionality on certain models.
Users who choose to plug a hard drive into their router might not be aware that Asus uses standard FTP (File Transfer Protocol) to make the drive function as a server, using your router's uniquely identifiable IP address. Such servers can be detected and accessed by anyone with an Internet connection, with very little effort. The routers also broadcast their model numbers by default, further inviting anyone who is familiar with the flaw. Visitors might have a casual interest in your server's contents, or they might have malicious intent-it's only a strong password that can keep them out. Unfortunately, in an effort to make FTP sharing completely transparent to users, Asus selected a default configuration option that does not require a password at all.
News site Thehackernews.com reports that Asus has acknowledged the problem and has committed to releasing a firmware patch for the affected models that will prompt users to configure a suitable password upon activating the feature. However it's impossible to estimate what percentage of affected users will install the patch or even be aware that it exists.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.