Recently, researchers discovered that a Chinese smart home vendor leaked more than two billion records. Read on to know more about it…
Recently, researchers discovered that Chinese smart home vendor Orvibo leaked more than two billion records containing customers’ sensitive data through an exposed database. Orvibo’s platform manages the appliances in a smart home, including security cameras, smart light bulbs, smart door locks, smart power plugs and other connected devices.
Orvibo is a high-end provider of smart solutions designed for managing houses, offices, and hotel rooms via smart systems, offering security and energy management, as well as remote control and data recording/analysis using a cloud platform.
Security researchers found an unprotected Elasticsearch database leaking billions of user records. The database had been left connected to the Internet without a password. It belonged to Orvibo, a China-based smart home solutions provider, and exposed records containing sensitive data of its customers across the world. From the user logs, vpnMentor’s researchers identified that the customers were from China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.
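The condition described above, a node that listens on the network with authentication switched off, can be caught in configuration review before the data is ever exposed. The following is an added example, not Orvibo’s or vpnMentor’s code. It reads only flat `key: value` lines of an `elasticsearch.yml` (enough for the two real settings it checks, `network.host` and `xpack.security.enabled`), assumes the pre-8.0 behaviour that security is disabled when `xpack.security.enabled` is unset, and the three sample configs are constructed for illustration.

```python
"""Audit an elasticsearch.yml for the "reachable from the network without a
password" condition described in the article.

Added example, not Orvibo's or vpnMentor's code. It reads only flat
'key: value' lines (enough for the two real Elasticsearch settings it
checks, network.host and xpack.security.enabled) and assumes the pre-8.0
behaviour that security is disabled when xpack.security.enabled is unset.
"""
from typing import Dict, List

# Values of network.host that keep the node reachable from the local machine only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample configs (not from the article).
WEAK_CONFIG = """
cluster.name: smart-home-logs
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
# xpack.security.enabled not set: treated as disabled (pre-8.0 default)
"""

HARDENED_CONFIG = """
cluster.name: smart-home-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOCAL_ONLY_CONFIG = """
cluster.name: dev-box
network.host: [_local_, 127.0.0.1]
xpack.security.enabled: false
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Return top-level 'key: value' pairs; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split at the first colon only
        value = value.strip().strip("\"'")
        if value:
            settings[key.strip()] = value
    return settings


def bound_hosts(value: str) -> List[str]:
    """Split 'a' or '[a, b]' into a list of host specifiers."""
    return [h.strip() for h in value.strip("[]").split(",") if h.strip()]


def audit_elasticsearch(config_text: str) -> List[str]:
    """Return findings, most severe first; an empty list means nothing was flagged."""
    s = parse_flat_yaml(config_text)
    hosts = bound_hosts(s.get("network.host", "_local_"))  # unset: loopback only
    exposed = any(h not in LOOPBACK for h in hosts)
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"

    findings: List[str] = []
    if exposed and not security_on:
        findings.append(
            f"CRITICAL: network.host={','.join(hosts)} and xpack.security.enabled is not true; "
            "the REST API accepts unauthenticated requests from the network"
        )
    elif not security_on:
        findings.append(
            "WARNING: authentication is disabled; the node is only safe while it stays bound to loopback"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("local-only", LOCAL_ONLY_CONFIG)]:
        print(name, audit_elasticsearch(cfg) or ["OK"])
```

The check deliberately treats a missing `xpack.security.enabled` as disabled rather than unknown: on the releases this incident concerns, silence in the config meant no authentication, and a reviewer who wants the audit to stay quiet has to write the setting down explicitly.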
According to the vpnMentor researchers who discovered the database, it contained over two billion records. The exposed customer data included email addresses, passwords, account reset codes, precise user geolocations, IP addresses, usernames, user IDs, device names, identities of devices accessing accounts and conversations recorded with smart cameras.
The vpnMentor research team also found that “the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database”.
On top of this, the database held family names, family IDs, information on smart devices, the devices that had accessed each account and scheduling information. The researchers cautioned that this information could have been used to permanently lock users out of their accounts. The records were stored in both Chinese and English. The passwords were hashed, but with MD5 and no salt.
With all this information available from the exposed database, vpnMentor’s researchers warn that attackers could easily target homes that have Orvibo devices.
“A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks,” the researchers wrote in a blog.
As of now, Orvibo has not responded to emails from vpnMentor regarding this breach. The database is yet to be secured.
Orvibo does hash its users’ passwords, but with MD5 and no salt, which means an attacker could crack the hashes and then gain full control of the accounts.
“If Orvibo had added salt to their hashed passwords, it would have created a more complex string that is far more difficult to crack,” commented Ilia Kolochenko, founder and CEO of ImmuniWeb.
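The two points above, that unsalted MD5 is cheap to crack and that a salt would have made each stored value harder to attack, are easiest to see side by side. The following is an added example, not Orvibo’s code. The usernames, passwords and the “leaked” table are constructed to mirror the shape the article describes (a username next to an unsalted MD5 digest), and PBKDF2-HMAC-SHA256 stands in for the hardened scheme because it ships in Python’s standard library.

```python
"""Unsalted MD5 versus salted, slow password hashing.

Added example, not Orvibo's code. The usernames, passwords and the
'leaked' table below are constructed to mirror what the article describes
(MD5 digests stored without a salt). PBKDF2-HMAC-SHA256 is used for the
hardened form because it ships in the standard library.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# A small wordlist a defender would run in a password audit (constructed).
AUDIT_WORDLIST = ["123456", "password", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: the same password gives the same digest for every user."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed rows in the shape of the leaked records: username -> MD5 hex.
LEAKED_ROWS: Dict[str, str] = {
    "alice": md5_unsalted("123456"),
    "bob": md5_unsalted("letmein"),
    "carol": md5_unsalted("123456"),  # reuses alice's password
    "dave": md5_unsalted("correct horse battery staple"),
}


def shared_hashes(rows: Dict[str, str]) -> Dict[str, List[str]]:
    """Without a salt, identical digests reveal password reuse across accounts
    before anything is cracked at all."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for user, digest in rows.items():
        by_hash[digest].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def audit_unsalted(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Password audit for unsalted storage: one precomputed table serves every
    account, which is exactly why a per-user salt matters."""
    table = {md5_unsalted(p): p for p in wordlist}  # computed once, reused for all rows
    return {user: table[d] for user, d in rows.items() if d in table}


# Hardened storage: per-user random salt plus a deliberately slow KDF.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("reused passwords:", shared_hashes(LEAKED_ROWS))
    print("audit hits:", audit_unsalted(LEAKED_ROWS, AUDIT_WORDLIST))
    a, b = hash_password("123456"), hash_password("123456")
    print("same password, different records:", a != b, verify_password("123456", a))
```

With the unsalted rows, one four-entry table recovers three of the four accounts in a single pass and the duplicate digest flags password reuse for free; with the salted form the same password produces a different record each time, so a table built for one user says nothing about the next, and each guess costs a full KDF run. For production use, a memory-hard function such as Argon2id or bcrypt is the usual recommendation over PBKDF2.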