Chinese smart-home vendor Orvibo has leaked more than two billion records containing customers’ sensitive data through an exposed database.
Researchers Noam Rotem and Ran Locar of vpnMentor discovered the database in mid-June and found that it contained “over 2 billion logs that record everything”.
Orvibo makes and manages smart-home devices, including security cameras, smart light bulbs, smart door locks, smart power plugs and more.
The unprotected Elasticsearch database had been left connected to the Internet without a password. The vpnMentor research team reached out to Orvibo, but the company has yet to respond and the exposed database remains online. The researchers stressed that “as long as the database remains open, the amount of data available continues to increase each day”.
Among the customer data were email addresses, passwords, usernames and IDs, IP addresses, user geolocation, conversations recorded with smart cameras, device names, account reset codes, identities of devices accessing accounts and more.
The database also exposed account reset codes, which an attacker could use to lock Orvibo customers out of their accounts and thereby take full control of their devices. By then changing the password and email address, the attacker can make the Orvibo account unrecoverable for its owner.
The vpnMentor research team wrote that “the video feed from the smart cameras is easily accessible by entering the owner’s account with credentials found in the database”.
Orvibo does hash its users’ passwords, but with unsalted MD5. MD5 is fast to compute and, without a salt, the same password always produces the same hash, so leaked hashes can be matched against precomputed tables or cracked in bulk with a wordlist, after which an attacker can gain full control of the accounts.
“If Orvibo had added salt to their hashed passwords, it would have created a more complex string that is far more difficult to crack.”
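To make the difference concrete, the following Python is an added example for this article, not code from Orvibo or vpnMentor. It builds a constructed dump of four invented users (no real leaked data), cracks the unsalted-MD5 version with a lookup table that was precomputed once from a small wordlist, and then stores the same users with a random per-user salt and PBKDF2-HMAC-SHA256, showing that the table is useless against that form and that every guess must be recomputed per user. The usernames, passwords and wordlist are all assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed sample data for this example: six candidate passwords an attacker
# might try, and four invented user records. No real Orvibo data is used.
WORDLIST = ["123456", "password", "orvibo", "letmein", "qwerty", "sunshine"]
USERS = {"alice": "123456", "bob": "sunshine", "carol": "123456", "dave": "Tr0ub4dor&3"}


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the researchers found in the exposed database."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Hash the wordlist once. Because there is no salt, this table can be
    precomputed before any breach and reused against every unsalted MD5 dump."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(dump, table):
    """Recover passwords by dictionary lookup: zero hashing at attack time,
    and users who share a password are exposed together (identical hashes)."""
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password: str, salt=None, iterations: int = 200_000) -> str:
    """Hardened form: a random 16-byte per-user salt and a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). The salt is stored next to the hash; it is not secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_salted(dump, wordlist):
    """The best an attacker can do against salted, iterated hashes: run the KDF for
    each (user, candidate) pair. Returns the cracked passwords and the number of KDF
    invocations needed; nothing can be precomputed or shared between users."""
    cracked, kdf_calls = {}, 0
    for user, stored in dump.items():
        for candidate in wordlist:
            kdf_calls += 1
            if verify_password(candidate, stored):
                cracked[user] = candidate
                break
    return cracked, kdf_calls


# The leaked-style dump: one bare MD5 per user, no salt.
UNSALTED_DUMP = {user: md5_hex(pw) for user, pw in USERS.items()}

# The same users stored the hardened way. The iteration count is lowered so the
# demo runs quickly; keep the 200_000 default or higher in production.
SALTED_DUMP = {user: hash_password(pw, iterations=20_000) for user, pw in USERS.items()}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted MD5, cracked via precomputed table:", crack_unsalted(UNSALTED_DUMP, table))
    print("alice and carol share an MD5 hash:", UNSALTED_DUMP["alice"] == UNSALTED_DUMP["carol"])
    print("alice and carol share a salted hash:", SALTED_DUMP["alice"] == SALTED_DUMP["carol"])
    found, calls = crack_salted(SALTED_DUMP, WORDLIST)
    print(f"salted KDF, cracked {found} after {calls} KDF calls of 20,000 iterations each")
```

Three things stand out when it runs. With unsalted MD5, the six-entry table cracks three of the four accounts without computing a single hash at attack time, and alice and carol are revealed to share a password because their hashes are identical. With a per-user salt the two records differ, the table cannot be reused, and the attacker pays the full KDF cost for every guess against every user. Dave’s password survives both attacks only because it is not in the wordlist; the salt and the iteration count, not password strength alone, are what make bulk cracking of a leaked dump expensive.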
Ilia Kolochenko, founder and CEO of ImmuniWeb commented:
“Unfortunately, such overt negligence is not that uncommon amid IoT and smart homes vendors.
“Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs.”
He added that “the more we will entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies.”