17/Jul/2019
A team of “hacktivist” security researchers has disclosed one of the biggest vulnerabilities within online databases to date. Noam Rotem and Ran Locar from vpnMentor, found that a user database belonging to China’s Orvibo had been left exposed to the Internet without any password to protect it. The database includes more than 2 billion logs containing everything from user passwords to account reset codes and even a “smart” camera recorded conversation.
About Orvibo
Based in Shenzhen, Orvibo operates a smart home device management platform. The company’s website boasts of a secure cloud providing a “reliable smart home cloud platform,” goes mentions how it “supports millions of IoT devices and guarantees the data safety.”
According to the vpnMentor report the list of data included in the breach is extensive and includes:
- Email addresses
- Passwords
- Account reset codes
- Precise geolocation
- IP address
- Username
- UserID
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
Of these, the most problematical are the password and password reset codes that are being logged. Even though these had not been encrypted, they had been “hashed”. Unlike encryption, which is a two-way function, hashing is a one-way thing that isn’t reversible.
Hashing turns a plaintext password into a unique hexadecimal string. Unfortunately, the MD5 algorithm used to hash these passwords isn’t considered particularly secure because it has been found to contain vulnerabilities. In the Orvibo incident the passwords and reset codes were hashed but not “salted”. Adding a unique value, or salt, to the end of every password before hashing produces a different hash value. This additional security layer is vital to protect against an attack that tries every known alphanumeric combination until the password is revealed.
What could attackers do with this data?
Orvibo claims to have more than a million users, including private individuals with smart home systems, hotels and other business customers. Orvibo manufactures around 100 different smart home or smart automation devices. The vpnMentor report states that it found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S.
According to the researchers, the reset codes were the most dangerous pieces of information found in the database. “These would be sent to a user to reset either their password or their email address,” the report explains, adding “with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.
“With the information that has leaked,” the report says, “it’s clear that there is nothing secure about (Orvibo manufactured security) devices. Even having one of these devices installed could undermine, rather than enhance, your physical security.”
Securing smart device data
“Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet,” says Jake Moore, a cybersecurity specialist at ESET who adds, “I’d hope it would be patched quite quickly now it is out.”
“The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused,” Moore advises. However, he also points out that if cyber-criminal gangs are already in and watching their every move before a patch is installed, “they may as well pull the plug on the device until it is fixed.”
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, concludes that beyond the obvious password changing, users of Orvibo devices have little recourse “but to file a legal complaint and deactivate any remote management of their homes if it is doable.”
An Orvibo spokesperson provided the following comment:
“Once we received this report on July 2, Orvibo’s RD team took immediate actions to resolve security vulnerability and informed the reporter. Orvibo attaches great importance to user data security and keeps improving information security systems.”
The Orvibo database in question has been closed as of July 2.
