More than two billion user logs containing information on Chinese home solutions company Orvibo’s customers were leaked after a database was left exposed.
The company sells a portfolio of 100 smart solutions to manage energy and security systems, such as lighting systems, home entertainment devices and HVAC, in homes, offices and hotel rooms via a smart home cloud platform.
Among the customer data exposed by the unprotected ElasticSearch cluster were: email addresses, passwords, user geolocation, conversations recorded with smart cameras, usernames and IDs, IP addresses, account reset codes, device names, identities of devices accessing accounts, schedules, and family names and IDs, according to vpnMentor researchers, led by Noam Rotem and Ran Locar, who discovered the database.
Because reset codes are among the data exposed, attackers could use the information to permanently lock Orvibo customers out of their accounts and eventually gain full control of their devices. "Orvibo does make some effort into concealing the passwords, which are hashed using md5 without salt," the vpnMentor report said.
In addition, “the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database,” the report said.
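As an added illustration of why the unsalted MD5 scheme the report describes does so little to protect stored passwords, the constructed user list below (invented names and passwords, not data from the leak) is hashed both that way and with a per-user random salt plus a slow KDF; this is example code, not the vpnMentor researchers' or Orvibo's.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: two of the three users chose the same weak password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "Tr0ub4dor&3"}


def md5_unsalted(password: str) -> str:
    """The scheme the report describes: plain MD5 digest, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (a slow, standard KDF).
    Stored as 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time comparison."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_hash_count(store: Dict[str, str]) -> int:
    """Number of users whose stored value equals another user's. Unsalted MD5
    reveals shared passwords from the dump alone; salted storage never does."""
    counts = Counter(store.values())
    return sum(c for c in counts.values() if c > 1)


def precomputed_table_hits(store: Dict[str, str], wordlist: List[str]) -> int:
    """Count stored values present in a precomputed digest->word table built
    from a wordlist (the lookup/rainbow-table risk). Salted values never match."""
    table = {md5_unsalted(w): w for w in wordlist}
    return sum(1 for h in store.values() if h in table)


if __name__ == "__main__":
    md5_store = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted_store = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("shared digests, md5:", duplicate_hash_count(md5_store))      # 2
    print("shared digests, salted:", duplicate_hash_count(salted_store))  # 0
```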
“Unfortunately, such overt negligence is not that uncommon amid IoT and smart homes vendors,” said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs.”
As a result, their business “may be ruined by private and class[-action] lawsuits, let alone penalties and fines imposed by regulatory authorities,” Kolochenko explained, noting victims don’t really have recourse but should change any similar passwords immediately.
“Worse, many similar incidents never go to the media, ending up in hands of cybercriminals,” he added. “The more we will entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies.”
The researchers reported their findings to Orvibo, but did not hear back, and contend that "as long as the database remains open, the amount of data available continues to increase each day."
Orvibo, too, could be found in violation of GDPR, a costly position to be in. “By failing to secure its EU customers’ data, Orvibo is susceptible to penalties under GDPR. And given the nature of this breach and the sensitive consumer data exposed, it would not be surprising to see further litigations taken on behalf of citizens in other countries, including the U.S. As more Chinese companies expand into the U.S. without taking proper security precautions, they expose themselves to lawsuits,” said Balbix CEO Jonathan Bensen, who pointed to China's Huazhu Group, which was sued in the Central District of California by a shareholder following a breach that exposed 123 million records of registration data.