ORVIBO, a Chinese manufacturer of smart home devices, left an unprotected Elasticsearch database accessible online through a web interface with no authentication. The database contained more than 2 billion user records representing more than a million users of ORVIBO smart home devices worldwide.
The database was secured after having been accessible for two weeks. The exposure was discovered by a research team working for vpnMentor, who state that the manufacturer had not responded to warnings sent since mid-June.
The ORVIBO database contained critical user data:
- Email addresses and passwords hashed with MD5 and no salt: this weak, fast hashing scheme makes it easy for an attacker to recover user passwords.
- Account reset codes: These codes make it possible for a malicious party to change the owner’s login data, taking over the device and locking the owner out of it. This could lead to major privacy breaches, for example in the case of smart home cameras.
- Geolocation data, IP addresses, family names: This information would be precious for a burglar who would be able to, for example, hijack the security camera and turn off the power using a smart switch.
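The first bullet above is worth seeing concretely. The following added example (not code from the article or from ORVIBO) uses constructed sample accounts to show why unsalted MD5 is a weak password store: two users with the same password get the identical hash, so one recovered password unlocks every account in the group and a precomputed table works against the whole database. It then shows the defensive alternative, a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption, chosen to match current OWASP guidance) and a constant-time verifier.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts; not data from the ORVIBO database.
SAMPLE_USERS = {
    "alice@example.com": "Summer2019",
    "bob@example.com": "Summer2019",
    "carol@example.com": "hunter2",
}


def md5_unsalted(password: str) -> str:
    """The scheme the article describes: plain MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def collisions(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose stored hash is identical.

    With unsalted hashing, identical passwords yield identical hashes, so a
    single recovered password (or one precomputed table) unlocks every
    account in the group. With per-user salts this function finds nothing.
    """
    groups: Dict[str, List[str]] = {}
    for email, stored in records.items():
        groups.setdefault(stored, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


# Assumption: iteration count following current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. The salt is random per user and stored alongside the digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def weak_store(users: Dict[str, str]) -> Dict[str, str]:
    """Password database as the article describes it: email -> unsalted MD5."""
    return {email: md5_unsalted(pw) for email, pw in users.items()}


def hardened_store(users: Dict[str, str]) -> Dict[str, str]:
    """Password database with per-user salt and PBKDF2."""
    return {email: hash_password(pw) for email, pw in users.items()}


if __name__ == "__main__":
    weak = weak_store(SAMPLE_USERS)
    print("Accounts sharing a hash under unsalted MD5:", collisions(weak))
    strong = hardened_store(SAMPLE_USERS)
    print("Accounts sharing a hash under salted PBKDF2:", collisions(strong))
    print("Verify alice:", verify_password("Summer2019", strong["alice@example.com"]))
```

The collision check is also a useful audit: running it over an existing password table and finding groups of identical hashes is a strong sign that the store is unsalted and needs migration (rehash on next successful login).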
According to additional information from ZDNet, the database was exposed through the default Elasticsearch HTTP interface (port 9200), so it was trivial to find. Note that the Acunetix web vulnerability scanner has checked for exposed Elasticsearch services since 2014, so the manufacturer could easily have found this exposure itself.
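An administrator can run the same kind of check on their own hosts before a scanner or a researcher does. The following added example (not code from the article, ZDNet or Acunetix) classifies the answer an Elasticsearch root endpoint gives to an unauthenticated GET: a 200 response carrying cluster metadata means the cluster is open to anyone who can reach the port, a 401 means authentication is enforced. The sample responses are constructed for offline use; the `audit_own_host` helper is an assumption about how one would wire the classifier to a live host one administers.

```python
import json
import urllib.error
import urllib.request
from typing import Tuple


def classify_es_response(status: int, body: bytes) -> str:
    """Classify the reply to an unauthenticated GET / on an Elasticsearch port.

    Returns one of:
      unauthenticated_elasticsearch - cluster metadata served without credentials
      auth_required                 - the cluster demands authentication (the desired state)
      forbidden                     - reachable but access denied by policy
      not_elasticsearch             - something else answered on that port
      other                         - any other status
    """
    if status == 401:
        return "auth_required"
    if status == 403:
        return "forbidden"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not_elasticsearch"
        # The root document of an open cluster names the cluster and its version.
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "unauthenticated_elasticsearch"
        return "not_elasticsearch"
    return "other"


def audit_own_host(host: str, port: int = 9200, timeout: float = 5.0) -> str:
    """Probe one host you administer and classify the result.

    Assumption: plain HTTP on the default port, as in the article's case.
    """
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_es_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_es_response(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real cluster).
SAMPLE_OPEN: Tuple[int, bytes] = (
    200,
    b'{"name":"node-1","cluster_name":"sample-cluster","version":{"number":"0.0.0-sample"}}',
)
SAMPLE_SECURED: Tuple[int, bytes] = (
    401,
    b'{"error":{"type":"security_exception","reason":"missing authentication credentials"}}',
)
SAMPLE_NOT_ES: Tuple[int, bytes] = (200, b"<html><body>It works</body></html>")


if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("secured", SAMPLE_SECURED), ("other", SAMPLE_NOT_ES)):
        print(label, "->", classify_es_response(*sample))
```

A result of `unauthenticated_elasticsearch` on a host reachable from the internet is the condition described in this article; the fix is to bind the node to a private interface, put it behind a firewall or an authenticating proxy, and enable the cluster's own authentication rather than relying on the port being hard to guess.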
On July 3, ORVIBO published a confirmation and an apology on Twitter, stating that the vulnerability was eliminated as soon as it was reported. This is inconsistent with the account of vpnMentor, who say they had tried to contact ORVIBO privately since June 16 and even tweeted at the company before publishing full disclosure. ZDNet also states that its journalists had been trying to contact the manufacturer for two weeks to no avail. At the time of writing, ORVIBO had not notified the affected users directly and had not published any information on how it intends to prevent the leaked data from affecting its customers.