The Orvibo disaster: billions of customer data records leaked
In recent weeks there have again been numerous warnings about security risks in the IoT. The recently discovered Orvibo data leak puts most of them in the shade.
Recently, the new Silex malware attracted attention – it attacks potentially vulnerable IoT devices in a variety of ways, using exploits and users' convenience-oriented settings to gain access and then disable the devices.
Security researchers also found hair-raising vulnerabilities in smart home products from the Eastern European manufacturer Zipato. With little effort, key data can be read from the devices' communication with the cloud or the Internet, which in the worst case could give attackers root rights on the device.
However, attacks by Silex and hacks on Zipato devices require that potential attackers have a certain amount of technical expertise. In addition, the location and digital access routes must first be determined.
2 billion data records leaked
vpnMentor's expert cyber security team – led by Noam Rotem and Ran Locar – discovered an open database associated with Orvibo Smart Home products. The database contains over 2 billion logs, covering everything from usernames, email addresses and passwords to exact locations.
Orvibo claims to have over a million users or customers. These include individuals who have networked their homes – as well as hotels and other businesses with Orvibo Smart Home devices.
The leak is a massive invasion of privacy and security with far-reaching implications. The data breach affects users from around the world. vpnMentor further analyzed the database and found logs for users in China, Japan, Thailand, the United States, the United Kingdom, Mexico, France, Australia, Brazil and other countries. Customers in countries not on that list are affected as well.
vpnMentor first contacted Orvibo by e-mail on 16 June 2019 after finding the leak. Contrary to expectations, the provider did not react for several days. Orvibo also initially did not respond to a subsequent tip sent via Twitter. It was only on 02 July 2019 – more than 2 weeks after the publication of the leak – that the database could no longer be reached.
The company sells a portfolio of more than 100 products for energy and security technology, lighting, home entertainment and air conditioning. Orvibo products are used in homes, workplaces, hotels and restaurants.
Beyond the data already mentioned, the Orvibo database also contains a great deal of other customer information: e-mail addresses, passwords, users' geolocation, conversation data recorded by the cameras, user names and IDs, IP addresses, account reset codes and system names. Login data from the gadgets accessing the accounts, schedules, and household names and IDs were also stored in the database.
Orvibo violates the EU's General Data Protection Regulation (GDPR) to such an extent that legal action should not be long in coming. That is of little comfort, however, to the users affected, whose data may already have fallen into the hands of third parties as a result of the leak.
Anyone who has recently purchased a product from Orvibo or Zipato – or put an IoT device from another manufacturer into operation and is unsure whether the device is adequately protected – should take the simplest measures to increase security once again:
- Update the firmware of the devices.
- Secure all access/logins with new passwords.
- Deactivate unused accounts and access paths (e.g. guest accounts).
- Deactivate unused protocols (Telnet, FTP, …).
- Keep your operating system up to date.
- Use a virus and malware scanner.
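The "deactivate unused protocols" item is the one a home user can verify most easily: if a device still answers on the well-known Telnet or FTP port, that service is still switched on. The following Python script is an added example, not code from the original article or from any vendor named in it. It probes a device you own on your own network for the legacy cleartext services listed in the checklist and reports which ones should be disabled. The `192.168.1.50` address and the port-to-service table are assumptions (IANA default ports; a vendor may move services elsewhere), and the loopback demo at the end binds a throwaway listener so the script can be exercised without any real device.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Legacy services the checklist says to switch off when unused, keyed by
# their IANA default TCP port (assumption: the device uses default ports).
LEGACY_SERVICES: Dict[int, str] = {
    21: "FTP (credentials and files travel in cleartext)",
    23: "Telnet (remote shell in cleartext)",
    80: "HTTP (unencrypted web management interface)",
}


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unreachable: treat as "not listening".
        return False


def audit_open_ports(open_ports: Iterable[int],
                     services: Dict[int, str] = LEGACY_SERVICES) -> List[str]:
    """Map the ports observed open to the legacy services that should be disabled."""
    return [f"port {p}: {services[p]}" for p in sorted(set(open_ports)) if p in services]


def audit_device(host: str,
                 services: Dict[int, str] = LEGACY_SERVICES) -> List[str]:
    """Probe every port in `services` on `host` and return the findings to act on."""
    open_ports = [p for p in services if probe_tcp(host, p)]
    return audit_open_ports(open_ports, services)


def demo_against_local_listener() -> Tuple[List[str], List[str]]:
    """Self-contained demo: bind a throwaway listener on loopback and audit it.

    The listener stands in for an IoT device that still has Telnet enabled;
    its ephemeral port is labelled as Telnet for the demo only. Returns the
    findings while the listener is up and again after it has been closed.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    stand_in = {port: "Telnet (stand-in for the demo)"}
    try:
        while_up = audit_device("127.0.0.1", stand_in)
    finally:
        listener.close()
    after_close = audit_device("127.0.0.1", stand_in)
    return while_up, after_close


if __name__ == "__main__":
    # Replace with the address of a device you own on your own network (assumed value).
    for finding in audit_device("192.168.1.50"):
        print("disable:", finding)
    print(demo_against_local_listener())
```

Run it against a device's LAN address before and after applying the checklist; an empty result means none of the listed cleartext services answered. A device that needs HTTP for local management should at least be kept off the Internet-facing side of the router.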
It's also worth considering whether a device or service comes from a cheap, unknown vendor in the Far East – or whether investing in products and services from reputable vendors and manufacturers would be the better step.