Smart Home Data Vulnerability Highlights Inherent Risk of IoT Proliferation

vpnMentor's team of "hacktivist" security researchers recently announced the discovery of an exposed database connected to Orvibo Smart Home products. The vulnerable account information exposed in the database includes 2 billion logs detailing everything from usernames and emails to passwords and precise device locations.

The Orvibo database, which has been closed as of July 2nd, 2019, included information from nearly a million users located across the globe. The company’s Internet of Things (IoT) products that were affected include 100 different varieties of smart locks, home security cameras, and full smart home kits. Data accessible via the database includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise geolocation
  • IP address
  • Username
  • UserID
  • Family name
  • Family ID
  • Smart device
  • Device that accessed account
  • Scheduling information

The nature of the vulnerability is both appalling and surprisingly common: a misconfigured Elasticsearch database that was not password protected. By default, the Elasticsearch API is not password protected. Forbes' coverage of this news noted that breaches resulting from poorly managed Elasticsearch databases are becoming increasingly commonplace.
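A defender-side check for the misconfiguration described above, as an added example that is not from the original article or from Elasticsearch: it audits the text of an `elasticsearch.yml` for an API that is reachable beyond loopback without authentication. It assumes flat dotted keys and treats a missing `xpack.security.enabled` as disabled, matching the default behaviour the article describes; the sample configs and finding codes are constructed.

```python
# Added example (not from the article): audit elasticsearch.yml text.
# Assumes flat dotted keys; a missing xpack.security.enabled counts as
# disabled, as in the pre-8.0 releases current when the article was written.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

# Constructed sample configs.
WEAK = "cluster.name: smarthome-logs\nnetwork.host: 0.0.0.0\n"
HARDENED = (
    "network.host: _site_\n"
    "xpack.security.enabled: true\n"
    "xpack.security.http.ssl.enabled: true\n"
)

def parse_flat_yaml(text):
    """Read 'key: value' lines, skipping comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def bind_hosts(settings):
    """HTTP bind addresses: http.host overrides network.host (default _local_)."""
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    return [h.strip().strip("\"'") for h in raw.strip("[]").split(",") if h.strip()]

def is_true(settings, key):
    return settings.get(key, "false").lower() == "true"

def audit(text):
    """Return (code, message) findings for one config."""
    s = parse_flat_yaml(text)
    exposed = [h for h in bind_hosts(s) if h not in LOOPBACK]
    auth = is_true(s, "xpack.security.enabled")
    findings = []
    if not auth:
        findings.append(("NO_AUTH", "xpack.security.enabled is not true"))
        if exposed:
            findings.append(("EXPOSED_NO_AUTH",
                             "API bound to %s without a password" % ", ".join(exposed)))
    elif exposed and not is_true(s, "xpack.security.http.ssl.enabled"):
        findings.append(("NO_TLS", "credentials cross the network in cleartext"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```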

The potential for malicious use of access to this database is massive, but difficult to quantify. With each product allowing varying amounts and types of access to user data, the potential threats range from inconvenient to life-threatening. For example, hackers could easily turn smart sockets on and off without the device owner being aware of it, potentially starting fires. This is just one of many potential threats highlighted in the original reporting that illustrate how broad the ramifications from this exposure could have been.

As the Internet of Things continues to proliferate and we see the expansion of IoT platforms like Google's recently announced Cloud to IoT Device SDK, how can end-users trust that the devices they let into their homes are properly secured? Even as recently as this morning it was announced that a vulnerability in the Zoom Mac client could allow a user's webcam to be turned on without consent. Additionally, it can be difficult to pinpoint who is to blame when issues arise, as it could easily be argued that several parties are responsible for ensuring security, from manufacturers to IoT platform providers. With this in mind, it seems clear that stricter industry standards and oversight will be critical going forward.


Comments (1)

RoksolanaK

Thanks for the article. Oh, yes, we have such quick IoT development. On the one hand, it's very cool because we can build a great future; according to the statistics, there are 26.66 billion IoT connected devices around the globe. The main purpose of IoT is to make the lives of people more convenient and efficient. Artificial intelligence and advanced analytics can help create a more intelligent work environment. But it is only in kind minds that the future of IoT looks bright and promising. However, there's one constraint IoT devices face in all these sectors, and it is not only connectivity and communication between all the devices: good, quality security that keeps our lives safe.