Software for ASUS routers caused a data leak across potentially dozens of the devices, according to researchers at vpnMentor. More succinctly, the breach centered around the AsusWRT web app. ASUS fixed the problem quickly on its end. But, making matters worse, the leak has been around for some time. According to vpnMentor, other researchers had previously found the leak but did not report it to ASUS.
In effect, the team found that ASUS had incidentally left the database behind the web app unguarded by encryption or other protective measures. A relatively straightforward port scanning method revealed the existence of the leak. From there, researches accessed the database using a browser and URL search criteria manipulation.
The researchers, led by vpnMentor’s Noam Rotem and Ran Locar, haven’t provided exact details regarding the number of affected users. But the problem appears to be global and every user of the management software is at risk. The full impact of leaks isn’t always completely realized immediately either.
The data that the leak centers on isn’t necessarily going to be personally identifiable. Researchers say they were able to take advantage of the breach to find users’ IP Address, name, device name, use information, longitude, latitude, country, and city. That data can be used and linked to other easily discoverable information, however.
Perhaps more worrisome, when routers utilize AsusWRT, the web app effectively becomes a central node to not just access network devices. It stores and manages, and controls those too. The leak also potentially handed out IFTT commands and other smart home device commands.
In effect, that prepares a number of potential attack vectors for malicious entities. For example, a malicious entity might use location-based data alongside Alexa or other smart home commands. In particular, that information could be used to plan and execute physical attacks against a residence or business. The researchers point to theft and robbery as a high-level risk from the leak.
The smart home command data could potentially pave the way for cyberthreats all on its own. Specifically, the researchers point to email, financial apps, and direct control over smart devices as a serious risk. That’s especially pertinent with consideration for just how much data those devices can hold and the aspects of a home they can control.
All of that is in addition to the traditional attacks enabled by a breach. Bad actors could potentially use the data to launch further cyberattacks, commit identity fraud, or compromise personal accounts.
ASUS’s response to reports about the issue was swift but that doesn’t mean the problem is necessarily solved. VpnMentor told ASUS about the leak in its routers on September 15, the same day it discovered. The company responded to that and reportedly fixed it on the same day as well.
Regardless of that swift response, vpnMentor goes on to say this was easily preventable and that a patch won’t necessarily protect everybody. In fact, the researchers claim that AsusWRT still isn’t safe to use. Because of that, the team is cautioning users to disconnect everything from their networks. Then, they’ll need to uninstall the web app and user an alternative — only reconnecting devices after AsusWRT is gone.
The software will be safe to use again once a full patch has been released, changing the exposed database and bolstering security.
Users should also contact ASUS directly with concerns about the breach.