Report: Orvibo Smart Home Devices Leak Billions of User Records
vpnMentor’s research team has uncovered a massive, potentially harmful leak in Orvibo’s user database. The site’s cybersecurity research team, led by Noam Rotem and Ran Locar, discovered an open database linked to Orvibo Smart Home products. The company manufactures 100 different smart home and smart automation products and has over a million worldwide users. These include private individuals who connect their homes, as well as hotels and other businesses with Orvibo smart home devices.
The database includes over 2 billion logs that record everything from email addresses and passwords, to precise locations of users around the world. Logs were found for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.
Despite several attempts to contact Orvibo since June 16, when the leak was uncovered, no response has been received and no action has been taken on the breach. Worryingly, as long as the database remains open, the amount of data available continues to increase each day.
Examples of Entries in the Database
The amount of data available from Orvibo’s servers is enormous. It’s also highly specific, showcasing just how much data smart home devices can collect about their users.
Data Included in the Breach:
- Email addresses
- Account reset codes
- Precise geolocation
- IP address
- Username & UserID
- Family name & Family ID
- Device name & Device that accessed account
- Recorded conversations through Smart Camera
- Scheduling information
For a breakdown of the data accessible, including screenshots, please see the Appendix here.
Data Breach Impact
A breach of this size has massive implications due to both the nature of the devices within Orvibo’s product catalog and the abundance of identifying information about users freely available. Much of this data can be pieced together to disrupt a person’s home, while possibly leading to further hacks. The key impacts of the hack include:
- Password Access – Though Orvibo does hash its passwords, when vpnMentor tested the security it was easy to crack many passwords despite the hashing. If Orvibo had added salt to their hashed passwords, it would have created a more complex string that is far more difficult to crack.
- Account Reset Codes Found In Data Logs – These would be sent to a user to reset either their password or their email address. Hackers using these could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible and give the hacker full control of their smart home devices.
- Smart Socket Takeover – It’s possible to cut the power via smart plugs, which could potentially plunge a user into darkness. If this occurred at a place of business, for example, this would likely lead to lost revenue. Alternatively, if someone were to change the settings of a socket without the user’s knowledge, it could lead to a situation where a major appliance, such as an oven, would turn on and heat up unattended.
- Smart Home Security Breach – Orvibo manufactures a number of “home security” devices, including smart locks, home security cameras, and full smart home kits. There’s enough information leaked from the database to take over a user’s account. The video feed from one of Orvibo’s smart cameras is easily accessible by entering the owner’s account with the credentials found in the database. It would also be easy to unlock a door from the same account and, with precise geolocation, this simplifies home break-ins – an event smart homes are supposed to help protect against.
- Stolen Schedules – Orvibo’s smart mirror includes built-in weather displays as well as a calendar. Some users had very detailed information about their schedules recorded through the smart mirror. Should someone want to follow a user outside of their home, or to know when they would be out, they could find the information they need to do so by combing the scheduling data in the database.
- Entertainment Hijacking – Orvibo manufactures two home entertainment devices. One device is the Magic Cube Wifi IR Controller; another is the ZigBee controller. At its most basic level, a hacker could take control of these devices to ruin a user’s TV or movie experience. However, with easy control of the TV, a hacker could turn it on and raise the volume at an inconvenient time. Anyone could find themselves on the line for noise disturbances, with the impact worsening when the victim is a business.
- Business Issues – Hackers could easily take a whole business’ network offline with a fully connected set of these smart home items, which would result in a direct loss of revenue and a loss of customer trust. When an entire building or dwelling relies on connected technology for security, an outage can stop the whole operation.
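The Password Access item above turns on the difference between a bare hash and a salted one. The following is an added example, not code from the report or from Orvibo: it stores the same constructed accounts both ways and audits each table for users who share a digest. The account names, passwords, use of SHA-256 for the weak case and the PBKDF2 iteration count are all assumptions, since the report does not name the algorithm Orvibo used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not data from the exposed database.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "x9!Lq#72vTz"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def unsalted_digest(password):
    """Weak pattern: one fast, unsalted hash (SHA-256 is an assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened pattern: random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    return salt, derived


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, derived = hash_password(password, salt)
    return hmac.compare_digest(derived, expected)


def shared_digest_groups(table):
    """Audit helper: list users whose stored digest is identical."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def build_tables():
    """Return (unsalted, salted) credential tables for the sample accounts."""
    weak = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
    strong = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted, shared digests:", shared_digest_groups(weak))
    salted = {u: derived for u, (_, derived) in strong.items()}
    print("salted, shared digests:  ", shared_digest_groups(salted))
```

In the unsalted table every account with the same password carries the same digest, so one precomputed list of common-password hashes matches all of them at once; with a per-user salt each stored value has to be attacked separately.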
These issues are an increasing problem when it comes to the Internet of Things (all of the smart devices that communicate with one another via an internet connection). As an industry that’s still relatively young, there are a lot of security issues that need to be addressed by manufacturers while they still can.
Advice from the Experts
There are several security measures that Orvibo could have taken that would have helped prevent this breach. Below, you can find a few essential tips that can help you prevent or patch a vulnerable database.
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
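Separately from closing off access to the database, the account reset codes and password hashes described earlier should never reach the logs in readable form. The following is an added example, not code from the report or from Orvibo: a Python `logging` filter that scrubs sensitive values before any handler writes them. The field names and log lines are assumptions, as the report does not give the log schema.

```python
import io
import logging
import re

# Assumed field names; the report lists reset codes and passwords among the
# logged data but does not give the log schema.
SENSITIVE_KEYS = ("reset_code", "password", "password_hash", "token")
_PATTERN = re.compile(
    r'(?i)("?\b(?:%s)"?\s*[:=]\s*)("[^"]*"|[^\s,;&}]+)' % "|".join(SENSITIVE_KEYS)
)


def redact(text):
    """Replace the value of any sensitive key=value or "key": "value" pair."""
    return _PATTERN.sub(lambda m: m.group(1) + "[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before a handler emits it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def demo():
    """Log two constructed events through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction_demo")
    log.handlers = [handler]
    log.propagate = False
    log.setLevel(logging.INFO)
    # Constructed log events, not entries from the exposed database.
    log.info("reset requested user=%s reset_code=%s", "u1001", "483921")
    log.info('{"email": "a@example.com", "password_hash": "5f4dcc3b5aa7"}')
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```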
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
For more information on this massive data leak, the full report can be found here.
How We Discover Breaches
We discovered this breach as part of our web-mapping project. Our team of cybersecurity experts examines ports looking for known IP blocks. Using these blocks, Noam and Ran can search for vulnerabilities in a web system. When the team does discover leaked data, they use their technical understanding to confirm who the database belongs to.
After finding a leak, we contact the owner of the database to alert them to the vulnerabilities in the system. When possible, we will also contact those affected by the data breach. Our goal with this project is to promote a safe and secure internet for all users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that Gearbest experienced a massive data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.