
Published on July 2nd, 2019


Exposed Orvibo database leaks two billion records



More than 2 billion user logs containing information on Chinese home solutions company Orvibo’s customers were leaked after a database was left exposed.

The company sells smart solutions to manage energy and security systems, such as lighting systems, home entertainment devices and HVAC, in homes, offices and hotel rooms via a smart home cloud platform.

Among the customer data exposed by the unprotected ElasticSearch cluster were: email addresses, passwords, user geolocation, conversations recorded with smart cameras, usernames and IDs, IP addresses, account reset codes, device names, identities of devices accessing accounts, schedules, and family names and IDs, according to vpnMentor researchers who discovered the database.

Because reset codes are among the data exposed, attackers could use the information to lock Orvibo customers out of their accounts and eventually gain full control of their devices.

In addition, “the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database,” the report quoted the researchers as saying.

“Unfortunately, such overt negligence is not that uncommon amid IoT and smart homes vendors,” said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs.”





As a result, their business “may be ruined by private and class[-action] lawsuits, let alone penalties and fines imposed by regulatory authorities,” Kolochenko explained, noting victims don’t really have recourse but should change any similar passwords immediately.

“Worse, many similar incidents never go to the media, ending up in hands of cybercriminals,” he added. “The more we will entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies.”

The researchers reported their findings to Orvibo, but did not hear back. Bleeping Computer cited the researchers as saying that “as long as the database remains open, the amount of data available continues to increase each day.”
