
posted by Fnord666 on Tuesday July 02 2019, @01:22PM   Printer-friendly
from the no-salt-added dept.

BleepingComputer reports that Chinese smart home vendor Orvibo has an unsecured database online that exposes over 2 billion logs detailing usernames, email addresses, passwords and more.

The disclosing research firm's report is available here.

vpnMentor's research team reached out to the vendor on June 16th but did not receive a response; as of publication the database is apparently still online and the amount of data exposed is still increasing.

Exposed data includes:

  • Email addresses
  • Passwords
  • Account reset codes
  • Precise user geolocation
  • IP addresses
  • Username & UserID
  • Family name & Family ID
  • Device name & Device that accessed account
  • Recorded conversations through Smart Camera
  • Scheduling information

Passwords are hashed but without adding a salt, making them relatively easy to crack.
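To make the salt point concrete, here is an added illustration (not code from the article, vpnMentor, or Orvibo) using constructed sample accounts. It shows why an unsalted hash is weak from a defender's side: two users who chose the same password end up with byte-identical stored hashes, so a single recovered password (or one precomputed table of common passwords) covers every user in that group. The same accounts hashed with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256) produce distinct values, and the `duplicate_hash_groups` check, which an operator could run over a credential store as an audit, finds nothing to cluster. The user names, passwords, and the `pbkdf2_sha256$iterations$salt$digest` storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for illustration only; not data from any breach.
# Two of the three users picked the same password, as happens in any real user base.
USERS = {
    "alice": "Summer2019!",
    "bob": "Summer2019!",
    "carol": "correct horse battery staple",
}


def unsalted_md5(password: str) -> str:
    """The weak scheme the article describes: one plain hash, no salt.
    Identical passwords always produce identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    The random salt is stored next to the digest; the storage string format
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is an assumption."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Produce a {username: stored_hash} table under either scheme."""
    if salted:
        return {user: hash_password(pw) for user, pw in users.items()}
    return {user: unsalted_md5(pw) for user, pw in users.items()}


def duplicate_hash_groups(store: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit check: group users whose stored hash is byte-identical.
    With unsalted hashes every group of size > 1 is a set of users sharing one
    password, so recovering one password exposes the whole group. With
    per-user salts this returns an empty dict even when passwords are reused."""
    groups: Dict[str, List[str]] = {}
    for user, h in store.items():
        groups.setdefault(h, []).append(user)
    return {h: members for h, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    weak = build_store(USERS, salted=False)
    strong = build_store(USERS, salted=True)
    print("unsalted duplicate groups:", duplicate_hash_groups(weak))
    print("salted duplicate groups:  ", duplicate_hash_groups(strong))
    print("alice login ok:", verify_password("Summer2019!", strong["alice"]))
```

Running the module prints one duplicate group for the unsalted table (alice and bob) and none for the salted one. The audit function is the part worth keeping: a credential store that shows many identical hashes is a direct sign that no salt is in use, which is exactly the condition the article flags.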

Possibilities for hackers are myriad, including completely locking users out of their own accounts and taking complete control of smart homes, accessing video feeds, unlocking doors and more.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 02 2019, @02:16PM (4 children)

    by Anonymous Coward on Tuesday July 02 2019, @02:16PM (#862389)

    Random curiosity--

    Any idea how many customers it took to generate "over 2 billion logs"?
    Might not be that many customers, but hundreds or thousands of logs saved from each customer, every day??
    If this has been going on for ~3 years (1000 days), that suggests 2 million logs per day...

    Doesn't bother me, my house is dumb and happy. Just swapped the programmable thermostat (that was nearly impossible to program) for a non-programmable one. When we want air conditioning, we turn it on, simple.

    • (Score: 2) by EvilSS on Tuesday July 02 2019, @02:32PM (3 children)

      by EvilSS (1456) Subscriber Badge on Tuesday July 02 2019, @02:32PM (#862400)
      We really need to consider it on a per-device basis, since a customer can have more than one in their home. If they are logging every connection from every device, then yea, that's not an unreasonable amount. If every device checks in once a minute with the vendor servers (got to check for actions from users on their phones out of the home after all, or possibly even in the home depending on how the system is designed), that's 1,440 connections per device per day.
      • (Score: 2, Interesting) by Anonymous Coward on Tuesday July 02 2019, @03:16PM (2 children)

        by Anonymous Coward on Tuesday July 02 2019, @03:16PM (#862412)

        One system I worked on a few billion logs would be a week or two of data for these sorts of devices. We had about 3-6 million devices at any one point in time going. Then each device would have a roll up record of hundreds of telemetry events. So a few billion is not even 'hard' to do. I could never get a clear answer why we kept that data though. *no one* actually looked at it.

        • (Score: 3, Insightful) by SomeGuy on Tuesday July 02 2019, @04:32PM

          by SomeGuy (5632) on Tuesday July 02 2019, @04:32PM (#862440)

          TL;DR version - The answer to the OP is: there are WAY TOO MANY idiots just handing over their data to these IoT assholes, and it needs to stop.

        • (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @08:07PM

          by Anonymous Coward on Tuesday July 02 2019, @08:07PM (#862509)

          *no one* actually looked at it.

          Except the eventual hackers. And maybe the feds.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday July 02 2019, @02:21PM (9 children)

    by Anonymous Coward on Tuesday July 02 2019, @02:21PM (#862391)

    We don't need more legislation. [securityweek.com] Just sue them [thomsonreuters.com] until data breaches stop.

    • (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @02:29PM (4 children)

      by Anonymous Coward on Tuesday July 02 2019, @02:29PM (#862397)

      Nice idea, but if I'm in USA and I sue a Chinese company I don't think there is any chance I'll ever see any kind of settlement. Thus, no lawyer will take this case on speculation?

      • (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @04:25PM (2 children)

        by Anonymous Coward on Tuesday July 02 2019, @04:25PM (#862438)

        Of course you sue the American reseller of the Chinese crap.

        • (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @04:45PM (1 child)

          by Anonymous Coward on Tuesday July 02 2019, @04:45PM (#862448)

          Nah, I'm too clever for that, I buy through eBay (or AliExpress etc), direct from a Chinese dealer.

          • (Score: 0) by Anonymous Coward on Tuesday July 02 2019, @05:08PM

            by Anonymous Coward on Tuesday July 02 2019, @05:08PM (#862456)

            How much did you save buying direct? Don't forget to add in the cost of losing your right to seek redress and your privacy.

      • (Score: 3, Touché) by PartTimeZombie on Tuesday July 02 2019, @10:59PM

        by PartTimeZombie (4827) on Tuesday July 02 2019, @10:59PM (#862566)

        ...but if I'm in USA and I sue a Chinese company...

        If you're in the US and you sue an American company that happens to be rich and determined, what chance do you think you will have to prevail?

    • (Score: 3, Insightful) by TheRaven on Tuesday July 02 2019, @03:48PM (1 child)

      by TheRaven (270) on Tuesday July 02 2019, @03:48PM (#862421) Journal
      So you sue a Chinese Internet of Crap vendor. They don't defend themselves and you get a summary judgement. They have no assets in the country you're in, so you manage to get the court to order an injunction that prevents them from bringing any of their products into your country. They go bankrupt, their factories, brand trademarks, and product designs are bought by another Chinese company that happens to have the same set of directors and shareholders and all of the employees move over. They sell a new version of the product. Who wins?
      --
      sudo mod me up
    • (Score: 2) by ikanreed on Tuesday July 02 2019, @03:59PM

      by ikanreed (3164) on Tuesday July 02 2019, @03:59PM (#862426) Journal

      Lol, like these shitty things don't come with a fucking EULA that says "Not fit for any purpose" that you have to agree to before you can heat or cool your house.

    • (Score: 4, Informative) by Thexalon on Tuesday July 02 2019, @04:25PM

      by Thexalon (636) Subscriber Badge on Tuesday July 02 2019, @04:25PM (#862437)

      Just sue them

      That sounds great in theory, but:
      1. If you're in the USA, in a lot of cases, you can't. If you actually read the EULA, you'll often see that there's a section requiring that any dispute go into binding arbitration where they get to pick the arbitrator, and bans you from filing a class action suit in the event that the company does something bad to millions of people. The Supreme Court has repeatedly upheld this all as completely legal, and made it so these rules actually trump state laws as well.

      2. If they have 10 million affected customers, and assets of, say, $100 million, guess what the limit is on what you're getting in damages?

      3. Even if you win, you still have to collect damages, and that's easier said than done. Sometimes the mechanism for getting paid involves things like showing up with the sheriff and starting to take things [npr.org].

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.