vpnMentor’s research team found a leak in Orvibo’s user database.
As long as the database remains open, the amount of data available continues to increase each day.
Orvibo claims to have around a million users.
These include private individuals who connected their homes, as well as hotels and other businesses with Orvibo smart home devices.
This constitutes a massive breach of privacy and security with far-reaching implications.
We expect that there are more users represented in the 2 billion plus logs.
We first contacted Orvibo via email on June 16.
They still have not responded, nor has the breach been closed.
Update: The Orvibo database has been closed as of July 2.
Examples of Entries in the Database
The amount of data available from Orvibo’s servers is enormous.
It’s also highly specific, which shows just how much data smart home devices can collect about their users.
According to the company, there are over a million users who have installed Orvibo products in their homes and businesses.
The Chinese company, based in Shenzhen, manufactures 100 different smart home or smart automation products.
In the first, we only have theemail address, IP address, and a reset code.
The code is available for those who want to reset either their email address or password.
Orvibo does make some effort to conceal the passwords, which are hashed using MD5 without a salt.
The above example is a small sample of the kind of geolocation data we have.
Orvibo keeps logs of precise longitude and latitude coordinates (spelled latotide in the data).
The precision of the coordinates can lead us to a user’s exact address.
This amount of data shows just how vulnerable a user can be should a hacker take advantage of this breach.
One of the products Orvibo offers is a smart mirror.
This includes technology to show the weather and display a schedule.
Here, we have a log for the schedule the user has set with a customized name.
“Winter week AM” gives us clear and precise information about the user’s calendar.
This is a data log that includes a large number of devices connected to a single account.
We can see a clear record of the user having one of Orvibo’s smart cameras.
Another machine is named “massage room.”
The massage room label also points towards this data likely belonging to a business.
Another Smart Camera log included a message that was recorded word for word.
That opens the possibility of a user revealing even more personal information through their account.
It’s important to note that not every single data log included every piece of personal information.
We found several inconsistencies within Orvibo’s software itself.
Most of the logs were created entirely in English, which includes place names, as an example.
However, we also found that several records had countries and cities recorded in Chinese, rather than English.
There didn’t appear to be any consistency as to when Chinese was used versus English.
Data Breach Impact
A breach of this size has massive implications.
Each gear in Orvibo’s product catalog can have a different negative effect on its users.
This is on top of having an abundance of identifying information about users.
Much of the data can be pieced together both to disrupt a person’s home and to enable further hacks.
Though our chosen password was hashed, it was easy to crack.
Salt works by adding a random string onto an existing password, which is then hashed.
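An added example (not code from the report or from Orvibo) showing why the unsalted MD5 scheme described above is weak and what the salted alternative looks like. The user records are constructed; the defender's check counts duplicate hashes, which only appear when no per-user salt is used.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample records (hypothetical, not from the leaked database).
# Two users happen to have chosen the same password.
USERS = {
    "alice@example.com": "Summer2019!",
    "bob@example.com": "Summer2019!",
    "carol@example.com": "correct horse battery staple",
}

def md5_unsalted(password: str) -> str:
    """The weak scheme the report describes: MD5 over the bare password.
    Shown for comparison only."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def duplicate_hash_count(hashes) -> int:
    """Defender's check: without a salt, equal passwords give equal hashes,
    so duplicates in a hash column reveal the missing salt and which
    users share a password. Returns the number of surplus duplicates."""
    return sum(n - 1 for n in Counter(hashes).values() if n > 1)

def hash_salted(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$hash_hex' so verification can recover both."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)

if __name__ == "__main__":
    weak = [md5_unsalted(p) for p in USERS.values()]
    strong = [hash_salted(p) for p in USERS.values()]
    print("duplicate unsalted hashes:", duplicate_hash_count(weak))    # 1
    print("duplicate salted hashes:  ", duplicate_hash_count(strong))  # 0
```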
Even with strong passwords, however, Orvibo’s database included a dangerous piece of information.
When examining their records, we found account reset codes in the data logs.
These would be sent to a user to reset either their password or their email address.
With that information readily accessible, a hacker could lock a user out of their account without needing their password.
Changing both a password and an email address could make the action irreversible.
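An added example (not code from the report or from Orvibo) of how a reset flow can avoid the exposure described above: the server keeps only a hash of each code, the code expires, it works once, and the audit log line carries no secret. The store, TTL and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store of pending resets keyed by account email.
# Only a SHA-256 digest of the code is kept; the code itself is delivered
# to the user once and never written to the database or to logs.
PENDING = {}
CODE_TTL_SECONDS = 15 * 60

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode("utf-8")).hexdigest()

def issue_reset_code(email: str, now: float = None) -> str:
    """Create a single-use, expiring reset code and store only its digest.
    Returns the plaintext code for delivery to the user's verified address."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)  # 192 bits from the OS CSPRNG
    PENDING[email] = {"digest": _digest(code), "expires": now + CODE_TTL_SECONDS}
    return code

def redeem_reset_code(email: str, code: str, now: float = None) -> bool:
    """Accept the code once, within its TTL, using a constant-time compare.
    Expired entries are dropped; a redeemed code cannot be replayed."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None or now > entry["expires"]:
        PENDING.pop(email, None)
        return False
    ok = hmac.compare_digest(_digest(code), entry["digest"])
    if ok:
        del PENDING[email]
    return ok

def log_line_for(email: str, event: str, now: float = None) -> str:
    """Audit record that deliberately contains no code or digest."""
    now = time.time() if now is None else now
    return f"{event} account={email} ts={int(now)}"
```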
Orvibo offers a wide range of solutions for connecting your home.
For plenty of people, this could be a dangerous situation.
Many smart homes use connected sockets like these to save energy on appliances they aren’t using.
The situation is similar for smart light switches.
Even turning these appliances off and on quickly can damage their electrical circuits and motors.
Orvibo isn’t just targeting individual homes, however.
They also have distinct profiles for offices and hotels.
Changing the electricity controls in an office building or a hotel will have a much more significant effect.
However, there areother devices whose poor security could have more severe consequences.
A number of the devices offered by Orvibo fall under the umbrella of “home security.”
They include smart locks, home security cameras, and full smart home kits.
With the information that has leaked, it’s clear that there is nothing secure about these devices.
Even having one of these devices installed could undermine, rather than enhance, your physical security.
The data that Orvibo’s devices are leaking goes even beyond the smart locks and security cameras.
Two other devices that Orvibo manufactures fall under the umbrella of Home Entertainment.
One unit is the Magic Cube Wifi Controller; another is the ZigBee controller.
Anyone could find themselves on the line for noise disturbances, even if they weren’t aware of the hack.
The impact changes and grows, however, when the victim is a business.
This is an increasing problem when it comes to what is called the Internet of Things.
This refers to all of the smart devices that communicate with one another via an internet connection.
The Internet of Things doesn’t just pose a security risk.
Using these blocks, Noam and Ran can search for vulnerabilities in a web system.
When possible, we will also contact those affected by the data breach.
Our goal with this project is to promote a safe and secure internet for all users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website.
We recently discovered a huge data breach impacting 78 thousand patients taking Vascepa.
Please share this report on Facebook or tweet it.