Orvibo data leak puts security spotlight on IoT back end

Researchers at virtual private network (VPN) testing and review service vpnMentor have discovered a publicly accessible database belonging to Chinese firm Orvibo, which runs a platform for managing smart home appliances for customers around the world, including the UK and the US.

The database for the platform, called SmartMate, was found to have no password protection, despite containing more than two billion logs that relate to around two million customers’ smart home devices, underlining the huge volume of data that internet of things (IoT) devices typically collect.

The security implications are huge because these SmartMate logs record details including usernames, passwords protected only using the MD5 hashing algorithm without salt protection, account reset codes and even the precise location of IoT devices belonging to individuals, hotels and other businesses.

As long as the database remains open, the amount of data available continues to increase each day, exposing customers to the risk of account takeover by malicious actors, vpnMentor warned in a blog post.

Despite several attempts to contact Orvibo since 16 June, the vpnMentor researchers said they have received no response and the database continues to be exposed.

A breach of this size, the researchers said, has massive implications because much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks.

The account reset codes, they said, could be especially dangerous because these would enable a hacker to lock a user out of their account without needing their password, and by changing both the password and the email address, the hacker would make the action irreversible.

The vpnMentor researchers recommend that Orvibo and other firms managing IoT devices should ensure that they secure servers, implement proper access rules, and never leave a system that does not require authentication open to the internet.

Ben Herzberg, director of threat research at security firm Imperva, said misconfigurations that leave servers open and vulnerable is something that continually resurfaces, adding that Orvibo’s lack of a response and remediation of the leaky server is irresponsible and extremely dangerous.

“Once servers are left open, it takes barely any time for attackers to become aware of the vulnerability and take over. In our research, we saw that specific to Redis servers, 75% of the open servers were taken over in cryptojacking schemes.

“When these systems are left open attackers have a variety of options, they can either use the data to their advantage, take over resources, or work themselves even further into the networks of the organisation and infiltrate additional resources,” he said.

According to Herzberg, the fact that passwords are simply hashed, but not salted, increases the likelihood that hackers could crack them to reveal the passwords. These cracked passwords could then be used in credential stuffing attacks, which are enabled by password re-use.

But password re-use across multiple accounts in still extremely common, said Anurag Kahol, CTO at security firm Bitglass. “This means that if a cyber criminal obtains a single password, then they can potentially gain access to a number of accounts across multiple services that their victim uses.

“Basic password protection is a must for organisations looking to protect their sensitive data in the cloud. Organisations should authenticate their users to ensure that they are who they say they are before granting them access to IT resources.

“Fortunately, multifactor authentication [MFA] and user and entity behaviour analytics [UEBA] are two tools that can help companies to defend customer information as well as the rest of their corporate data.”

Kahol also warned that because Orvibo makes and manages smart locks and internet-connected cameras, it is possible that a hacker could unlock doors and turn off security cameras, facilitating break-ins and burglaries. “This is a prime example of how poor cyber security can also foster physical security threats,” he said.

Jake Moore, cyber security specialist at Eset, said the discovery of the SmartMate logs highlights the sheer magnitude of endless possibilities open to poor security on IoT devices.

“By not looking after personally identifiable and confidential data at the back end of a website has just as much risk attached as not using a password at all.

“It is unknown if anyone has taken advantage of this flaw yet, and I’d hope it would be patched quite quickly now it is out. What a criminal hacker could do with this goes as far as their imagination will take them,” he said.