vpnMentor's team of "hacktivist" security researchers recently announced the discovery of an exposed database connected to Orvibo Smart Home products. The vulnerable account information exposed in the database includes 2 billion logs detailing everything from usernames and emails to passwords and precise device locations.
The Orvibo database, which has been closed as of July 2nd, 2019, included information from nearly a million users located across the globe. The company’s Internet of Things (IoT) products that were affected include 100 different varieties of smart locks, home security cameras, and full smart home kits. Data accessible via the database includes:
- Email addresses
- Account reset codes
- Precise geolocation
- IP address
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
The nature of the vulnerability is both appalling and surprisingly common: a misconfigured Elasticsearch database that was not password protected. By default, the Elasticsearch API is not password protected, so a cluster bound to a public interface with no authentication layer added is readable by anyone who can reach its port. Forbes' coverage of this news noted that breaches resulting from poorly managed Elasticsearch databases are becoming increasingly commonplace.
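The misconfiguration described above comes down to two settings in `elasticsearch.yml`: what interface the HTTP API is bound to, and whether authentication is enabled. The following is an added example, not code from vpnMentor, Orvibo, or the article, showing a small audit that parses a flat Elasticsearch config and flags the combination that produces an Internet-reachable, unauthenticated cluster. The sample configurations are constructed for illustration; the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch keys, and the treatment of a missing `xpack.security.enabled` as "disabled" follows the 2019-era default the article refers to.

```python
"""Audit an elasticsearch.yml for the exposed-and-unauthenticated pattern.

Added example: the configs below are constructed samples, not Orvibo's.
"""
import re
from typing import Dict, List

# Constructed sample: the weak configuration (all interfaces, security off).
WEAK_CONFIG = """
cluster.name: smarthome-logs
network.host: 0.0.0.0          # reachable from any interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

# Constructed sample: corrected configuration (loopback only, auth and TLS on).
HARDENED_CONFIG = """
cluster.name: smarthome-logs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the API on the loopback interface only.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.

    Comments are stripped; nested YAML and lists are out of scope here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("'\"")
    return settings


def is_public_bind(host: str) -> bool:
    """True when network.host exposes the HTTP API beyond loopback.

    0.0.0.0, ::, _site_, _global_, interface names and any routable
    address all count as public for the purposes of this check.
    """
    return host.strip() not in LOOPBACK_VALUES


def audit(config_text: str) -> List[str]:
    """Return findings for the config; an empty list means nothing to flag."""
    settings = parse_flat_yaml(config_text)
    findings: List[str] = []

    # Elasticsearch binds loopback (_local_) when network.host is unset.
    host = settings.get("network.host", "_local_")
    # Treat an unset value as disabled, matching the default the article
    # describes; Elasticsearch 8 and later enable security by default.
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if is_public_bind(host) and not security_on:
        findings.append(
            f"CRITICAL: network.host={host} with xpack.security.enabled=false: "
            "REST API is reachable unauthenticated; every index can be read."
        )
    elif is_public_bind(host):
        findings.append(
            f"WARN: network.host={host} is reachable beyond loopback; "
            "confirm firewall rules and role-based access on the cluster."
        )
    elif not security_on:
        findings.append(
            "INFO: xpack.security.enabled=false but the API is loopback-only; "
            "any local process can read all data."
        )

    if is_public_bind(host) and security_on and not tls_on:
        findings.append(
            "WARN: authentication is enabled but HTTP TLS is not; credentials "
            "travel in the clear to a non-loopback listener."
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["OK: no findings"]:
            print("  " + finding)
```

Running the script prints one CRITICAL finding for the weak sample and no findings for the hardened one. The check is deliberately conservative: anything other than a loopback bind is treated as public, because the article's point is that a cluster nobody intended to expose was still reachable, and the safe posture is to prove a listener is loopback-only rather than assume it.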
The potential for malicious use of access to this database is massive, but difficult to quantify. With each product allowing varying amounts and types of access to user data, the potential threats range from inconvenient to life-threatening. For example, hackers could easily turn smart sockets on and off without the device owner being aware of it, potentially starting fires. This is just one of many potential threats highlighted in the original reporting that illustrate how broad the ramifications from this exposure could have been.
As the Internet of Things continues to proliferate and we see the expansion of IoT platforms like Google's recently announced Cloud IoT Device SDK, how can end users trust that the devices they let into their homes are properly secured? Even as recently as this morning it was announced that a vulnerability in the Zoom Mac client could allow a user's webcam to be turned on without consent. Additionally, it can be difficult to pinpoint who is to blame when issues arise, as it could easily be argued that several parties are responsible for ensuring security, from manufacturers to IoT platform providers. With this in mind, it seems clear that stricter industry standards and oversight will be critical going forward.