Alexa users around the world have had their data compromised after an Asus wi-fi controller app has leaked information in an unprotected Elasticsearch database, a report from the cybersecurity experts from vpnMentor. The leak focuses on the users of the AsusWRT, a web-page app that is connected to an Asus router to serve as a centralized controller for a home’s wi-fi network.
The vpnMentor’s research team led by cybersecurity experts Noam Rotem and Ran Locar discovered an unprotected database using an Elasticsearch server that contains the data of the AsusWRT app users. Because of the data leak, devices connected to the Asus router and are controlled by the app have been compromised and was left vulnerable to different attacks, the researchers said in a blog disclosure.
AsusWRT is a graphical interface app that connects to an Asus router in order to create a private wi-fi network in a user’s home, giving the app user complete control over the wi-fi network and the devices that are connected to it, the researchers explained. Since the AsusWRT becomes a centralized controller that works on different kinds of devices, including smart home appliances and Amazon’s Alexa, the leak that the researchers were able to discover has put the users in “incredible risks.”
“This means that if their device’s security was compromised, AsusWRT users would be incredibly vulnerable to attack. The leak our team discovered did exactly that. It gave hackers unprecedented access to a user’s home network and the ability to hijack devices therein, including Amazon Alexa,” the researchers noted.
While the researchers confirmed that the unprotected database did not contain personally identifiable information (PII), it still contains enough information for malicious actors to initiate dangerous attacks against the users of the AsusWRT app. The data contained in the database includes:
- IP Address
- User’s name
- Device Name (John Doe’s iPhone)
- Usage information, IFTTT commands
- Longitude & Latitude coordinates
- Location: Country & City
vpnMentor researchers noted that by using a combination of the data that can be found in the database, a malicious actor could track the identity of a user and initiate a far worse attack against them.
“By cross-referencing the leaked data with publicly available information, hackers can easily identify a user’s identity and address. For example, using someone’s longitude & latitude coordinates and IP address, a hacker could pinpoint users’ physical street address,” they said.
The leak also contained logs of user actions via Amazon Alexa devices connected to a router using AsusWRT, the cybersecurity experts added. This means that whoever gains access to the database will also be able to get insights into user behavior on the affected Alexa devices, and any smart device connected to them. The researchers said that the information contained therein is enough for a hacker to target affected users both online and offline.
The researchers from vpnMentor confirmed that the leak has already been contained, and the unprotected database has already been taken offline. They added that when they contacted Asus, the company was very “swift” in taking the appropriate actions to mitigate the leak.