Chinese smart home device maker Orvibo leaked 2 billion data records
2 July 2019
Orvibo, a Chinese smart home solutions provider, recently left a huge database unprotected that contained over 2 billion user logs that recorded vast amounts of personal data such as usernames, email addresses, passwords, and precise locations of users.
Orvibo Smart Home sells its smart home devices and solutions to customer all over the world and over a million of its smart home or smart automation products have already been sold in overseas markets. Vast amounts of data collected by these devices are stored in a huge online database that was recently discovered by security researchers at vpnMentor.
Researchers Noam Rotem and Ran Locar, who discovered an unsecured and unencrypted MongoDB database in June that contained personally identifiable information (PII) of more than 78,000 patients in the United States who used a prescription drug named Vascepa, discovered Orvibo’s ElasticSearch database that was not secured by a password despite containing vast amounts of personal data.
Orvibo database contained unsalted passwords & precise user locations
After analysing the unprotected database, the researchers found that it contained data such as usernames, email addresses, passwords, account reset codes, precise geolocation, type of device, family names, family IDs, IP addresses, devices that accessed accounts, and scheduling information.
They noted that information available in the unprotected database was sufficient to allow hackers to carry out account takeovers and lock genuine users out of their accounts. Using account reset codes, a hacker can takeover an account without having to access a user’s email address to reset the password.
The exposed data logs also contained “precise longitude and latitude coordinates” of a user’s location which indicated that Orvibo’s smart home products tracked users’ locations on their own rather than determining location based on an IP address.
Smart Mirror, a product offered by Orvibo, shows the weather and displays schedules to customers. Data logs generated by smart mirror allowed researchers at vpnMentor to view precise information about a user’s calendar.
“A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks,” the researchers noted.
They added that even though Orvibo hashed users’ passwords using the MD5 algorithm, it was remarkably easy to discover real passwords and to crack open the hashed ones. The fact that Orvibo chose not to salt user passwords made the idea of hashing them meaningless. “This especially highlights why it’s so important to choose strong passwords, especially when they’re connected to devices with uncertain levels of security,” they said.
“A number of the devices offered by Orvibo fall under the umbrella of “home security.” They include smart locks, home security cameras, and full smart home kits. With the information that has leaked, it’s clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security,” vpnMentor added.
Overt negligence a sad reality of today’s competitive business environment
Commenting on the exposure of over two billion data logs by Orvibo, Ilia Kolochenko, founder and CEO of ImmuniWeb, said that such overt negligence is not that uncommon amid IoT and smart homes vendors as most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs.
“Consequentially, their business may be ruined by private and class lawsuits, let alone penalties and fines imposed by regulatory authorities. The victims don’t really have a recourse but to file a legal complaint and deactivate any remote management of their homes if it is doable. Those who use the same or similar passwords shall change them immediately.
“Worse, many similar incidents never go to the media, ending up in hands of cybercriminals. The more we will entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies,” he added.