Noam Rotem and Ran Locar, security researchers at VPNMENTOR, discovered a database leak at the Chinese smart home company Orvibo. More than two billion user log entries containing personal information were exposed by this breach.
About the company: – Orvibo is a Chinese company that sells smart solutions for managing energy and security systems, such as lighting, home entertainment devices and HVAC, in homes, offices and hotel rooms via a smart home cloud platform.
According to the company, Orvibo's products are used by over a million users in their homes and businesses. Its product line includes an Interaction Center, Smart Lighting System, Home Security System, Smart Curtain System (R+T System), Smart HVAC System, Energy Management System and Home Entertainment System.
“The Chinese company, based in Shenzen, manufactures 100 different smart home or smart automation products.” – the VPNMENTOR report says. Official website: here.
About the security incident: – According to the VPNMENTOR report published this week, the database contains more than two million user log entries; these logs include usernames, passwords, email addresses and location data. Users from China, Japan, Thailand, the United States, the United Kingdom, Mexico, France, Australia and Brazil have been affected by this major privacy breach.
The database belongs to the platform called SmartMate. An SCMagazine report says the customer data was leaked through an unprotected Elasticsearch cluster.
The report says: “We discovered this breach as part of our web-mapping project. Our team of cybersecurity experts examines ports looking for known IP blocks. Using these blocks, Noam and Ran can search for vulnerabilities in a web system. When the team does discover leaked data, they use their technical understanding to confirm who the database belongs to. After finding a leak, we contact the owner of the database to alert them to the vulnerabilities in the system. When possible, we will also contact those affected by the data breach. Our goal with this project is to promote a safe and secure internet for all users.”
The database logs included the following information: –
- Email addresses
- Passwords
- Account reset codes
- Precise geo-location
- IP addresses
- Usernames
- User IDs
- Family names
- Family IDs
- Smart devices
- Devices that accessed the account
- Scheduling information
According to the report, the database logs were written in a mix of Chinese and English. The researchers note an inconsistency in Orvibo's software: “Most of the logs were created entirely in English, which includes place names, as an example. However, we also found that several records had countries and cities recorded in Chinese, rather than English. There didn’t appear to be any consistency as to when Chinese was used versus English.”
At the time of the report, VPNMENTOR researchers said the database was still unsecured and unprotected, and that the amount of data in the archive continued to grow day by day.
The researchers say that because the database includes precise geo-location data, family names, usernames, passwords and reset codes, users are at risk of account takeover; all of this data together is enough to allow an account to be taken over. Someone could even lock a user out of their account: since the database contains the reset codes, there is no need to access the user's email account in order to reset the password.
“The code is available for those who want to reset either their email address or password. This means a bad actor could permanently lock a user out of their account by changing first the password and then the email address. Orvibo does make some effort into concealing the passwords, which are hashed using md5 without salt.” – the VPNMENTOR report says.
VPNMENTOR contacted Orvibo on June 16, 2019, via email, but did not receive any response. On July 2, 2019, the database was closed by Orvibo.
Impact of this security incident: –
- Bad actors could use this leaked data to target someone's home.
- Orvibo does hash its passwords, but according to the researchers the hashes are easy to crack because Orvibo does not add a salt. That means someone could easily break a hash to recover a user's password.
- Because the database contains account reset codes, it would be easy for a bad actor to lock someone out of their account.
- User accounts can be taken over by bad actors using the leaked data.
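As an added illustration of the unsalted MD5 point raised in the report and in the impact list above (example code written for this page, not code from VPNMENTOR or Orvibo), the following contrasts the scheme the researchers describe with a per-user salted, slow key-derivation scheme. Unsalted MD5 gives every user with the same password the same stored value, so duplicates are visible in a leaked dump and a single precomputed table covers all accounts; the salted scheme removes both properties. The credentials are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the leaked database); both share a password.
USERS = {"alice@example.com": "Summer2019", "bob@example.com": "Summer2019"}


def md5_unsalted(password: str) -> str:
    """The scheme the report describes: plain MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Hardened form: random 16-byte per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Stored as 'salt_hex$iterations$hash_hex' so the parameters travel with the record.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: dict) -> dict:
    """Group accounts whose stored value is identical.

    For unsalted MD5 an identical value means an identical password, which is
    exactly the cross-user linkage a defender wants to be impossible in a dump.
    """
    groups: dict = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    md5_db = {u: md5_unsalted(p) for u, p in USERS.items()}
    kdf_db = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("linkable accounts under unsalted MD5:", duplicate_hash_groups(md5_db))
    print("linkable accounts under salted PBKDF2:", duplicate_hash_groups(kdf_db))
```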