User details and unprotected passwords among data left publicly exposed for over two weeks
Orvibo, the makers of comprehensive smart home systems, has failed to secure a database which is now leaking billions of user records online to anyone who visits it. The company claims to have around one million users worldwide.
The database sits on a server without a password, which has been freely leaking the personal details of Orvibo customers online for the past two weeks, according to a vpnMentor report.
UPDATE: The vulnerability was made secure by Orvibo on July 2. Orvibo thanked vpnMentor for drawing attention to the insecure server, adding: "We officially apologize for the issue and announce that Orvibo has resolved the security vulnerability on July 2nd".
Original story continued:
Despite being warned about the open server two weeks ago, Orvibo has not secured it and fresh data has been seen on the server as recently as today, July 1. Orvibo sells smart locks, switches, sockets, curtains motors, security cameras, sensors and other connected devices.
The vpnMentor report states: "The database includes over two billion logs that record everything from usernames, email addresses, and passwords, to precise locations. As long as the database remains open, the amount of data available continues to increase each day."
The company sells a wide range of smart home devices, including security cameras and door locksOrvibo
Data logs for users have been found by vpnMentor in Orvibo's native China but also Japan, Thailand, the U.S., UK, Mexico, France, Australia and Brazil, said the report. "We expect that there are more users represented in the two billion-plus logs...The amount of data available is enormous," vpnMentor added.
Orvibo's website states a feature of its system is "Secure cloud. Reliable smart home cloud platform."
The incident highlights just how much data consumers willingly give to smart home devices. Unlike an email account, or even an online shopping profile, smart home devices — and especially platforms and management tools like Orvibo — gather up a deeply personal and detailed picture of each user.
Data discovered in the server, which was still available for anyone to see on July 1, included:
Account reset codes could be used by a malicious actor to reset the account of an Orvibo user, locking them out and taking control, all without knowing the actual password.
Orvibo's system also includes door locks and security cameras and, as the report points out, now that the server has publicly leaked billions of data logs, there is nothing secure about any of these devices. Having one installed in a smart home may well lesson its overall security. The report explains how it would be easy to log into a user's account to view a live feed from their security cameras, and unlock their door. Given the data also includes the precise geolocation of a user, breaking into their home would be simple.
Also troublesome is how the server included passwords which were hashed but not salted. In layman's terms, this means the passwords stored by Orvibo could, in some cases, be discovered and unencrypted, then used to log into a user's account without them knowing.
Researchers from vpnMentor were able to find their own password for an account they created on the server. Additionally, because some consumers will have undoubtedly used the same password in multiple places across the web, it wouldn't be too difficult for a malicious actor to find their email address and Orvibo password, then try those credentials elsewhere online, such as on Gmail in an attempt to log into an email account.
The report states: "Though Orvibo does hash its passwords, we tested the security ourselves to see how easy it was to discover the real password. In some cases, we uncovered our own password, but in others, we couldn't break the hash [encryption]...Though our chosen password was hashed, it was easy to crack."
The company claims its connected all-in-one system is better than traditional switches and socketsOrvibo
'Adding salt' to a hashed password strengths the encryption and makes it far more difficult to crack by adding random strings to the original data. Orvibo has not done this with the user passwords stored on its server — which also does not have a password.
This yet again highlights the need for consumers to use a strong and unique password every single time they are asked to create one — even if it is for a seemingly innocent smart home device.
As for how else a hacker could do with access to the database, vpnMentor explained: "Even a smart socket can be hacked to change the level of a user's energy consumption without their knowledge. Another scenario involves cutting power via smart plugs, which could potentially plunge a user into darkness at a time when they need good lighting. For plenty of people, this could be a dangerous situation."
Orvibo was first emailed by the security researchers about the exposed server on June 16, but is yet to reply to vpnMentor, and the server has still not been secured, as of July 1.