Exposed Orvibo database leaks two billion records

News by Teri Robinson

Reset codes are among the data exposed at Orvibo, meaning attackers could use the information to lock the customers of the Chinese home solutions company out of their accounts and eventually gain full control of their devices

More than two billion user logs containing information on Chinese home solutions company Orvibo’s customers were leaked after a database was left exposed.

The company sells smart solutions to manage energy and security systems, such as lighting systems, home entertainment devices and HVAC, in homes, offices and hotel rooms via a smart home cloud platform.

Among the customer data exposed by the unprotected Elasticsearch cluster were email addresses, passwords, user geolocation, conversations recorded with smart cameras, usernames and IDs, IP addresses, account reset codes, device names, identities of devices accessing accounts, schedules, and family names and IDs, according to vpnMentor researchers who discovered the database.

Because reset codes are among the data exposed, attackers could use the information to lock Orvibo customers out of their accounts and eventually gain full control of their devices.

In addition, "the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database," the report quoted the researchers as saying. 

"Unfortunately, such overt negligence is not that uncommon amid IoT and smart home vendors," said Ilia Kolochenko, founder and CEO of ImmuniWeb. "Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs."

As a result, their business "may be ruined by private and class[-action] lawsuits, let alone penalties and fines imposed by regulatory authorities," Kolochenko explained, noting victims don’t really have recourse but should change any similar passwords immediately.

"Worse, many similar incidents never go to the media, ending up in the hands of cybercriminals," he added. "The more we entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies."

The researchers reported their findings to Orvibo, but did not hear back. Bleeping Computer cited the researchers as saying that "as long as the database remains open, the amount of data available continues to increase each day."

This article was originally published on SC Media US.