Skip to content
Naked Security Naked Security

IoT vendor Orvibo gives away treasure trove of user and device data

Researchers at web privacy review service vpnMentor discovered the data in an exposed ElasticSearch server online. It contains two billion items of log data from devices sold by Shenzen, China-based smart IoT device manufacturer Orvibo.

Two billion items of log data from devices sold by China-based smart IoT device manufacturer Orvibo was found by researchers at web privacy review service vpnMentor, who discovered the data in an exposed ElasticSearch server online.

Orvibo has been selling products for smart homes, businesses, and hotels since 2011, ranging from HVAC systems through to home security, energy management, and entertainment systems. The back-end database appears to have been logging system events from lots of them.

Researchers Noam Rotem and Ran Locar found logs from Orvibo devices in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, vpnMentor said in its report.

This data provides insights into the lives of Orvibo’s customers, creating potential security risks, it warned.

With over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.

The logs discovered by the vpnMentor team contained various pieces of personal information, including email addresses, usernames, user IDs, and passwords. Orvibo’s developers had not only used the no-longer-recomended MD5 but also failed to use a salt, which is a random string combined with the password that makes hashed passwords far more difficult to recover.

The log data also included codes required for users to reset their accounts. The company said:

With this code accessible in the data, you could easily lock a user out of their account, since you don’t need access to their email to reset the password.

The code enables people to reset their email addresses too, meaning that an attacker could deny a user any chance of regaining their passwords.

Other information in the open database included family names, IP addresses, and the precise geolocation codes of the devices generating the logs. The logs displayed this data as latitude and longitude coordinates, vpnMentor said, adding:

This also demonstrates that their products track location in their own right, rather than determining location based on an IP address.

The researchers warned that attackers could use the logged data to disrupt a person’s home. For example, they could take control of security cameras, turn off electrical sockets and light switches, and even control smart locks.

Orvibo ignored repeated attempts by both vpnMentor and journalists at ZDNet to notify it of the breach over several weeks. As of Monday, the database was still publicly accessible, ZDNet reported.

Elastic turned off remote access to the free version of its software by default, binding it only to local addresses. However, users can change that configuration, potentially exposing their data to everyone if they made those servers public-facing. Executives have denied responsibility for the many online data leaks, pointing instead to inexperienced users.

The company recently seems to have caved to user concern, making changes to the default, free version of its ElasticSearch database by introducing security features that users previously had to pay for. These included TLS for encrypted communications, and native authentication (meaning that there’s finally an easy way to put password protection on public-facing ElasticSearch servers out of the box).

Nevertheless, persuading users to update the software and then configure the new, free features will be slow. Expect to see a lot more exposed ElasticSearch records like these in the meantime.

3 Comments

I don’t see MD5 as particularly an issue with passwords, as the ability to generate a collision is really an issue with generating fake certificates. Of course if you don’t salt it then you’re in (lots of) trouble, but that’s an issue with any hash you could have used… it’s not like it’ll take much longer to encrypt a list of 550M+ common passwords with SHA2 vs MD5. Ditto for getting your pet Bot-net to make some Rainbow Tables…

You’re right that MD5’s known weaknesses do not relate to the issue that crooks might create an input with a a known output easily, but that they can create two inputs with the same output. That is, indeed, a weaker sort of weakness. But MD5’s weaknesses do weaken trust in the overall algorithm so much that you should avoid it.

I’ll reword that bit to avoid the implication that MD5 is the real problem here. As you say, unsalted one-loop hashes of almost any sort are a huge no-no. Because speed. Because lookup tables. Etc.

Thanks for your attention. VpnMentor & ZDnet had updated ORVIBO already secured the vulnerability on July 2nd. Please help update in related article.

ORVIBO attaches great importance to user data security and keeps improving info security system.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?