VPN review site vpnMentor has discovered that China-based smart home IoT device manufacturer Orvibo had an openly accessible database containing detailed information on over one million customers.
In a blog post, vpnMentor said the database includes over two billion logs that “record everything from usernames, email addresses, and passwords, to precise locations” from users around the world and “constitutes a massive breach of privacy and security with far-reaching implications.”
It found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, and listed the data available as:
- Email addresses
- Passwords
- Account reset codes
- Precise geolocation
- IP address
- Username
- UserID
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
Although not every data log included every type of personal information, vpnMentor said, “even with over two billion records to search through, there was enough information to put together several threads and create a full picture of a user’s identity.”
Also, it said the data would enable devices to be compromised to disrupt a person’s home and possibly enable further hacks.
“Though Orvibo does hash its passwords, we tested the security ourselves to see how easy it was to discover the real password. In some cases, we uncovered our own password, but in others, we couldn’t break the hash.
“In order to test this, we created our own account, then searched for our email address to see what account information was accessible. Though our chosen password was hashed, it was easy to crack.”
Personal security at risk
Furthermore, vpnMentor said: “There’s enough information leaked from the database that it makes taking over a user’s account a simple enough task. A malicious actor could easily access the video feed from one of Orvibo’s smart cameras by entering into another user’s account with the credentials found in the database.
“At the same time, it would be easy to unlock a door from the same account. With precise geolocation, this simplifies home break-ins, an event smart homes are supposed to help protect against.”
vpnMentor contacted Orvibo initially on 16 June but received no response. After several attempts using various channels, Orvibo shut down the database on 2 July, but had not responded directly to vpnMentor.
Orvibo manufactures more than 100 smart home devices. According to its website: “With strength on IoT, AI and cloud computing technologies, Orvibo provides more secure, energy-saving & comfortable smart home solutions for customers worldwide.”
Orvibo’s Aus website fail
Orvibo has an office in Australia, in Strathfield, NSW, and an Australian website. However, the site is of little help to anyone wanting to buy an Orvibo product. It does not list any resellers, and although it shows images of numerous Orvibo smart home products with the legend “learn more”, none of these contained an active link.