[BreachExchange] Smart home maker leaks customer data, device passwords

Destry Winant destry at riskbasedsecurity.com
Tue Jul 2 10:04:43 EDT 2019


https://www.zdnet.com/article/smart-home-maker-leaks-customer-data-device-passwords/

A company that makes a smart home management platform is leaking data
about its customers and their device passwords via an ElasticSearch
server that it left exposed on the internet without a password.

The server belongs to Orvibo, a Chinese company based in the city of
Shenzen, which runs SmartMate, a platform for managing smart
appliances in a modern smart home.

The platform supports interconnecting and controlling various
Orvibo-made smart products, such as security cameras, smart
lightbulbs, thermostats, HVAC systems, home entertainment systems,
smart power plugs, smart window curtain systems, smart door locks, and
more.

SERVER LEAKING DATA FOR OVER TWO WEEKS

But the company appears to have misconfigured one of its backend
servers -- namely an ElasticSearch database where recent connection
logs would be aggregated -- which Orvibo left connected to the
Internet without a password.

The database was spotted in mid-June by the security team at
vpnMentor, led by security researchers Noam Rotem and Ran Locar, who
shared their findings with ZDNet last month and asked for help in
notifying the vendor.

Over the past two weeks, both vpnMentor and ZDNet have contacted the
Chinese company to let it know about its security snafu; however, at
the time of writing, Orvibo has failed to respond or take any action.

As the screenshot below shows, the leaky ElasticSearch server is still
freely accessible online, holding connection log data as recent as
July 1, 2019 (the date of this article's publication).

An associated Kibana installation running on the same server is also
available, without a password. Kibana is a web-based app for
navigating through an ElasticSearch server's data using a GUI instead
of the default text-based interface.

USER DATA AND DEVICE PASSWORD LEAKING

According to a vpnMentor report shared exclusively with ZDNet, in the
past two weeks, the database appears to have cycled through at least
two billion log entries, with each entry containing data about an
Orvibo SmartMate customer.

The data for each log entry varied depending on the operation it was
being logged, such as logins, password resets, device heartbeat
(regular check-in), logouts, and others.

Typical data that one can find in these logs included Orvibo
customers' email addresses, the IP addresses of the device checking
in, Orvibo usernames, and hashed passwords.

In some cases, there was also precise geolocation information, a
customer's family name, the device's name, and information about the
device's scheduled operations (such as turning lights on at specific
hours, or the home alert between specific intervals).

All the entries that ZDNet analyzed were in Chinese, but vpnMentor
researchers say they've also spotted log entries for users in Japan,
Thailand, the US, the UK, Mexico, France, Australia, and Brazil. Data
for customers in many other locations is most likely available,
although, we have not specifically looked for it to confirm.

But the most worrying fact is that the company is logging both
passwords and password reset codes.

"Orvibo does make some effort into concealing the passwords, which are
hashed using MD5 without salt," the vpnMentor team said.

However, saltless MD5 passwords are relatively easy to crack, which
means that anyone with access to this database could hijack SmartMate
accounts and possibly take control of a user's smart devices connected
to a user's SmartMate-controlled smart home.

Furthermore, even if the threat actor wouldn't be successful in
cracking the MD5 passwords, he can set up watch for new log entries
with password reset codes that are being added to the ElasticSearch
server, which he could also utilize to hijack Orvibo accounts.

"With this code accessible in the data, you could easily lock a user
out of their account, since you don't need access to their email to
reset the password," the vpnMentor team said.

"The code is available for those who want to reset either their email
address or password. This means a bad actor could permanently lock a
user out of their account by changing first the password and then the
email address."

Experts argue that access to people's smart home hub accounts would
allow them to spy on users, their schedule, or security video feeds.

Criminal groups could orchestrate robberies when homeowners are away,
or they could sabotage or play pranks on homeowners by spiking energy
usage by tampering with smart electric plugs, HVACs, or thermostats.

The scenarios for abuse are practically endless, and the Chinese
company needs to intervene as soon as possible to secure its server,
and indirectly, its customers' devices and private information.


More information about the BreachExchange mailing list