Chinese smart home vendor leaks over 2bn customer records

Chinese smart home solutions provider, Orvibo, has leaked over two billion user logs containing sensitive data of its customers across the globe, via an ElasticSearch server it left exposed on the Web with no password.

Orvibo runs SmartMate, a platform for managing smart appliances, including smart lighting, home security, HVAC, energy management, and home entertainment systems.

The misconfigured database was identified in mid-June by security researchers Noam Rotem and Ran Locar from vpnMentor, who shared their discovery with ZDNet and asked for assistance in notifying Orvibo.

The database includes more than 2 billion logs that record data, such as usernames, e-mail addresses and passwords, recorded conversations through smart cameras, as well as exact geo-locations. Affected users come from all over the world, including China, Japan, Thailand, the US, the UK, Mexico, France, Australia and Brazil.

The database leaked account reset codes that could enable attackers to lock Orvibo users out of their accounts without requiring the users' passwords.

Also, should hackers change both the password and the e-mail address, the account could be rendered unrecoverable, giving attackers total control of the victims’ smart home devices.

Moreover, unlocking users' smart door locks, combined with precise geo-location and schedules stolen from built-in calendar displays, leaves them at risk of home break-ins.

However, the company has failed to take any action to date. According to vpnMentor’s blog: “We first contact Orvibo via email on June 16. When we didn’t receive a response after several days, we also tweeted the company to alert them to the breach. They still have not responded, nor has the breach been closed.”

The researchers were clear: "As long as the database remains open, the amount of data available continues to increase each day.”

Ilia Kolochenko, founder and CEO of Web security company ImmuniWeb, said: “Unfortunately, overt negligence is not that uncommon amid IOT and smart home vendors. Most of them compete on a turbulent, aggressive and highly competitive global market and, in order to stay afloat, they have to slay internal security costs.”

He says this could result in their businesses facing private and class lawsuits, as well as penalties and fines imposed by regulatory authorities. There is no real recourse for individual victims other than to file a legal complaint and deactivate any remote management of their homes, if this is doable. Those who use the same or similar passwords should change them immediately. 

Even worse, says Kolochenko, is that many similar incidents are never reported to the vendors, and end up in the hands of cyber criminals. The more we entrust our daily lives to vendors who are not 100% trustworthy, the more detrimental and dangerous risks we will eventually face, he warns.