AsusWRT Exposes Sensitive User Information via an Unprotected Database

• A database containing information about AsusWRT users and settings was exposed. 
• No one knows how long it has been leaking data, but the researchers claim that others already knew about it.
• An attacker could use the data to extort, track, steal payment info, steal credentials, or phish the victim.

The Asus router app named "AsusWRT", which people use to configure and manage their WiFi network comfortably, has exposed an undisclosed number of user PII (personally identifiable information). According to researchers Noam Rotem and Ran Locar of the vpnMentor team, the data breach was discovered on September 15, and it was acknowledged by Asus immediately. However, the two claim that other researchers already knew about the accessible database, so it is very likely that the data will soon find its way to darknet marketplaces.

The security of AsusWRT is a crucial matter since it serves as a central point for all internet-enabled devices, including Amazon Alexa and other IoTs. The PII that was exposed in this incident include the following:

• IP Address
• User’s name
• Device Name (John Doe’s iPhone)
• Usage information, IFTTT commands
• Longitude & Latitude coordinates
• Location: Country & City
• Commands

The real names of the people are missing from the database entries, but a capable hacker could very easily figure them out from the rest of the exposed information. Moreover, the fact that the leak contained Amazon Alexa's "user actions" exposes the people to several online and offline attack scenarios, including phishing, extortion, impersonation, and many more. By using all of the above, an attacker could very easily compromise any device that is connected to the router.

This has significant complications in the case of Alexa again. An attacker could potentially send fake email messages through Alexa devices, edit financial app files, steal payment information that is used for Amazon online purchases, grab login credentials, and generally wreak havoc in the online life of the victim. Even if nothing is stolen, a hacker could track the victim, figure out when they’re not at home, and then plan and execute robberies.

If you have been using AsusWRT thus far, you should uninstall it immediately and disconnect all devices from your home network. Asus will soon release a patch that fixes the leak, but until then, you shouldn’t take the risk. This is another reminder that using "centralizing" applications and systems may be comfortable, but they come with a risk of broad and multi-level exposure.

Are you currently using AsusWRT? Will you be trusting the software from now on? Share your thoughts with us in the comments section down below, or on our socials, on Facebook and Twitter.