
Two Billion Records Exposed in 'Smart Home' Breach

Giulio Saggin
Tuesday 28 November 2023

Security researchers found that a user database of two billion records "had been left exposed to the Internet without any password to protect it", Forbes reports.

The information in the database belonged to Orvibo, a Chinese company that runs a smart home device management platform, and included: email addresses, passwords, precise geolocation, IP address, username, userID, family name and ID, smart device, device that accessed account, scheduling information, and account reset codes.

The researchers from vpnMentor, led by Noam Rotem and Ran Locar, stated that reset codes "would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible."

Regarding Orvibo's home security devices, including smart locks, home security cameras and full smart home kits, the researchers stated: "With the information that has leaked, it's clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security."

Rather unprophetically, the Orvibo website states that the company "supports millions of IoT devices and guarantees the data safety."

The researchers found otherwise. In their words, the "breach methodology itself was shockingly predictable: a misconfigured and Internet-facing Elasticsearch database without a password." Worse, the Kibana web front end that sat alongside the cluster, which exists precisely to make browsing and searching the indexed data easy, was also reachable without any password protection, so no tooling beyond a browser was needed to read the records.
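The check a practitioner would want after reading this is whether their own Elasticsearch and Kibana endpoints answer anonymous requests. The script below is an added example, not code from vpnMentor, SecAlerts or Orvibo. It sends credential-free GET requests to the default Elasticsearch API (port 9200) and Kibana status endpoint (port 5601), classifies the response as open, auth-required or unknown, and on an open node sums the per-index document counts to size the exposure. The sample responses embedded in it are constructed for the offline demo; the function names, ports and the "open/auth-required/unknown" verdict scheme are this example's own assumptions.

```python
"""Unauthenticated-exposure check for Elasticsearch and Kibana (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Paths an open Elasticsearch node answers without credentials: the cluster
# banner and the index listing (which carries per-index document counts).
ES_PATHS = ["/", "/_cat/indices?format=json"]
# Kibana's status document; served as JSON to anonymous clients only when
# security is off (a secured Kibana redirects to /login or returns 401).
KIBANA_PATHS = ["/api/status"]

# Constructed sample responses for the offline demo (not captured from any real host).
SAMPLE_ES_ROOT = ('{"name":"n1","cluster_name":"elasticsearch","cluster_uuid":"abc",'
                  '"version":{"number":"6.8.0"},"tagline":"You Know, for Search"}')
SAMPLE_ES_INDICES = ('[{"health":"yellow","status":"open","index":"users","uuid":"u1",'
                     '"pri":"5","rep":"1","docs.count":"1500000000"},'
                     '{"health":"green","status":"open","index":"devices","uuid":"u2",'
                     '"pri":"5","rep":"1","docs.count":"500000000"}]')
SAMPLE_ES_401 = '{"error":{"type":"security_exception","reason":"missing authentication credentials"}}'
SAMPLE_KIBANA_STATUS = ('{"name":"kibana","uuid":"k1","version":{"number":"6.8.0"},'
                        '"status":{"overall":{"state":"green"}}}')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a login redirect is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, timeout=5.0):
    """GET url without credentials; return (status, body_text). Read-only."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(1 << 16).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read(1 << 16) if err.fp is not None else b""
        return err.code, body.decode("utf-8", "replace")


def classify_es(status, body):
    """'open' if an Elasticsearch API answered anonymously, 'auth-required', or 'unknown'."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"  # GET / returned the cluster banner
    if isinstance(data, list) and all(isinstance(i, dict) and "index" in i for i in data):
        return "open"  # GET /_cat/indices listed indices (an empty list is still an open API)
    return "unknown"


def classify_kibana(status, body):
    """Same verdicts for Kibana: redirect/401/403 means security is on; JSON status means it is not."""
    if status in (401, 403) or 300 <= status < 400:
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and "version" in data and "status" in data:
        return "open"
    return "unknown"


def total_docs(indices):
    """Sum docs.count over a parsed _cat/indices listing: records readable by anyone."""
    return sum(int(i.get("docs.count") or 0) for i in indices)


def probe(base_url, kind):
    """Probe one host ('es' or 'kibana'); return {path: verdict} plus exposed_docs if open."""
    paths, classify = (ES_PATHS, classify_es) if kind == "es" else (KIBANA_PATHS, classify_kibana)
    report = {}
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        report[path] = classify(status, body)
        if kind == "es" and path.startswith("/_cat/indices") and report[path] == "open":
            report["exposed_docs"] = total_docs(json.loads(body))
    return report


def demo():
    """Offline run of the classifiers over the constructed samples above."""
    return {
        "es_root": classify_es(200, SAMPLE_ES_ROOT),
        "es_indices": classify_es(200, SAMPLE_ES_INDICES),
        "es_secured": classify_es(401, SAMPLE_ES_401),
        "kibana_status": classify_kibana(200, SAMPLE_KIBANA_STATUS),
        "kibana_secured": classify_kibana(302, ""),
        "exposed_docs": total_docs(json.loads(SAMPLE_ES_INDICES)),
    }


if __name__ == "__main__":
    # usage: python es_exposure_check.py http://host:9200 es   (or http://host:5601 kibana)
    if len(sys.argv) == 3 and sys.argv[2] in ("es", "kibana"):
        print(json.dumps(probe(sys.argv[1], sys.argv[2]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

A verdict of "open" on any path is the Orvibo situation: the cluster banner, index names and document counts are readable by anyone who finds the port, and the data behind them usually is too. The fix is not a firewall rule alone: bind Elasticsearch to a private interface, enable its authentication (the 6.x and 7.x basic licence shipped with it off; 8.x enables it by default), and put Kibana behind the same authentication rather than a bare port.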

Orvibo makes around 100 smart home or smart automation devices and claims to have more than a million users around the world, including private individuals with smart home systems, hotels and business customers. vpnMentor reported that it found information for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the USA.

It is not known whether anyone has exploited the exposure (yet) and, as of July 1, the database was still accessible with no password protection. The full report is available from vpnMentor.

© 2024 SecAlerts Pty Ltd.