More than 2 billion log entries have been exposed by an unsecured online database containing sensitive information, including the precise location of devices manufactured by Orvibo, a smart-home manufacturer.
Orvibo is a China-based technology company that manufactures more than 100 products and smart systems for homes, hotels, and offices, including remote home monitoring, alarm systems, and entertainment devices.
According to a report published by vpnMentor, its research team, led by Noam Rotem and Ran Locar, discovered an open database online containing sensitive information about Orvibo's customers. The database holds over 2 billion log entries recording everything from usernames, email addresses, and passwords to precise locations, and the researchers warn that it is still growing because it remains open.
Scope of impact
Researchers believe the breach affects users in several countries, including China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil; the company claims to have around a million users.
The team first contacted Orvibo on June 16, 2019, but the company has not responded to the report, and the database was still open at the time of writing.
“The amount of data available from Orvibo’s servers is enormous. It’s also highly specific, which shows just how much data smart home devices can collect about their users,” reads the report.
The data in the unsecured database includes email addresses, passwords, account reset codes, precise geolocation, IP addresses, usernames, user IDs, family names, family IDs, smart device identifiers, the device used to access the account, and scheduling information.
Among the disclosed information, the researchers are particularly concerned that the exact geolocation of each device is stored in the database: not merely a street address, but the longitude and latitude coordinates of the victims' homes.
“The precision of the coordinates can lead us to a user’s exact address. This also demonstrates that their products track location in their own right, rather than determining a location based on an IP address,” the report added.
To make matters worse, the database includes email addresses, user passwords, and reset keys, which would allow anyone holding a copy to lock legitimate users out of their accounts and take control of their devices remotely. The researchers note that the passwords are stored as unsalted MD5 hashes. MD5 is a hash, not encryption, so there is nothing to "decrypt"; but because MD5 is fast and no salt is used, common passwords can be recovered in seconds from a wordlist or a precomputed lookup table, and every account that chose the same password shares the same hash, so cracking one recovers them all.
Another risk is that users' schedules are also disclosed in the database, which would let ill-intentioned individuals learn the whereabouts and plans of victims, making it easier to follow and stalk them and putting them in harm's way.
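To make the hashing point concrete, here is an added Python example (written for this page, not code from vpnMentor or Orvibo) that builds a lookup table from a small constructed wordlist, reverses unsalted MD5 digests with it, detects password reuse directly from identical digests, and contrasts that with a salted PBKDF2-HMAC-SHA256 hash, where the same password never yields the same digest twice. All account names, passwords and digests below are constructed for illustration; none come from the leaked database.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for the large dictionaries crackers use.
# Nothing here is taken from the leaked database; every digest is computed locally.
TOY_WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def md5_hex(password):
    """Unsalted MD5, the scheme the report describes. Same input -> same output, always."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> plaintext once. With no salt, one table cracks every
    user in the dump, and it can be built before the dump is ever seen."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(digests, table):
    """Map each leaked digest to its plaintext if it is in the table, else None."""
    return {d: table.get(d.lower()) for d in digests}


def find_shared_passwords(user_to_digest):
    """Identical plaintexts give identical unsalted digests, so equal hashes
    expose password reuse across accounts without cracking anything."""
    groups = {}
    for user, digest in user_to_digest.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest).
    A fresh random salt per user defeats precomputed tables and hides reuse."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample "dump": three accounts, two of which share a weak password.
    dump = {
        "alice": md5_hex("123456"),
        "bob": md5_hex("123456"),
        "carol": md5_hex("Tr0ub4dor&3"),
    }
    table = build_lookup_table(TOY_WORDLIST)
    print("cracked:", crack_unsalted(dump.values(), table))
    print("reused passwords:", find_shared_passwords(dump))

    # Same password, two users: salted digests differ, yet each still verifies.
    s1, d1 = hash_password("123456")
    s2, d2 = hash_password("123456")
    print("salted digests differ:", d1 != d2)
    print("alice verifies:", verify_password("123456", s1, d1))
```

The practical takeaway is that the leak is worse than "hashed passwords" sounds: an attacker can crack the whole unsalted MD5 column with a single precomputed table, and can spot which accounts share a password before cracking anything. With a per-user salt and a slow hash, each digest has to be attacked separately and reuse is invisible in the dump.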
“One of the products Orvibo offers is a smart mirror. This includes technology to show the weather and display a schedule. Here, we have a log for the schedule the user has set with a customized name. ‘Winter week AM’ gives us clear, precise information about the user’s calendar.”
Furthermore, a Smart Camera log included messages that were not encrypted and can be read by anyone with a copy of the database. As these messages are typically exchanged between family members, they could reveal even more personal information than is already in the database.
“A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks,” the researchers say.
The discovery of the database underscores the risks of the rapidly growing “Internet of Things” (IoT), the researchers said. As the industry is relatively young, there are a plethora of security risks and vulnerabilities still to be patched to protect the people who use these devices and their data.