A Chinese IoT Company Exposes More Than 2 Billion Records in an Insecure Database

Several months ago, VPN review website vpnMentor gathered together a group of security researchers and organized a web-mapping project. The team is headed by Noam Rotem and Ran Locar, and their task is to scan blocks of IP addresses, look for data that's been exposed, and get in touch with the people responsible for it in order to resolve the issue. Unfortunately, it's fair to say that Rotem and Locar have been rather busy lately.

In March, for example, they found an unsecured MongoDB database that held personal information of over 5 million users of a caller ID mobile application. More recently, they discovered 264GB worth of data exposed by a Fortune 500 company in an Elasticsearch server that wasn't protected by a password. They have unearthed a few other data leaks, but the one they reported on July 1 could very well be the biggest one to date.

Orvibo leaks over 2 billion records

Once again, the leaked data was put on an Elasticsearch server that wasn't protected by any sort of password, but according to Forbes, this time, there was also a Kibana web-based application which made searching through the information quite a bit easier.

A quick investigation revealed that the server belonged to Orvibo – a Chinese IoT company that sells everything from automated curtain drawers through light bulbs controlled by mobile applications to smart locks. After examining the server, the experts realized that Orvibo's devices tend to gather quite a lot of information about their owners. There were over 2 billion records containing anything from IP and email addresses, usernames, and scheduling information to passwords, account reset codes, and precise geolocation coordinates.

It must be said that there's no correlation between the number of leaked records and the number of affected users, and the latter remains unknown for now. The data Rotem and Locar found belonged to individuals living all around the world, however, which, coupled with the fact that Orvibo boasts about having over a million customers, goes to show that the details of quite a few people were exposed. Despite this, the Chinese IoT company was in no particular hurry to shut down the database and secure users' information.

Orvibo took its time securing the leaked data

As we mentioned already, the goal of vpnMentor's web-mapping project is not only to find data that's been wrongfully exposed, but also to help the owners of the said data set the record straight. Sure enough, on June 16, immediately after realizing that the unsecured Elasticsearch installation belongs to Orvibo, Noam Rotem and Ran Locar tried to get in touch with the Chinese vendor. For the next two weeks, the researchers continuously emailed and tweeted the Chinese company, but unfortunately, all their attempts to get in touch reached a dead end.

On July 1, the researchers announced their findings publicly, and within 24 hours, the server was secured. It would appear that Orvibo is concerned about its customers' security only when its PR image is put at risk, which is really rather worrying considering the potential impact of the IoT data leak it caused.

The Orvibo leak was a disaster waiting to happen

The exposed data enabled a range of possible attack scenarios that is as wide as the range of devices Orvibo sells. The possibilities for jokesters, in particular, were more or less endless. Using the compromised data, they could log in to innocent users' accounts, turn the lights on and off, draw people's window curtains, turn on their TV in the middle of the night with the volume set at full blast, and a host of other relatively harmless pranks.

More motivated attackers could have done a lot more damage, though. As Rotem and Locar pointed out in their report, government intelligence agencies interested in a particular individual can get quite a lot of information from a database such as the one Orvibo exposed.

The IoT company's password storage practices could have also caused quite a lot of physical discomfort for some of its users. The fact that users' login credentials were put in an unprotected database wasn't the biggest issue. The biggest issue was that Orvibo had failed to follow some pretty basic security practices.

Users' passwords were hashed with MD5 which, as we mentioned not more than two weeks ago, is woefully outdated and not terribly secure at all. Worse still, the data wasn't protected with cryptographic salts which made reversing the hash even easier. With the recovered password, there was little to stop the attackers from taking full control over the victim's IoT gadget.

Recovering the password wasn't even necessary in many cases, though. The leaked database contained account reset codes which meant that hackers could reset an account's password without having access to the user's email. They could then change the email address associated with the account and leave the owner completely unable to access the device's control panel. Orvibo's own website brags about how its products (among which you have smart locks) are perfect for hotels which means that the number of people that could have been put in a very precarious situation is huge.

Homeowners using the Chinese company's locks were also put at risk. The easy account access coupled with the precise geolocation data Orvibo was exposing meant that burglars could break into people's houses with the help of a browser and a computer mouse instead of more traditional tools like crowbars and lock picks.

Orvibo is the next in a very long line of software and hardware vendors that have made what has undoubtedly become the most common configuration mistake. The potential consequences in this particular case were quite severe, yet the handling of the issue was not exactly perfect. The people running Orvibo might not realize it yet, but their inability to resolve the problem in a timely manner could land a massive blow to the PR image they're trying to defend so furiously.