2 Billion Records Exposed in Smart-Home Device Breach

July 3, 2019

Just how secure is that “smart” security camera or door lock? That is being called into question after reports of a massive data breach hitting the smart-home industry that could extend to smart locks, home security cameras, and full smart-home kits.

A database for devices manufactured by Orvibo, which runs an “internet of things” management platform, was left exposed to the internet without any password protection, security researchers with vpnMentor recently uncovered. The database includes more than 2 billion logs containing everything from user passwords to account reset codes and even conversations recorded by smart cameras, Forbes.com reports.

Orvibo manufactures about 100 different smart-home or smart-automation devices. The China-based company offers cloud security for smart-home devices; the firm says it supports more than a million users with its IoT devices. Its customers include private individuals with smart-home systems as well as hotels and other business customers.

Security researchers with vpnMentor say the exposed data is extensive, including email addresses, passwords, account reset codes, IP addresses, usernames, user IDs, family names, smart device types, scheduling information, and more. The vpnMentor report also says that logs were found from users all over the world, from the U.S. and Mexico to Australia, Japan, and China.

The reset codes may be the most sensitive of the exposed information should it fall into hackers’ hands, researchers warn. "These would be sent to a user to reset either their password or their email address," the report explains. "With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible."

Researchers say they do not yet know whether hackers were already aware of the exposure. But they say the company was first alerted to the issue on June 16. ZDNet reported this week that the database has remained accessible online without password protection.

"The best thing now for people affected is to make sure their smart-device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused," Jake Moore, a cybersecurity specialist at ESET, told Forbes.com. However, he cautions that hackers could be watching before any patch is installed. Customers "may as well pull the plug on the device until it is fixed," he says.