Report: Asus Router App Leaks Customer Data and Exposes Alexa Users

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data leak in the AsusWRT, a web-based app from Asus that allows users to manage their wifi network.

AsusWRT is a graphical interface app that combines with an Asus router to create a private wifi network in a user’s home. This grants an AsusWRT user complete control over their network and any devices connected to it.

AsusWRT becomes a centralized access point for all internet devices in your home, including any phones, tablets, or laptops connected to the network. The app also works with smart devices and Amazon Alexa products. 

This means that if their device’s security was compromised, AsusWRT users would be incredibly vulnerable to attack. The leak our team discovered did exactly that. It gave hackers unprecedented access to a user’s home network and the ability to hijack devices therein, including Amazon Alexa.

While the leak is now closed, the consequences of this information getting into the hands of criminal hackers could be disastrous for users.

Timeline of Discovery and Owner Reaction

It seems this data breach was also discovered by other researchers, but we have no information about their identity and when they found it. However, as they didn’t notify Asus of their discovery, the vulnerability remained in place.

As ethical hackers, our team takes careful attention and time to understand a breach and what’s at stake. Once we established the facts and potential dangers of this leak, we notified Asus and offered our help. 

We work hard on publishing accurate and trustworthy reports, to ensure everybody who reads them understands their seriousness. Some affected companies deny our findings and disregard our research. So we need to be thorough and make sure everything we find is correct and true.

In this case, Asus took swift action to close the leak.

• Date discovered: 15/09
• Date vendors contacted: 15/09
• Date of Response: 15/09
• Date of Action: 15/09

Examples of Entries in the Database

While no personally identifiable information (PII) data was viewable in the AsusWRT database, the leak still allowed access to highly sensitive user information and was a goldmine for hackers. 

The user data we viewed included:

• IP Address
• User’s name
• Device Name (John Doe’s iPhone)
• Usage information, IFTTT commands
• Longitude & Latitude coordinates
• Location: Country & City
• Commands

The leak affected AsusWRT users across the globe, with user data available from every continent.

By cross-referencing the leaked data with publicly available information, hackers can easily identify a user’s identity and address. For example, using someone’s longitude & latitude coordinates and IP address, a hacker could pinpoint users’ physical street address.

The other data available, such as the device name, eg. “John Doe’s iPhone”, and wifi name, would confirm the address.

Hackers from various regions could target AsusWRT users in their local area, or sell the information across the globe. 

Hacking Amazon Alexa

The leak also contained logs of user actions via Amazon Alexa devices connected to a router using AsusWRT.

These logs gave insight into user behavior on the affected Alexa devices and any smart device connected to them. With this information, hackers can target users in several ways, online and offline.

Data Breach Impact

By hacking the AsusWRT interface, attackers and criminals could hijack any linked Alexa and smart device connected to the router. They could also access any unprotected device within the router’s network.

Device Takeover

By hacking any linked Alexa device, hackers could command certain actions via the database. Any apps that use Alexa commands - email, financial apps, smart devices, etc. - become vulnerable. 

Any action or access these apps give users can be hijacked by attackers for their gain.

For example, if an AsusWRT user accesses a bank account app using Alexa voice commands, this leak exposes the login credentials for their financial accounts.

Robbery

Hackers can use hijacked devices to track user behavior while at home, work out when a residence is unoccupied, and plan robberies with minimal risk to the thieves.

If the targeted AsusWRT user has smart lock devices, hackers can access these to open doors via the compromised AsusWRT and Alexa devices.

Various Forms of Fraud

This leak gives hackers access to an entire network of devices connected to a router using AsusWRT.

With this access, hackers and criminals can embed many attacks on these devices: malware, ransomware, spyware, viruses, etc. They can compromise users’ email addresses and personal accounts, extracting additional sensitive PII data.

Hackers can use all this information and illicit access to further target users for exploitation, financial fraud, and extortion.

Advice from the Experts

Asus could have easily avoided this leak if they had taken some basic security measures to protect the AsusWRT database. Any company can replicate the following steps, no matter its size:

1. Secure your servers.
2. Implement proper access rules.
3. Never leave a system that doesn’t require authentication open to the internet.

For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.

For AsusWRT Users

If you’re concerned you’ve been compromised in this leak, contact Asus directly to find out what steps they’re taking to minimize potential dangers. 

In the meantime, uninstall AsusWRT and disconnect any device from your home network. You can reconnect them once AsusWRT has been removed. When Asus releases a patch that changes much of the exposed information and boosts the app’s security, you can re-install AsusWRT safely.

If you’re concerned about data vulnerabilities in general, read our complete guide to online privacy. It shows you the many ways you can be targeted by cybercriminals, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team unveiled the breach in Asus's database during an extensive web mapping endeavor. Our cybersecurity professionals employ port scanning methods to scrutinize distinct IP blocks and assess system vulnerabilities by probing open spots. They meticulously inspect each identified weak point for any signs of data leakage.

When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach.

Our team was able to access this database because it was completely unsecured and unencrypted.

The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via a browser and manipulate the URL search criteria into exposing schemata from a single index at any time.

The purpose of this web mapping project is to help make the internet safer for all users.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the data breach contains sensitive information or allows hackers high-level access to a network user’s home devices.

However, these ethics also mean we carry a responsibility to the public. AsusWRT users must be aware of a data breach that impacts them also.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently discovered a huge data breach impacting 80 million US households. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

[Publication date: 19.09.2019]