VpnMentor experts discovered a vulnerability in AsusWRT software that could allow attackers to gain access to the victim’s Wi-Fi network and connected to them smart devices, Amazon Alexa. Scammers could use this vulnerability to rob smart homes.
AsusWRT is a graphical web-based interface that allows configuring private Wi-Fi networks.The application acts as a centralized access point for devices connected to the Internet, including phones, tablets, laptops and other “smart” gadgets. This means that if their device’s security is compromised, AsusWRT users will be incredibly vulnerable to attack”, – reports vpnMentor’s research team, led by Noam Rotem and Ran Locar.
By exploiting the vulnerability, researchers were able to intercept IP addresses, usernames, device names, usage information, IFTTT commands, geographical coordinates (latitude and longitude), as well as data about the country and city. As the researchers noted, personally identifiable information was not visible. Nevertheless, by comparing all the data, the attacker can find out the physical address of the victim, and ultimately establish her identity.
Since the vulnerability allows gaining control over insecure devices on the AsusWRT network, there is a risk of robbery and fraud. Attackers can track users’ movements and find out when they are away from home. If the victim uses smart locks, robbers can open them using Amazon Alexa, connected to the AsusWRT network.
Read also: Phantom TVs steal money from Amazon users
According to vpnMentor, the vulnerability was discovered earlier by other researchers, but they did not notify Asus about it. Whether the vulnerability was exploited in real attacks is unknown.
It seems this data breach was also discovered by other researchers, but we have no information about their identity and when they found it. However, as they didn’t notify Asus of their discovery, the vulnerability remained in place”, — report vpnMentor specialists.
Although the vulnerability is currently closed, the consequences of falling into the hands of criminal hackers could be disastrous for users.
Advice from the Experts
Asus could have easily avoided this leak if they had taken some basic security measures to protect the AsusWRT database. Any company can replicate the following steps, no matter its size:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
