“Smart” security cameras and door locks are great for protecting your home, but they may not all they’re cracked up to be when it comes to protecting your privacy. A pair of “hacktivist” security researchers recently announced the user database associated with Chinese company Orvibo has been exposed to the internet without any password to protect it and, furthermore, that the database left wide open included more than 2 billion logs containing user passwords, account reset codes, and conversations recorded by smart cameras and other security devices.
Devices Affected by the Breach
Orvibo is the operating management platform for Internet of Things (IoT) devices commonly used in smart homes. Orvibo says it has more than 1 million users with multiple devices in their smart homes as well as a presence in hotels and businesses worldwide. The hacktivists found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom, and the United States. Those logs included, most dangerously, the team said, reset codes that would enable a malicious hacker to reset passwords on email addresses in a manner that would be largely irreversible. Once a hacker had locked out the real user, they could use that email to access bank information and financial resources.
“With the information that has leaked, it is clear there is nothing secure about these devices,” wrote the team. “Even having one of these devices installed could undermine, rather than enhance, your physical security.” Because many of the logs and records contained precise information about users’ geographic location, the leak is a threat to users’ physical security as well as their privacy. Orvibo has been selling products since 2011, and the flawed database contained records dating back from that time.
No Urgency from the Company
According to the report, it is not clear whether other hackers were aware of Orvibo’s vulnerability. However, the company was alerted to the issue on June 16, 2019, but left the databases open through the first week of July 2019. ZDNet reported that as of July 3, 2019, “Orvibo has secured the elastisearch cluster that leaked customer data.” Until that point in time, the server was freely accessible online.
Cybersecurity experts recommended anyone using an affected device change their smart-device passwords to “something long and complex” as well as changing any other accounts where they might have used the same or similar passwords. Jake Moore, a cybersecurity specialist, told Forbes.com, customers “may as well pull the plug on the device until it is fixed.”
Tell us what you think:
- Are smart devices worth the risk?
- Do you use Orvibo devices in your home or in rental properties?
- How do you think this issue should be handled?
Thank you for reading the Bryan Ellis Investing Letter!
Your comments and questions are welcomed below.