Smart Home Device Provider Leaks Customer Information

Smart home management platform running on the ElasticSearch server has been leaking private data for billions of users. The publicly accessible server is owned by Orvibo, a Chinese smart home provider.

Obvibo offers its customers a platform, called SmartMate, for managing smart devices in their homes. They sell devices like security cameras, smart window curtain systems, smart lightbulbs, smart door locks, thermostats, HVAC systems, and smart power plugs. Obvibo users are located across the world including the US, Mexico, France, the UK, China, Brazil, Japan, Thailand, and Australia.

Further, the according to Obvibo’s website the company ‘guarantees the data safety’ of its customers. Further, they also claim to be ‘reliable’, however, security researchers at vpnMentor found otherwise. vpnMentor’s research teams first discovered that the ElasticSearch database was leaking private customer information mid-June. This customer data includes over 2 billion logs for usernames, passwords, email addresses, exact geolocation, account reset codes, scheduling information, recorded conversations, and more.

Access to email address, passwords, and account reset codes can give attackers complete control of users; smart devices. Additionally, access to smart door locks, geolocation, and daily schedule information raises risk of home thefts and more serious crimes.

At this time, the database is still open and is leaking information. vpnMentor’s research team has stated:

“as long as the database remains open, the amount of data available continues to increase each day”

The information stored in the database is hashed, but is left unsalted. Without salting hashed passwords, malicious actors can easily crack passwords. Salting creates a more complex string of characters making it more difficult to crack. Further, the database is hashed with MD5, this algorithm is no longer recommended because it can produce the same hash for different inputs; making it easy to crack. Further, anyone can go to google, search MD5 hash decrypt and input the hash value.

Further, the ElasticSearch servers are also vulnerable to attack and breaches are becoming a common occurrence. When ElasticSearch is first installed, the API is open and unprotected with passwords. However, ElasticSearch developer’s have begun offering free security features. They also encourage administrators to secure servers by encrypting all communications, using IP filters, and configuring passwords properly. Developers have stated on the free security features:

“This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces”

Since the discovery of the leak, both vpnMentor and ZDNet have contacted Orvibo. However, neither received any response from the company.

 

Contact LIFARS for security advisory solutions