Smart home management platform Orvibo is leaking billions of its user logs on an exposed server, putting its customers at risk of having their smart home devices taken over by intruders.
The Chinese firm runs SmartMate, a platform for managing smart appliances such as security cameras, thermostats and smart lightbulbs.
A database containing over two billion user logs, including usernames, email addresses, hashed passwords and precise location data, was left exposed on an Orvibo-owned server without password protection.
Other exposed data includes IP addresses, user IDs, family names and IDs, smart device details, scheduling information and account reset codes.
The Orvibo data leak was discovered in mid-June by researchers at vpnMentor, a privacy review website.
“The data breach affects users from around the world. We found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil,” the vpnMentor research team wrote in its report. “We expect that there are more users represented in the 2 billion plus logs.”
It is unknown whether a malicious actor accessed the server, an Elasticsearch database that aggregated Orvibo user data. But with such a wealth of data, a threat actor with access to it could carry out a variety of real-world attacks via compromised smart home technology.
“For example, by using the leaked information to gain unauthorised access to a user’s account, a hacker could orchestrate a robbery, turn off the power, or even spy on users through SmartMate-connected cameras,” said Chris DeRamus, co-founder and CTO at DivvyCloud, a US cybersecurity firm.
In one redacted example, the vpnMentor researchers showed the contents of a user’s leaked calendar that was linked to a smart mirror.
The leaked reset codes also mean that an intruder could lock Orvibo users out of their accounts.
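The article does not say how Orvibo generated or stored the reset codes found in the logs. The following is an added example, not Orvibo's code, of a reset-code store in which the database only ever holds a salted, peppered hash of each code together with an expiry and a single-use flag, so that a dumped table or log record cannot be redeemed. The six-digit format, fifteen-minute lifetime and `RESET_PEPPER` variable are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example (not from Orvibo): 6-digit codes, 15-minute lifetime.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 15 * 60
# Server-side secret kept outside the database; a leaked table alone cannot verify or forge codes.
PEPPER = os.environ.get("RESET_PEPPER", "example-pepper-do-not-use").encode()


def _hash_code(user_id: str, code: str, salt: bytes) -> str:
    """HMAC the code with a per-record salt and the server pepper; the plaintext is never stored."""
    mac = hmac.new(PEPPER, salt + user_id.encode() + code.encode(), hashlib.sha256)
    return mac.hexdigest()


class ResetCodeStore:
    """In-memory stand-in for a reset-code table; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._records = {}  # user_id -> (salt, code_hash, expires_at, used)
        self._now = now

    def issue(self, user_id: str) -> str:
        """Create a one-time code; only its hash is stored, the plaintext goes to the user out of band."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._records[user_id] = (salt, _hash_code(user_id, code, salt), self._now() + CODE_TTL_SECONDS, False)
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        """Accept a code only once and only before expiry, using a constant-time comparison."""
        rec = self._records.get(user_id)
        if rec is None:
            return False
        salt, code_hash, expires_at, used = rec
        if used or self._now() > expires_at:
            return False
        if not hmac.compare_digest(code_hash, _hash_code(user_id, code, salt)):
            return False
        self._records[user_id] = (salt, code_hash, expires_at, True)  # mark as consumed
        return True

    def stored_record(self, user_id: str):
        """What a dump of the store reveals: salt, hash, expiry and used flag, but no plaintext code."""
        return self._records.get(user_id)
```

Rate limiting of `redeem` attempts is still needed against guessing of short codes; that is outside what this block shows.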
Poor standards in the IoT industry
The misconfiguration is yet another example of lax security within the internet of things (IoT) industry that occurs when manufacturers prioritise getting a product to market without proper security considerations.
“This just highlights the sheer magnitude of endless possibilities open to poor security on IoT devices,” said Jake Moore, cybersecurity specialist at ESET. “Not looking after personally identifiable and confidential data at the back end of a website has just as much risk attached as not using a password at all.
“Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet and I’d hope it would be patched quite quickly now it is out. What a criminal hacker could do with this goes as far as their imagination will take them.”
The Orvibo website states on its ‘about us’ page that:
“With strength on IoT, AI and cloud computing technologies, ORVIBO provides more secure, energy-saving & comfortable smart home solutions for customers worldwide.”
Last year the British government launched an IoT Code of Practice to address poor security practices in the sector. However, experts pointed out that, because it was voluntary, it did not go far enough.
Orvibo data leak: Are penalties coming?
Perhaps most worryingly, the Orvibo data leak is yet to be patched. That’s despite repeated attempts by ZDNet and vpnMentor to notify Orvibo of the data leak, without any response from the Shenzhen-based company.
Given that US and European users are among those affected by the leak, the smart home platform maker’s poor response may come back to bite it in terms of regulatory action.
“By failing to secure its EU customers’ data, Orvibo is susceptible to penalties under GDPR,” said Jonathan Bensen, CISO at Balbix, an AI-focused cybersecurity platform. “And given the nature of this breach and the sensitive consumer data exposed, it would not be surprising to see further litigations taken on behalf of citizens in other countries, including the US.
“As more Chinese companies expand into the US without taking proper security precautions, they expose themselves to lawsuits. For example, China-based Huazhu Group was sued last October by a Huazhu shareholder in the Central District of California after the company’s breach of 123 million records of registration data.”
Since publication, Orvibo has acknowledged and apologised for the data leak on Twitter:
“We sincerely apologise for this issue and thank vpnMentor for its report. Once we received this report on July 2nd, ORVIBO’s RD team took immediate action to resolve the data leak vulnerability. As an IoT company, ORVIBO always focuses on improving system security.”
The company added that it has upgraded its password encryption methods and the protection on user accounts and password resetting, as well as “strengthening coordination with cybersecurity companies to improve our security system”.
ORVIBO took immediate actions to resolve the data leak vulnerability as below:
1. Upgraded encryption mechanism of password.
2. Upgrade the protection on users’ accounts and password resetting.
3. Strengthening cooperation with cyber security companies to improve our system security.
— ORVIBO (@ORVIBO) July 2, 2019