Security researchers have found a user database, consisting of two billion records, that “had been left exposed to the Internet without any password to protect it”, reports Forbes.
The information in the database belonged to Orvibo, a Chinese company that runs a smart home device management platform, and included: email addresses, passwords, precise geolocation, IP address, username, userID, family name and ID, smart device, device that accessed account, scheduling information, and account reset codes.
The researchers from vpnMentor, led by Noam Rotem and Ran Locar, stated that reset codes “would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”
Regarding Orvibo’s home security devices, including smart locks, home security cameras and full smart home kits, the researchers stated: “With the information that has leaked, it’s clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security.”
Rather un-prophetically, the Orvibo website states that the company “supports millions of IoT devices and guarantees the data safety.”
However, the researchers found this safety was lacking and the “breach methodology itself was shockingly predictable: a misconfigured and Internet-facing Elasticsearch database without a password.” If this wasn’t bad enough, a Kibana web-based app, there to make navigating through the data easier, had no password protection.
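The breach methodology described above comes down to two settings: a node bound beyond loopback and authentication left off. As an added example that is not from vpnMentor, Orvibo or the article, the script below audits constructed elasticsearch.yml and kibana.yml fragments for exactly that pattern; it assumes the 7.x-era default that `xpack.security.enabled` is off unless set, and uses only the standard library.

```python
"""Audit flat elasticsearch.yml / kibana.yml settings for the exposure pattern
reported here: Internet-facing Elasticsearch and Kibana with no authentication.
Constructed configs, standard library only."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines these configs use (no nesting)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_exposed(bind):
    """True when a bind address reaches beyond loopback (None = the default, loopback only)."""
    if bind is None:
        return False
    hosts = [h.strip(" \"'") for h in bind.strip("[]").split(",")]
    return any(h not in LOOPBACK for h in hosts)


def audit(es_yaml, kibana_yaml):
    """Return human-readable findings; an empty list means the checked pattern is absent."""
    es, kb = parse_flat_yaml(es_yaml), parse_flat_yaml(kibana_yaml)
    # Assumption: 7.x default, security (and therefore passwords) is off unless enabled.
    auth = es.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if is_exposed(es.get("network.host")) and not auth:
        findings.append("elasticsearch: bound beyond loopback with xpack.security.enabled=false")
    # Kibana has no login of its own; with ES security off its UI is open to anyone who reaches it.
    if is_exposed(kb.get("server.host")) and not auth:
        findings.append("kibana: bound beyond loopback while elasticsearch has no authentication")
    return findings


# Constructed examples: the reported weak setup beside a corrected one.
WEAK_ES = "cluster.name: smart-home\nnetwork.host: 0.0.0.0\nxpack.security.enabled: false\n"
WEAK_KIBANA = "server.host: \"0.0.0.0\"\nelasticsearch.hosts: [\"http://localhost:9200\"]\n"
FIXED_ES = "cluster.name: smart-home\nnetwork.host: 0.0.0.0\nxpack.security.enabled: true\n"
FIXED_KIBANA = "server.host: \"0.0.0.0\"\nelasticsearch.username: kibana_system\n"

if __name__ == "__main__":
    for name, es_cfg, kb_cfg in (("weak", WEAK_ES, WEAK_KIBANA), ("fixed", FIXED_ES, FIXED_KIBANA)):
        print(name, audit(es_cfg, kb_cfg) or ["no exposure pattern found"])
```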
Orvibo makes around 100 smart home or smart automation devices and claims to have more than a million users around the world, including private individuals with smart home systems, hotels and business customers. VpnMentor reported it found information for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the USA.
It’s unknown if anyone has taken advantage of the vulnerability (yet) and, as of July 1, the database was still accessible with no password protection.