IoT vendor Orvibo gives away treasure trove of user and device data

Two billion items of log data from devices sold by China-based smart IoT device manufacturer Orvibo was found by researchers at web privacy review service vpnMentor, who discovered the data in an exposed ElasticSearch server online.

Orvibo has been selling products for smart homes, businesses, and hotels since 2011, ranging from HVAC systems through to home security, energy management, and entertainment systems. The back-end database appears to have been logging system events from lots of them.

Researchers Noam Rotem and Ran Locar found logs from Orvibo devices in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, vpnMentor said in its report.

This data provides insights into the lives of Orvibo’s customers, creating potential security risks, it warned.

With over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.

The logs discovered by the vpnMentor team contained various pieces of personal information, including email addresses, usernames, user IDs, and passwords. Orvibo’s developers had not only used the no-longer-recomended MD5 but also failed to use a salt, which is a random string combined with the password that makes hashed passwords far more difficult to recover.

The log data also included codes required for users to reset their accounts. The company said:

With this code accessible in the data, you could easily lock a user out of their account, since you don’t need access to their email to reset the password.

The code enables people to reset their email addresses too, meaning that an attacker could deny a user any chance of regaining their passwords.

Other information in the open database included family names, IP addresses, and the precise geolocation codes of the devices generating the logs. The logs displayed this data as latitude and longitude coordinates, vpnMentor said, adding:

This also demonstrates that their products track location in their own right, rather than determining location based on an IP address.

The researchers warned that attackers could use the logged data to disrupt a person’s home. For example, they could take control of security cameras, turn off electrical sockets and light switches, and even control smart locks.

Orvibo ignored repeated attempts by both vpnMentor and journalists at ZDNet to notify it of the breach over several weeks. As of Monday, the database was still publicly accessible, ZDNet reported.

Elastic turned off remote access to the free version of its software by default, binding it only to local addresses. However, users can change that configuration, potentially exposing their data to everyone if they made those servers public-facing. Executives have denied responsibility for the many online data leaks, pointing instead to inexperienced users.

The company recently seems to have caved to user concern, making changes to the default, free version of its ElasticSearch database by introducing security features that users previously had to pay for. These included TLS for encrypted communications, and native authentication (meaning that there’s finally an easy way to put password protection on public-facing ElasticSearch servers out of the box).

Nevertheless, persuading users to update the software and then configure the new, free features will be slow. Expect to see a lot more exposed ElasticSearch records like these in the meantime.