Report: Orvibo Smart Home Devices Leak Billions of User Records
vpnMentor's research team found a leak in Orvibo's user database.
Our expert cybersecurity research team, led by Noam Rotem and Ran Locar, discovered an open database linked to Orvibo Smart Home products. The database includes over 2 billion logs that record everything from usernames, email addresses, and passwords, to precise locations. As long as the database remains open, the amount of data available continues to increase each day.
Orvibo claims to have around a million users. These include private individuals who connected their homes, as well as hotels and other businesses with Orvibo smart home devices.
This constitutes a massive breach of privacy and security with far-reaching implications. The data breach affects users from around the world. We found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. We expect that there are more users represented in the 2 billion plus logs.
We first contacted Orvibo via email on June 16. When we didn't receive a response after several days, we also tweeted the company to alert them to the breach. They still have not responded, nor has the breach been closed.
Update: The Orvibo database has been closed as of July 2.
Examples of Entries in the Database
The amount of data available from Orvibo's servers is enormous. It's also highly specific, which shows just how much data smart home devices can collect about their users. According to the company, there are over a million users who have installed Orvibo products in their homes and businesses.
The Chinese company, based in Shenzhen, manufactures 100 different smart home or smart automation products.
Data Included in the Breach
- Email addresses
- Account reset codes
- Precise geolocation
- IP address
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
In this first example, we can see that Orvibo is collecting a large amount of data about its users. In this case, not all of the data points are recorded; however, we have other examples that include very specific geo-data, chosen family names, usernames, passwords, and the reset codes that would allow for account takeover.
These data logs are for the same account, which we can verify with the matching email address and user ID number. In the first, we only have the email address, IP address, and a reset code. With this code accessible in the data, you could easily lock a user out of their account, since you don't need access to their email to reset the password.
The code is available for those who want to reset either their email address or password. This means a bad actor could permanently lock a user out of their account by changing first the password and then the email address. Orvibo does make some effort to conceal the passwords, which are hashed using MD5 without a salt.
The above example is a small sample of the kind of geolocation data we have. Orvibo keeps logs of precise longitude and latitude coordinates (spelled latotide in the data). The precision of the coordinates can lead us to a user's exact address. This also demonstrates that their products track location in their own right, rather than determining location based on an IP address.
In this entry from a user in Mexico, it shows exactly which device the user was connected to when the data was logged. According to the Orvibo website, HomeMate is a full smart home system that employs a full range of their products to connect your entire home. This amount of data shows just how vulnerable a user can be should a hacker take advantage of this breach.
One of the products Orvibo offers is a smart mirror. This includes technology to show the weather and display a schedule. Here, we have a log for the schedule the user has set with a customized name. "Winter week AM" gives us clear, precise information about the user's calendar.
This is a data log that includes a large number of devices connected to a single account. We can see a clear record of the user having one of Orvibo's smart cameras. Another device is named "massage room." Though not all of the device names tell us which device is where, it could help someone pinpoint a device hack if they wanted to do so.
The “massage room” label also points towards this data likely belonging to a business.
Another Smart Camera log included a message that was recorded word for word. That opens the possibility of a user revealing even more personal information through their account.
It's important to note that not every single data log included every type of personal information. However, even with over 2 billion records to search through, there was enough information to put together several threads and create a full picture of a user's identity.
We found several inconsistencies within Orvibo's software itself. Most of the logs were created entirely in English, which includes place names, as an example. However, we also found that several records had countries and cities recorded in Chinese, rather than English. There didn't appear to be any consistency as to when Chinese was used versus English.
Data Breach Impact
A breach of this size has massive implications. Each device in Orvibo's product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together to disrupt a person's home and possibly lead to further hacks.
Though Orvibo does hash its passwords, we tested the security ourselves to see how easy it was to discover the real password. In some cases, we uncovered our own password, but in others, we couldn't break the hash. In order to test this, we created our own account, then searched for our email address to see what account information was accessible. Though our chosen password was hashed, it was easy to crack.
If Orvibo had added a salt to their hashed passwords, it would have created a more complex string that is far more difficult to crack. Salting works by adding a random string to each password before it is hashed, so two users with the same password no longer produce the same hash and precomputed lookup tables cannot be reused against the whole database. Since the salt is unknown to an attacker working from the hash alone, it also becomes very difficult to determine which piece of the hashed input is the genuine password and which piece was the added string.
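To make the difference concrete, here is an added illustration (not Orvibo's code, and not part of the original report) of the two storage schemes the report contrasts: unsalted MD5, as described for the leaked records, beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record. The two accounts and their shared weak password are constructed for the demo.

```python
"""Unsalted MD5 versus salted, iterated password hashing.

Added example for the Orvibo report; this is not Orvibo's code. The user
accounts and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Optional

# Scheme 1: unsalted MD5, as the report describes the leaked records.
# Every deployment on earth produces the same digest for the same password,
# so a single precomputed table cracks all of them at once.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Scheme 2: per-user random salt plus a slow, iterated hash.
# Record format is "iterations$salt_hex$digest_hex" so it can be verified later.
PBKDF2_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    if salt is None:
        salt = os.urandom(16)  # a fresh 128-bit salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    iterations_s, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations_s))
    # constant-time comparison so verification timing leaks nothing
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo() -> dict:
    # Constructed sample: two users who happen to choose the same weak password.
    users = {"alice@example.com": "summer2019", "bob@example.com": "summer2019"}
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # identical digests betray that both users share a password
        "unsalted_identical": unsalted["alice@example.com"] == unsalted["bob@example.com"],
        # salted records differ even though the passwords are the same
        "salted_identical": salted["alice@example.com"] == salted["bob@example.com"],
        "verify_ok": verify_password("summer2019", salted["alice@example.com"]),
        "verify_wrong": verify_password("Summer2019", salted["alice@example.com"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the salt shows up in the first two results: with unsalted MD5 the leaked table itself reveals which users share a password, and one cracked entry unlocks every account using it; with a per-user salt each record has to be attacked on its own, and the iteration count makes each attempt expensive. A dedicated password hash (bcrypt, scrypt or Argon2) is preferable in practice; PBKDF2 is used here only because it ships in the standard library.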
This highlights why it's so important to choose strong passwords, especially when they're connected to devices with uncertain levels of security.
Even with strong passwords, however, Orvibo's database included a dangerous piece of information. When examining their records, we found account reset codes in the data logs. These would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.
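The reset codes the report found in the logs were usable as-is. As an added example (not Orvibo's code, and not part of the original report), the store below shows how a reset flow can be built so that a leaked database or log line exposes nothing redeemable: only a SHA-256 fingerprint of the code is kept, codes expire after a short window, and each one works once. The class and method names, and the in-memory dict standing in for a database, are this example's own.

```python
"""Password-reset codes that are worthless if the database or its logs leak.

Added example for the Orvibo report; not Orvibo's code. An in-memory dict
stands in for the real account store.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # codes expire after 15 minutes


class ResetCodeStore:
    def __init__(self) -> None:
        # user -> (sha256 hex of the code, expiry time as a UNIX timestamp).
        # The raw code is never stored, never logged.
        self._pending: dict = {}

    @staticmethod
    def _fingerprint(code: str) -> str:
        # Codes are 192-bit random tokens, so a plain SHA-256 fingerprint is
        # enough: the fingerprint cannot be reversed or brute-forced to the code.
        # (Short numeric codes would need a keyed hash plus rate limiting.)
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)  # high-entropy, not guessable
        self._pending[user] = (self._fingerprint(code), now + RESET_TTL_SECONDS)
        return code  # delivered only over the user's verified channel

    def redeem(self, user: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        fingerprint, expires = entry
        if now > expires:
            del self._pending[user]  # expired codes are discarded
            return False
        if not hmac.compare_digest(fingerprint, self._fingerprint(code)):
            return False  # wrong code; the pending entry stays for the real one
        del self._pending[user]  # single use
        return True

    def stored_record(self, user: str) -> Optional[Tuple[str, float]]:
        # What an attacker would see in a leaked copy of the store.
        return self._pending.get(user)


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("user@example.com")  # constructed sample account
    leaked, _ = store.stored_record("user@example.com")
    print("leaked record usable as code:", store.redeem("user@example.com", leaked))
    print("real code redeems once:", store.redeem("user@example.com", code))
    print("replay works:", store.redeem("user@example.com", code))
```

Run with the leaked fingerprint in place of the code, `redeem` fails; the genuine code works exactly once and then is gone. Changing the email address should additionally require confirmation from the old address, so that a code alone can never complete the two-step lockout the report describes.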
Orvibo offers a wide range of solutions for connecting your home. They do not include smart appliances in their lineup yet, but there's still a lot of damage that can be done via the products they do have on the market.
Even a smart socket, for example, can be hacked to change the level of a user's energy consumption without their knowledge. Another scenario involves cutting power via smart plugs, which could potentially plunge a user into darkness at a time when they needed good lighting. For plenty of people, this could be a dangerous situation. If it occurred at a place of business, on the other hand, such an event would also likely lead to lost revenue.
Many smart homes use connected sockets like these to save energy on appliances they aren't using. If someone were to change the settings of a socket without the user's knowledge, it could lead to a situation where a major appliance, such as an oven, would turn on and heat up unattended.
The situation is similar for smart light switches. While having lights left on unnecessarily might not be a disaster, it could increase energy consumption in a subtle but impactful way. Because the change wouldn't be drastic, it could also make it more challenging to catch. For a more drastic change, one could take over the HVAC system, which consumes significantly more energy than lights or motorized curtains. Even turning these appliances off and on quickly can damage their electrical circuits and break their motors.
Orvibo isn't just targeting individual homes, however. They also have distinct profiles for offices and hotels. Changing the electricity settings in an office building or a hotel will have a much more significant effect. This could quickly eat into a smaller company's profits while making it difficult to figure out why their costs are so high.
However, there are other devices whose poor security could have more severe consequences. A number of the devices offered by Orvibo fall under the umbrella of "home security." They include smart locks, home security cameras, and full smart home kits. With the information that has leaked, it's clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security.
There's enough information leaked from the database that it makes taking over a user's account a simple enough task. A malicious actor could easily access the video feed from one of Orvibo's smart cameras by entering into another user's account with the credentials found in the database. At the same time, it would be easy to unlock a door from the same account. With precise geolocation, this simplifies home break-ins, an event smart homes are supposed to help protect against.
The data that Orvibo's devices are leaking goes even beyond the smart locks and security cameras. One of their other devices is a smart mirror, which includes built-in weather displays as well as a calendar. As we saw in the data above, some users had very detailed information about their schedules recorded through the smart mirror. Should someone want to follow a user outside of their home, they could find the information they need to do so by combing the scheduling data in the database. We can view the schedule name as well as time records, which include the week, day, and time, down to the second.
Two other devices that Orvibo manufactures fall under the umbrella of Home Entertainment. One device is the Magic Cube Wifi Controller; another is the ZigBee controller. At its most basic level, a hacker could take control of these devices to ruin a user's TV or movie experience. However, with easy control of the TV, a hacker could turn it on and raise the volume at an inconvenient time. Anyone could find themselves liable for noise disturbances, even if they weren't aware of the hack. The impact changes and grows, however, when the victim is a business.
Hackers could easily take the whole network offline with a fully connected set of these smart home items. This would result in a direct loss of revenue coupled with a loss of customer trust. When an entire building or dwelling relies on connected technology for security, an outage can stop the whole operation.
This is an increasing problem when it comes to what is called the Internet of Things. This refers to all of the smart devices that communicate with one another via an internet connection. As an industry that's still relatively young, however, there are a lot of security issues that need to be addressed by manufacturers while they still can.
The Internet of Things doesn't just pose a security risk. While anyone's virtual accounts can be threatened by a data leak that links their email, passwords, and location, it also undermines their privacy. Many users may not be as concerned about government surveillance, but for those who are, databases like Orvibo's can paint a detailed picture of a user's life.
Advice from the Experts
There are several security measures that Orvibo could have taken that would have helped prevent this breach. Below, you can find a few essential tips that can help you prevent or patch a vulnerable database.
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
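The third tip is the one that most often turns a misconfiguration into a public leak, and it is cheap to check. Below is an added example (ours, not Orvibo's or vpnMentor's) that goes slightly beyond the text: it reads `ss -ltn` style listening-socket output and flags any well-known datastore port bound to a wildcard address, i.e. reachable from every interface rather than only from localhost. The sample output is constructed, and the port-to-name table is this example's own selection of common datastores.

```python
"""Flag datastores listening on all interfaces in `ss -ltn` output.

Added example for the Orvibo report; not the report's or Orvibo's code.
The sample output below is constructed; the port table lists common
datastores and is not tied to any particular deployment.
"""
from typing import List, Tuple

# Well-known default ports of datastores that frequently ship without
# authentication enabled. Binding these to 0.0.0.0 or [::] on an
# internet-facing host is exactly the exposure the advice above warns about.
DATASTORE_PORTS = {
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch REST",
    11211: "memcached",
    27017: "MongoDB",
}

# Local-address forms ss prints for "every interface".
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "*", "::"}

# Constructed sample of `ss -ltn` output: one loopback-only database, two
# wildcard-bound datastores, and SSH (not a datastore, so not reported).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      128    [::]:27017          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def split_host_port(addr: str) -> Tuple[str, int]:
    # rpartition handles "[::]:27017" and "0.0.0.0:9200" alike.
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_exposed_datastores(ss_output: str) -> List[Tuple[str, str]]:
    """Return (local address, datastore name) for wildcard-bound datastore ports."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_host_port(fields[3])
        if host in WILDCARD_HOSTS and port in DATASTORE_PORTS:
            findings.append((fields[3], DATASTORE_PORTS[port]))
    return findings


if __name__ == "__main__":
    for addr, name in find_exposed_datastores(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {name} listening on {addr}")
```

A wildcard bind is not by itself a breach; the finding means "verify that this service requires authentication and that a firewall or security group restricts the port", which is the check the first two tips ask for. On a live host, feed the function the real output of `ss -ltn`.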
For a more in-depth guide on how to protect your business, check out how to secure your website and online database from hackers.
How We Discovered the Breach
We discovered this breach as part of our web-mapping project. Our team of cybersecurity experts examines ports looking for known IP blocks. Using these blocks, Noam and Ran can search for vulnerabilities in a web system. When the team does discover leaked data, they use their technical understanding to confirm who the database belongs to.
After finding a leak, we contact the owner of the database to alert them to the vulnerabilities in the system. When possible, we will also contact those affected by the data breach. Our goal with this project is to promote a safe and secure internet for all users.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 78 thousand patients taking Vascepa. We also revealed that xSocialMedia suffered a widespread data breach. You may also want to read our VPN Leak Report and Data Privacy Stats Report.