IoT vendor Orvibo leaves user and device data dump on exposed server
Written by James Orme Wed 3 Jul 2019

Orvibo manufactures more than 100 smart home and automation products and claims a million users
A database belonging to IoT vendor Orvibo containing 2 billion log entries has been discovered by researchers on an exposed Elasticsearch server.
China-based Orvibo manufactures smart home products for consumers, hotels and businesses, including security, energy management, and home entertainment systems. The exposed database included usernames, email addresses, password hashes and precise locations belonging to the company’s global user base.
vpnMentor, the researchers who found the data dump, said they found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.
The researchers alerted Orvibo to the exposed server on 16 June, but the manufacturer did not respond or secure the database until 2 July. The database continued to grow every day it remained open.
The researchers said the breach had massive implications and that the data could be pieced together to disrupt smart homes remotely.
“There was enough information to put together several threads and create a full picture of a user’s identity,” the researchers added in a blog post.
“Even a smart socket, for example, can be hacked to change the level of a user’s energy consumption without their knowledge. Another scenario involves cutting power via smart plugs, which could potentially plunge a user into darkness at a time when they needed good lighting.”
To make matters worse, Orvibo hashed user passwords with MD5, a fast general-purpose hash that was never designed for password storage, so the hashes can be brute-forced or matched against precomputed tables at high speed. The company also did not salt the hashes. A salt is a random value stored alongside each password and mixed in before hashing; it does not make any single hash harder to compute, but it ensures that two users with the same password get different hashes and that an attacker cannot reuse one precomputed table across the whole user base. Best practice for stored passwords is a per-user salt combined with a deliberately slow password hashing function such as bcrypt, scrypt or Argon2.
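The following is an added example, not code from the article or from Orvibo, that shows concretely why unsalted MD5 is cheap to crack and what a per-user salt and slow hash change. The sample users, their passwords and the attacker's wordlist are constructed for the demonstration; the salted variant uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, scrypt or Argon2, which need a third-party package.

```python
import hashlib
import secrets

# Constructed sample data (not from the real dump): two users who share the
# password "123456", one with "orvibo123", and one whose password is not in
# the attacker's wordlist at all.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "orvibo123",
    "dave": "Tr0ub4dor&3-not-in-list",
}

# A tiny attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["password", "123456", "qwerty", "orvibo123", "letmein"]

# Kept low so the demo runs in well under a second; production deployments
# use hundreds of thousands of PBKDF2 iterations, or a memory-hard KDF.
ITERATIONS = 10_000


def md5_unsalted(password: str) -> str:
    """The scheme the article attributes to Orvibo: plain MD5, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_unsalted_dump(users):
    """Simulate a leaked user table that stores bare MD5 digests."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Crack an unsalted dump with ONE hash computation per wordlist entry.

    Identical passwords give identical digests, so a single lookup table
    built from the wordlist is checked against every user at once.
    Returns (recovered passwords, number of hash computations performed).
    """
    table = {md5_unsalted(w): w for w in wordlist}
    found = {user: table[d] for user, d in dump.items() if d in table}
    return found, len(wordlist)


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


def build_salted_dump(users, iterations=ITERATIONS):
    """Store a random 16-byte salt per user next to the PBKDF2 digest."""
    dump = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        dump[user] = (salt.hex(), pbkdf2_hash(pw, salt, iterations))
    return dump


def crack_salted(dump, wordlist, iterations=ITERATIONS):
    """Attack the salted dump. No shared table is possible: each user's salt
    forces the attacker to recompute the slow KDF for every candidate, so
    the work is (users x candidates x iterations) rather than (candidates).
    Returns (recovered passwords, number of KDF computations performed).
    """
    found = {}
    work = 0
    for user, (salt_hex, digest) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            work += 1
            if pbkdf2_hash(candidate, salt, iterations) == digest:
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_USERS)
    print("unsalted MD5:", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_dump(SAMPLE_USERS)
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

In the unsalted run, alice and bob share a digest and all three weak passwords fall to five MD5 calls; in the salted run, the same three are still recovered (the salt is not a secret and cannot rescue a weak password), but every guess must be run through the slow KDF separately for each user, which is what makes a billion-row dump expensive to crack rather than a one-off table lookup.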
“Even with strong passwords, however, Orvibo’s database included a dangerous piece of information,” the researchers added.
“When examining their records, we found account reset codes in the data logs. These would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password.”
According to security vendor Irdeto, 82 percent of IoT vendors are concerned the devices they make are not adequately secured from cyber attacks.