Having an Internet of Things (IoT) device in your home is the norm now. We have smart thermostats, smart speakers, smart TVs, and even smart cooking appliances. For some of these things, a missing password might seem harmless. After all, if someone changes the temperature on your crockpot and your food is ruined, you can just go out to dinner. What is more bothersome is that someone was poking around inside your home network to do it. And if your smart device is a security camera or a door lock, then passwords and two-factor authentication are mandatory. Apparently, Orvibo thinks otherwise. A server belonging to that company, holding billions of customer records, was left exposed to the Internet without so much as a password.
Though Orvibo is a Chinese company, if you think this only involves Chinese customers, you would be wrong. The data includes email addresses, passwords, account reset codes, usernames, user IDs, smart device names, geolocations, scheduling information, and more, in around 2 billion records belonging to customers all around the globe, including in the U.S.
Orvibo runs an IoT management platform that connects its smart home devices, and it advertises that platform as secure. Researchers reached out to the company about this major gaffe and received no response. More than a month after it was reported, the company still had not added passwords or otherwise protected the servers hosting the Elasticsearch database in question. Not only was the database unprotected, but so was Kibana, the web-based front end that makes browsing the data easier.
It is possible that the databases were misconfigured rather than purposely left open. This has been a recurring problem with other databases; MongoDB comes to mind. Like MongoDB, Elasticsearch historically listened with no authentication at all unless security was explicitly enabled, so binding it to a public address was enough to publish everything in it.
For companies that manage databases, be sure to configure them securely: require authentication, do not bind them to a public interface, and keep them behind a firewall. If you are not sure whether they are exposed, test them from outside your network. If you need assistance, call someone you trust who knows how to do this.
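One way to perform that test, as an added example that is not from the original article and not Orvibo's code: a small Python script that asks an Elasticsearch host (port 9200) and a Kibana host (port 5601) for endpoints that should require credentials and reports which ones answer anonymously. The ports are the stock defaults, the host address in the usage comment is hypothetical, and the fetch function is injectable so the logic can be exercised offline; it uses only the standard library.

```python
"""Probe an Elasticsearch or Kibana endpoint for unauthenticated access.

Added example; not code from the original article or from Orvibo.
Assumes the stock ports (9200 for Elasticsearch, 5601 for Kibana) and
uses only the Python standard library. Run it only against hosts you
are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request

# Real Elasticsearch / Kibana endpoints that hand an anonymous caller
# cluster or index details when security is off.
ES_PATHS = ["/", "/_cluster/health", "/_cat/indices?format=json"]
KIBANA_PATHS = ["/api/status"]


def http_get(url, timeout=5):
    """Return (status, body). HTTP errors become their status code and
    network failures become status 0, so callers never need to catch."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def classify(status):
    """Turn a status code into a verdict for one endpoint."""
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        return "open"
    return "other"


def index_summary(body):
    """Parse /_cat/indices?format=json into [(index, doc_count), ...].
    Returns None if the body is not the expected JSON array of objects."""
    try:
        rows = json.loads(body)
        return [(r.get("index"), r.get("docs.count")) for r in rows]
    except (ValueError, AttributeError, TypeError):
        return None


def check_endpoints(base_url, paths, fetch=http_get):
    """Fetch each path under base_url; return {path: (verdict, detail)}.
    `fetch` is injectable so the logic can be tested without a network."""
    base = base_url.rstrip("/")
    findings = {}
    for path in paths:
        status, body = fetch(base + path)
        verdict = classify(status)
        detail = None
        if verdict == "open" and path.startswith("/_cat/indices"):
            detail = index_summary(body)  # what an attacker sees first
        findings[path] = (verdict, detail)
    return findings


def is_exposed(findings):
    """True if any endpoint returned data with no credential challenge."""
    return any(verdict == "open" for verdict, _ in findings.values())


def main(argv):
    # Example: python exposure_check.py http://10.0.0.5
    # (hypothetical address; use a host you control)
    if len(argv) != 2:
        print("usage: exposure_check.py http://HOST", file=sys.stderr)
        return 2
    host = argv[1].rstrip("/")
    exit_code = 0
    for label, port, paths in (("elasticsearch", 9200, ES_PATHS),
                               ("kibana", 5601, KIBANA_PATHS)):
        findings = check_endpoints(f"{host}:{port}", paths)
        for path, (verdict, detail) in findings.items():
            line = f"{label} {path}: {verdict}"
            if detail:
                line += " indices=" + ", ".join(f"{n}({c} docs)" for n, c in detail)
            print(line)
        if is_exposed(findings):
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A 401 or 403 from every path means authentication is on; a 200 from /_cat/indices lists index names and document counts, which is exactly what an attacker enumerates first. Run it from a machine outside your own network, since a service bound only to a private interface will look closed from the inside but may still be reachable through a forwarded port or a cloud security group.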
For customers of the smart home products in question, change your Orvibo product passwords to something strong. Passwords should be unique to each device and website, contain upper- and lowercase letters, numbers, and special characters, and not be easy to guess or contain personal information such as your birthdate. Since passwords were among the exposed data, treat that password as compromised anywhere else you may have reused it and change it there too.
And if and when a patch is released, apply it right away. So far there is no news from the company at all, let alone whether it will issue a patch. But if it does, don't wait to get it applied.