SoylentNews

Billions of Records Leaked by Smart Home Vendor

posted by Fnord666 on Tuesday July 02 2019, @01:22PM   
from the no-salt-added dept.

RandomFactor writes:

BleepingComputer reports that Chinese smart home vendor Orvibo has an unsecured database online that exposes over 2 billion logs detailing usernames, email address, passwords and more.

The disclosing research firm's report is available here.

vpnMentor's research team reached out to the vendor on June 16th, but did not receive a response and as of publication the database is apparently still online and the amount of data exposed is still increasing.

Exposed data includes:

• Email addresses
• Passwords
• Account reset codes
• Precise user geolocation
• IP addresses
• Username & UserID
• Family name & Family ID
• Device name & Device that accessed account
• Recorded conversations through Smart Camera
• Scheduling information

Passwords are hashed but without adding a salt, making them relatively easy to crack.

Possibilities for hackers are myriad, including completely locking users out of their own accounts and taking complete control of smart homes, accessing video feeds, unlocking doors and more.

---

Original Submission

• details? details? (Score: 1, Interesting) by Anonymous Coward on Tuesday July 02 2019, @02:16PM (4 children)

  by Anonymous Coward on Tuesday July 02 2019, @02:16PM (#862389)

  Random curiosity--

  Any idea how many customers it took to generate "over 2 billion logs"?
  Might not be that many customers, but hundreds or thousands of logs saved from each customer, every day??
  If this has been going on for ~3 years (1000 days), that suggests 2 million logs per day...

  Doesn't bother me, my house is dumb and happy. Just swapped the programmable thermostat (that was nearly impossible to program) for a non-programmable one. When we want air conditioning, we turn it on, simple.

  Starting Score:	0		points
  Moderation		+1
  Interesting=1, Total=1
  Extra 'Interesting' Modifier		0
  Total Score:		1

• Re:details? Re:details? (Score: 2) by EvilSS on Tuesday July 02 2019, @02:32PM (3 children)

  by EvilSS (1456) on Tuesday July 02 2019, @02:32PM (#862400)

  We really need to consider it on a per-device basis, since a customer can have more than one in their home. If they are logging every connection from every device, then yea, that's not an unreasonable amount. If every device checks in once a minute with the vendor servers (got to check for actions from users on their phones out of the home after all, or possibly even in the home depending on how the system is designed), that's 1,440 connections per device per day.

  Parent

  • Re:details? Re:details? (Score: 2, Interesting) by Anonymous Coward on Tuesday July 02 2019, @03:16PM (2 children)

    by Anonymous Coward on Tuesday July 02 2019, @03:16PM (#862412)

    One system I worked on a few billion logs would be a week or two of data for these sorts of devices. We had about 3-6 million devices at any one point in time going. Then each device would have a roll up record of hundreds of telemetry events. So a few billion is not even 'hard' to do. I could never get a clear answer why we kept that data though. *no one* actually looked at it.

    Parent

    • Re:details? (Score: 3, Insightful) by SomeGuy on Tuesday July 02 2019, @04:32PM

      by SomeGuy (5632) on Tuesday July 02 2019, @04:32PM (#862440)

      TL;DR version - The answer to the OP is: there are WAY TOO MANY idiots just handing over their data to these IoT assholes, and it needs to stop.

      Parent

    • Re:details? (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @08:07PM

      by Anonymous Coward on Tuesday July 02 2019, @08:07PM (#862509)

      *no one* actually looked at it.

      Except the eventual hackers. And maybe the feds.

      Parent