ASUS' ROUTER APP has been fingered by vpnMentor's security researchers for leaking customer data and exposing users of Amazon's Alexa.

The web-based AsusWRT allows users to create a private WiFi network within their home network, offering a graphical user interface to make doing so a doddle. It also connects to Amazon Alexa-enabled devices.

This all sounds fine and dandy, but vpnMentor reported that a vulnerability had been discovered by some anonymous security boffins, which prompted it to do some digging as Asus had not been informed about the vulnerability.

The vulnerability itself is a classic unsecured and unencrypted database, which according to vpnMentor, meant if some nefarious cybercrim types came across the data it contained - IP addresses, user names, device names, and location, among other titbits - they could cross-reference that information with publicly available data and figure out a user's location. Then, by hacking the AsusWRT interface, they could gain access to a user's network and the devices connected to it.

The data leak also exposed Amazon Alexa voice logs, which would give hackers an idea of how people are using the virtual assistant and allow them to tailor attacks based on those behaviours; tailor phishing attacks based on a person's habits and preferences, for example.

Furthermore, the researchers noted that the exposed data could help criminals carry out a bit of targeted burglary.

"Hackers can use hijacked devices to track user behaviour while at home, work out when a residence is unoccupied, and plan robberies with minimal risk to the thieves," they said. "If the targeted AsusWRT user has smart lock devices, hackers can access these to open doors via the compromised AsusWRT and Alexa devices."

This is worrying stuff, but it would rely on malicious types coming across the unsecured database and putting in a good bit of legwork to exploit the data they could have swiped.

It's a bit moot now as Asus has closed the leak. But it does once again highlight how even tech-savvy companies seem to have rather dumb security holes, with a lack of server security and data protection implementation leaving unassuming customers vulnerable to the opportunistic cybercriminals that lurk on the internet. µ