Company that runs SmartMate, a platform to manage smart home appliances, involved in leak of over 2 billion records
A company that runs SmartMate, a platform to manage smart home appliances, has leaked over 2 billion logs of highly sensitive information via a publicly accessible database.
Orvibo’s database leak – which includes usernames, emails, passwords, family names, precise locations of IoT devices, and account reset codes – is a result of a misconfigured backend server that doesn’t require a password, as reported by ZDNet.
What’s worrisome is that the compromised data contains precise coordinates pinpointing the user’s exact location. Combined with other disclosed information, criminals can piece together identifiable data to further disrupt a user’s home. This could also lead to victims being followed, stalked, robbed, or spied on.
Perhaps the worst damage involves the company’s logging of passwords and account reset codes, which were hashed but not salted. Because an unsalted hash is the same for every user who chose the same input, the stored passwords could be recovered by cracking the hashes, then used to log in to an account without the user’s knowledge. Any malicious actor could hijack SmartMate accounts and take full control of the user’s smart devices virtually.
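To make the salting point concrete, here is an added example (not code from the article or from Orvibo’s systems) that contrasts a bare hash with a per-user salted PBKDF2 record; the user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same weak password.
USERS = {"alice": "sunshine1", "bob": "sunshine1"}
PBKDF2_ITERATIONS = 600_000  # iteration count for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """The weak scheme the article describes: a bare hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: bytes = b"") -> tuple:
    """Hardened scheme: a random per-user salt plus a slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Check a login attempt against a stored (salt, digest) pair in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _collisions(records: dict) -> list:
    """Group user names whose stored values are identical."""
    seen = {}
    for name, value in records.items():
        seen.setdefault(value, []).append(name)
    return [names for names in seen.values() if len(names) > 1]


def unsalted_collisions(users: dict) -> list:
    """Without a salt, equal passwords give equal hashes, so one cracked digest
    (or one precomputed table entry) exposes every account that used it."""
    return _collisions({name: unsalted_hash(pw) for name, pw in users.items()})


def salted_collisions(users: dict) -> list:
    """With a per-user salt, the same password yields unrelated stored digests."""
    return _collisions({name: salted_record(pw)[1] for name, pw in users.items()})


if __name__ == "__main__":
    print("unsalted collisions:", unsalted_collisions(USERS))  # [['alice', 'bob']]
    print("salted collisions:", salted_collisions(USERS))      # []
```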
Orvibo claims to have millions of users, including businesses and consumers. Researchers studied hacked accounts in China and saw some signs of the breach in Thailand, Japan, the U.S., the U.K., France, Mexico, Australia and Brazil.
The incident highlights how consumers willingly give up data in order to own affordable smart devices, and how crucial it is to secure them with a strong password. It also underscores the need to encourage vendors to adopt better security practices, as recommended by our latest research study with Stanford University.
“Vendors offering low-cost IoT devices and services haven’t made security a top priority,” commented Martin Hron, an Avast Security researcher who has worked extensively on IoT devices. “Backend cloud services – used to remotely manage IoT devices or collect statistics – suffer from weak or nonexistent security. The implications are serious because unauthorized access to cloud data usually exposes all of the users’ devices, no matter how secure the individual devices are. It’s a single point of security failure.”