An open database belonging to smart device manufacturer Orvibo has been discovered by researchers from vpnMentor. The database contains over 2 billion log records which include information on everything from usernames, email addresses, and passwords, to precise locations and configuration settings of the Orvibo devices. Attempts to contact Orvibo, which is based in China, by the researchers have been unsuccessful as of July 1, and the database continues to be accessible and grow as new records are added.
Commentary: A blatant example of the dangers of IoT, especially when the company selling the product is unable to properly protect the information being collected. Looking at all of the information that is exposed in this database, I have to suspect that most users were probably unaware of all the information that was being collected from these products (over 100 different IoT products), as well as how it was being stored. In addition, the researchers discovered that the passwords, though hashed, were not salted and as a result were recoverable. For anyone wanting to physically rob companies and homes using these devices, this is a treasure trove of information.
To add additional irony to the incident, many of the IoT devices sold by Orvibo include security devices such as smart locks, security cameras and alarms.
Likely Threat(s): Nation-States?, Criminals?
Likely Motive(s): Espionage?, Sabotage?, Theft?
Likely Means: 2.1 Exploit weak/default endpoint credentials for access, 7.2 Break-in, 6.3 Inappropriate access to information
Opportunities: Secure Configurations, Data Subject Rights, Incident Response