Menu

Two Billion Records Exposed in ‘Smart Home’ Breach

Comments Off on Two Billion Records Exposed in ‘Smart Home’ Breach

Security researchers have found a user database, consisting two billion records, “had been left exposed to the Internet without any password to protect it”, reports Forbes.

The information in the database belonged to Orvibo, a Chinese company that runs a smart home device management platform, and included: email addresses, passwords, precise geolocation, IP address, username, userID, family name and ID, smart device, device that accessed account, scheduling information, and account reset codes.

The researchers from vpnMentor, led by Noam Rotem and Ran Locar, stated that reset codes “would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”

Regarding Orvibo’s home security devices, including smart locks, home security cameras and full smart home kits, the researchers stated: “With the information that has leaked, it’s clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security.”

Rather un-prophetically, the Orvibo website states that the company “supports millions of IoT devices and guarantees the data safety.”

However, the researchers found this safety was lacking and the “breach methodology itself was shockingly predictable: a misconfigured and Internet-facing Elasticsearch database without a password.” If this wasn’t bad enough, a Kibana web-based app, there to make navigating through the data easier, had no password protection.

Orvibo makes around 100 smart home or smart automation devices and claims to have more than a million users around the world, including private individuals with smart home systems, hotels and business customers. VpnMentor reported it found information for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the USA.

It’s unknown if anyone has taken advantage of the vulnerability (yet) and, as of July 1, the database was still accessible with no password protection.

Related Articles

ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
Menu
Live Chat
RESOURCES
Menu
Get Started
TOOLBOX
Menu
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Do NOT follow this link or you will be banned from the site!