Chinese smarthome vendor leaks billions of records including passwords

Chinese smarthome solutions provider, Orvibo, has had its publicly accessible ElasticSearch cluster leak more than two billion user logs containing sensitive customer data from countries around the world.

Orvibo is a high-end provider of smart solutions designed for managing houses, offices, and hotel rooms via smart systems, offering security and energy management, as well as remote control and data recording/analysis using a cloud platform.

In a blog post on their website, security firm, vpnMentor, who discovered the open database linked to Orvibo Smart Home products, stated that the exposed database: “includes over 2 billion logs that record everything from usernames, email addresses, and passwords, to precise locations.

They first contacted Chinese smarthome vendor, Orvibo, “via email on June 16. When we didn’t receive a response after several days, we also tweeted the company to alert them to the breach. They still have not responded, nor has the breach been closed”.

With the database still remaining open – the amount of data available continues to increase each day.

Smart home vendor Orvibo claims to have around a million users, including private individuals as well as hotels and other businesses that use Orvibo smarthome devices.

The vpMentor blog post continues: “this constitutes a massive breach of privacy and security with far-reaching implications. The data breach affects users from around the world. We found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. We expect that there are more users represented in the 2 billion plus logs”.

Most alarmingly, the exposed database revealed account reset codes, which would allow bad actors to lock Orvibo users out of their accounts without the need for the users’ passwords. Also, by changing both the password and the email address, the account could be unrecoverable providing hackers with full control of compromised smarthome devices. Even further, by unlocking the users’ smart door locks, combined with precise geolocation information and user schedules from built-in calendar displays, users could be easily exposed to home invasion/burglary type crimes.

The vpnMentor research team also discovered that: “the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database”.

Accessible information on the exposed database included:

• Email addresses
• Passwords
• Account reset codes
• Precise user geolocation
• IP addresses
• Username & UserID
• Family name & Family ID
• Device name & Device that accessed account
• Recorded conversations through Smart Camera
• Scheduling information

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented on the findings: “Unfortunately, such overt negligence is not that uncommon amid IoT and smart home vendors. Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs. Consequentially, their business may be ruined by private and class lawsuits, let alone penalties and fines imposed by regulatory authorities. The victims don’t really have a recourse but to file a legal complaint and deactivate any remote management of their homes, if it is doable. Those who use the same or similar passwords (should) change them immediately.