Unprotected Elasticsearch database exposes 2 billion user records from smart home devices

Security researchers Noam Rotem and Ran Locar from vpnMentor recently revealed in their report that Orvibo, a Shenzhen-based Chinese IoT management platform company, had exposed its user database online without any password protection.

The Elasticsearch database, which holds user data collected from smart home devices, contained ‘2 billion logs’ with everything from user passwords to account reset codes, as well as conversations recorded by a “smart” camera.

Sample of Orvibo leaked data

The leaked data included email addresses, passwords, precise geolocation, IP addresses, usernames, user IDs, family names and IDs, smart device details, the device used to access the account, scheduling information, and account reset codes. Of these, the passwords and password reset codes being written to the logs create the most serious problems. The passwords were not stored in plaintext but hashed using MD5. “Unfortunately, the MD5 algorithm used to hash these passwords isn’t considered particularly secure as it has been found to contain a whole bunch of vulnerabilities”.

“Orvibo does make some effort into concealing the passwords, which are hashed using MD5 without salt,” the vpnMentor team said.

However, unsalted MD5 hashes are cheap to crack: MD5 is fast, so billions of candidate passwords per second can be tested on commodity GPUs, and without a salt a single precomputed table covers every account in the dump, with users who chose the same password showing up with identical hashes. Anyone with access to this database could therefore hijack SmartMate accounts and possibly take control of the smart devices in a user’s SmartMate-controlled smart home.
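To make the point concrete, here is an added example (not code from the article, vpnMentor or Orvibo) of how an unsalted MD5 column is attacked and what the stored value should look like instead. The three user rows and the wordlist are constructed for illustration; the hardened half uses scrypt with a random per-user salt, one reasonable replacement among several.

```python
"""Why an unsalted MD5 password column is close to plaintext, and what the
stored value should look like instead. Added example, not Orvibo's code; the
rows below are constructed for illustration, not data from the leak."""
import hashlib
import hmac
import os

# Constructed "users" rows as they would appear in an unsalted-MD5 dump.
# alice and carol chose the same password, so their hashes are identical:
# the dump itself tells an attacker which accounts share a password.
LEAKED_ROWS = [
    ("alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob@example.com",   "e10adc3949ba59abbe56e057f20f883e"),
    ("carol@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

# Stand-in for the multi-gigabyte wordlists actually used.
WORDLIST = ["letmein", "password", "123456", "qwerty", "smarthome"]


def crack_unsalted_md5(rows, wordlist):
    """One MD5 per candidate word covers every account in the dump.

    With no salt the lookup table is built once and reused against all
    users (and against every other unsalted-MD5 dump); this, plus MD5's
    speed, is what makes such hashes cheap to crack. MD5's collision
    weaknesses are beside the point for password cracking."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in rows if h in table}


def hash_password(password, salt=None, n=2 ** 14):
    """Corrected storage: scrypt with a random per-user salt.
    Encoded as 'scrypt$n$salt_hex$key_hex' so the parameters travel with
    the hash and can be raised later without a migration."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return "scrypt$%d$%s$%s" % (n, salt.hex(), key.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/parameters and compare in constant time."""
    _, n, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    print(crack_unsalted_md5(LEAKED_ROWS, WORDLIST))
    a, c = hash_password("password"), hash_password("password")
    print(a != c, verify_password("password", a), verify_password("Password", a))
```

Running it recovers all three constructed passwords with five MD5 computations in total. The two scrypt hashes of the same password differ because of the salt, so a dump no longer reveals which accounts share a password, and each account has to be attacked separately at scrypt's cost rather than MD5's.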

The researchers said the reset codes were the most dangerous pieces of information found in the database. “These would be sent to a user to reset either their password or their email address,” the report explains, continuing “with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”
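The reset-code problem has the same shape as the password problem: the value sitting in the database (or the log index) was the secret itself. The following is an added example, not code from Orvibo or from the report, of how a service can issue reset codes so that a leaked row is useless, plus a small log scrubber for the path the article describes, where codes were being written to logs. The field names the scrubber looks for are assumptions for the example.

```python
"""Reset codes that are useless if the table (or a log line) leaks.
Added example, not Orvibo's code: only a SHA-256 digest of each code is kept,
codes expire, and each is consumed on first use, so reading the stored value
does not let an attacker reset the password or change the email address."""
import hashlib
import hmac
import re
import secrets
import time

CODE_TTL_SECONDS = 15 * 60


class ResetCodeStore:
    """user_id -> (sha256(code) hex, expiry timestamp). Nothing else is kept."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id):
        """Return the plaintext code for delivery to the user. It is returned
        once and never written anywhere; the store only sees its digest."""
        code = secrets.token_urlsafe(24)          # 192 bits of randomness
        self._pending[user_id] = (self._digest(code),
                                  self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, user_id, code):
        """True exactly once per issued code, and only before it expires."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(digest, self._digest(code)):
            return False                          # wrong code; keep waiting
        del self._pending[user_id]                # single use
        return True

    def stored_value(self, user_id):
        """What someone reading the backing table sees for this user."""
        return self._pending.get(user_id)


# Field names are constructed for the example; adapt to the app's own.
_SECRET_FIELD = re.compile(
    r'(?i)\b(password|reset_code|token)(["\']?\s*[:=]\s*["\']?)([^&"\'\s,}]+)')


def redact_secrets(log_line):
    """Scrub secret-looking fields before a request line or JSON body is
    indexed; logging the reset code is exactly what made the dump dangerous."""
    return _SECRET_FIELD.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]",
                             log_line)


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user-42")
    print("stored:", store.stored_value("user-42"))
    print("redeem once:", store.redeem("user-42", code))
    print("redeem again:", store.redeem("user-42", code))
    print(redact_secrets('POST /reset?user=42&reset_code=AbC123 HTTP/1.1'))
```

The store never holds anything that can be replayed: an attacker who reads the digest still has to guess a 192-bit code before it expires, and a real deployment would also rate-limit the wrong-code branch. Redaction belongs at the logging layer, before anything reaches an index like the one in this story, rather than being left to whoever later searches it.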

According to ZDNet, “The database was spotted in mid-June by the security team at vpnMentor, led by security researchers Noam Rotem and Ran Locar, who shared their findings with ZDNet last month and asked for help in notifying the vendor.”

Since then, both vpnMentor and ZDNet have contacted the Chinese company to let it know about the security issue; however, at the time those reports were published, Orvibo had not responded or taken any action.

Forbes notes that “the Orvibo website boasts of a secure cloud providing a ‘reliable smart home cloud platform,’ and goes on to mention how it ‘supports millions of IoT devices and guarantees the data safety.’”

Geoff Tudor, general manager of Vizion.ai, told Forbes that Elasticsearch breaches are becoming almost everyday occurrences. “When first installed, Elasticsearch’s API is completely open without any password protection,” Tudor says, adding, “all a hacker needs to do is to hit a URL with http://[serverIP]:9200 and a user can see if an Elasticsearch is operational. Then it takes a single command to search through the data stored in it…”
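The check Tudor describes is easy to automate for your own hosts. What follows is an added example, not code from the article or from any company named in it: a small Python probe that classifies an Elasticsearch endpoint as open, auth-required, unreachable or not Elasticsearch at all. So that it runs offline, it is exercised against an in-process stub that imitates an exposed cluster; the stub's cluster name, index names and document counts are constructed for the example.

```python
"""Probe an Elasticsearch endpoint for the unauthenticated-API condition the
article describes. A stub HTTP server standing in for an exposed cluster is
started in-process so the check runs offline; the responses it serves are
constructed for this example, not captured from any real system."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample responses in the shape Elasticsearch returns. The
# tagline is the fixed string every Elasticsearch version sends on GET /.
ROOT_BODY = {"name": "node-1", "cluster_name": "smarthome-logs",
             "version": {"number": "6.8.0"}, "tagline": "You Know, for Search"}
INDICES_BODY = [{"index": "user-logs-2019.06", "docs.count": "1800000000"},
                {"index": "device-events", "docs.count": "200000000"}]


def _make_handler(require_auth):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):      # keep the stub quiet
            pass

        def do_GET(self):
            if require_auth and not self.headers.get("Authorization"):
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="security"')
                self.end_headers()
                return
            if self.path == "/":
                body = ROOT_BODY
            elif self.path.startswith("/_cat/indices"):
                body = INDICES_BODY
            else:
                self.send_response(404)
                self.end_headers()
                return
            data = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Handler


def start_stub(require_auth=False):
    """Start a stub on a random localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def _get_json(url, timeout):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def probe_elasticsearch(base_url, timeout=3.0):
    """Classify an endpoint as unreachable / auth-required / open.

    'open' means GET / answered with the Elasticsearch tagline and
    GET /_cat/indices listed the indices without any credentials, i.e.
    anyone who can reach the port can read the data (and, on a default
    install, write and delete it too)."""
    result = {"status": "unreachable", "indices": []}
    try:
        root = _get_json(base_url + "/", timeout)
    except urllib.error.HTTPError as exc:
        result["status"] = "auth-required" if exc.code in (401, 403) \
            else "http-%d" % exc.code
        return result
    except (urllib.error.URLError, OSError):
        return result
    if root.get("tagline") != "You Know, for Search":
        result["status"] = "not-elasticsearch"
        return result
    indices = _get_json(base_url + "/_cat/indices?format=json", timeout)
    result["status"] = "open"
    result["indices"] = [i["index"] for i in indices]
    return result


if __name__ == "__main__":
    for auth in (False, True):
        srv, url = start_stub(require_auth=auth)
        print("auth required:", auth, "->", probe_elasticsearch(url))
        srv.shutdown()
```

Against a real host you would call probe_elasticsearch("http://host:9200"). An "open" result means the REST API answers without credentials; the fix is to bind the node to a private interface, require authentication (the built-in security features or a reverse proxy in front of it), and never expose port 9200 to the internet.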

Orvibo claims a large user base, including private individuals with smart home systems as well as hotels and other business customers. The vpnMentor report states that it found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom, and the U.S.

The report states, “With the information that has leaked, it’s clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security.”

How can users secure their data and be safe?

Jake Moore, a cybersecurity specialist at ESET said, “Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet. I’d hope it would be patched quite quickly now it is out.”

Moore further advises, “The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused.” He further pointed out that “they may as well pull the plug on the device until it is fixed.”

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said users can go a step further than changing their passwords and “file a legal complaint and deactivate any remote management of their homes if it is doable.”

Yesterday, Orvibo responded by saying that they had secured the database. They said, “Once we received this report on July 2nd, ORVIBO’s RD team took immediate actions to resolve security vulnerability”.

The company said it has taken the following steps to resolve the issue:

  1. Resolved security vulnerability.
  2. Upgraded encryption mechanism of password.
  3. Upgraded the protection on user accounts and password resetting.
  4. Strengthening cooperation with professional cybersecurity companies to improve our system security.

To know more about this news, read the complete vpnMentor report.

*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Savia Lobo. Read the original post at: