IoT vendor Orvibo gives away treasure trove of user and device data
Two billion items of log data from devices sold by China-based smart IoT device manufacturer Orvibo were found by researchers at web privacy review service vpnMentor, who discovered the data in an exposed Elasticsearch server online.
Orvibo has been selling products for smart homes, businesses, and hotels since 2011, ranging from HVAC systems through to home security, energy management, and entertainment systems. The back-end database appears to have been logging system events from lots of them.
Researchers Noam Rotem and Ran Locar found logs from Orvibo devices in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, vpnMentor said in its report.
This data provides insights into the lives of Orvibo’s customers, creating potential security risks, it warned.
With over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.
The logs discovered by the vpnMentor team contained various pieces of personal information, including email addresses, usernames, user IDs, and passwords. Orvibo's developers had protected the passwords with MD5, a fast general-purpose hash that is unsuitable for password storage, and had not salted them. A salt is a random string combined with each password before hashing; without one, identical passwords produce identical hashes, and an attacker can recover them with precomputed tables or a simple dictionary attack in which every candidate word is hashed once and compared against every user at the same time.
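The following is an added example and not code from vpnMentor's report or from Orvibo. It shows, on constructed user records and a constructed wordlist, why unsalted MD5 hashes fall to a dictionary attack and leak which users share a password, and it contrasts that with a per-user salted PBKDF2-HMAC-SHA256 scheme (one standard choice, assumed here, not anything Orvibo is known to use).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records, standing in for what a leaked log might hold.
# These are not Orvibo's data; the passwords are deliberately weak.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "password123",    # same password as alice
    "dave": "Xk9#vq2!Lr8pZ",   # not in any wordlist
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "welcome1"]


def md5_unsalted(password: str) -> str:
    """The weak scheme described above: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted hashes.

    With no salt, each candidate word is hashed exactly once and the result is
    looked up against every user's hash; cost does not grow with the user count.
    Returns {username: recovered_password} for every hash found in the table.
    """
    lookup = {md5_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def shared_password_groups(hashes: dict[str, str]) -> list[list[str]]:
    """Without a salt, equal hashes mean equal passwords, before cracking anything."""
    groups: dict[str, list[str]] = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# --- Hardened alternative: random per-user salt plus a slow key-derivation function.
PBKDF2_ITERATIONS = 600_000  # order of magnitude recommended for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = {user: md5_unsalted(pw) for user, pw in SAMPLE_USERS.items()}
    print("cracked from unsalted MD5:", crack_unsalted_md5(weak, WORDLIST))
    print("users sharing a password:", shared_password_groups(weak))
    a, b = hash_password("password123"), hash_password("password123")
    print("salted hashes of the same password differ:", a != b)
    print("verification still works:", verify_password("password123", a))
```

Run as a script and the dictionary attack recovers three of the four constructed accounts and pairs alice with carol without cracking anything; the salted PBKDF2 strings for the same password differ from each other, so neither a shared-hash lookup nor a precomputed table applies.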
The log data also included the codes issued to users for resetting their accounts. The report said:
With this code accessible in the data, you could easily lock a user out of their account, since you don’t need access to their email to reset the password.
The code enables people to reset their email addresses too, meaning that an attacker could deny a user any chance of regaining their passwords.