A company that makes a smart home management platform is leaking data about its customers and their device passwords via an Elasticsearch server that it left exposed on the internet without a password.
The server belongs to Orvibo, a Chinese company based in the city of Shenzen, which runs SmartMate, a platform for managing smart appliances in a modern smart home.
But the company appears to have misconfigured one of its backend servers -- namely an Elasticsearch database where recent connection logs would be aggregated -- which Orvibo left connected to the Internet without a password.
The database was spotted in mid-June by the security team at vpnMentor, led by security researchers Noam Rotem and Ran Locar, who shared their findings with ZDNet last month and asked for help in notifying the vendor.
Over the past two weeks, both vpnMentor and ZDNet have contacted the Chinese company to let it know about its security snafu; however, at the time of writing, Orvibo has failed to respond or take any action.
As the screenshot below shows, the leaky Elasticsearch server is still freely accessible online, holding connection log data as recent as July 1, 2019 (the date of this article's publication).
An associated Kibana installation running on the same server is also available, without a password. Kibana is a web-based app for navigating through an Elasticsearch server's data using a GUI instead of the default text-based interface.
User data and device password leaking
According to a vpnMentor report shared exclusively with ZDNet, in the past two weeks, the database appears to have cycled through at least two billion log entries, with each entry containing data about an Orvibo SmartMate customer.
The data for each log entry varied depending on the operation it was being logged, such as logins, password resets, device heartbeat (regular check-in), logouts, and others.
Typical data that one can find in these logs included Orvibo customers' email addresses, the IP addresses of the device checking in, Orvibo usernames, and hashed passwords.
In some cases, there was also precise geolocation information, a customer's family name, the device's name, and information about the device's scheduled operations (such as turning lights on at specific hours, or the home alert between specific intervals).
All the entries that ZDNet analyzed were in Chinese, but vpnMentor researchers say they've also spotted log entries for users in Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. Data for customers in many other locations is most likely available, although, we have not specifically looked for it to confirm.
But the most worrying fact is that the company is logging both passwords and password reset codes.
"Orvibo does make some effort into concealing the passwords, which are hashed using MD5 without salt," the vpnMentor team said.
However, saltless MD5 passwords are relatively easy to crack, which means that anyone with access to this database could hijack SmartMate accounts and possibly take control of a user's smart devices connected to a user's SmartMate-controlled smart home.
Furthermore, even if the threat actor wouldn't be successful in cracking the MD5 passwords, he can set up watch for new log entries with password reset codes that are being added to the Elasticsearch server, which he could also utilize to hijack Orvibo accounts.
"With this code accessible in the data, you could easily lock a user out of their account, since you don't need access to their email to reset the password," the vpnMentor team said.
"The code is available for those who want to reset either their email address or password. This means a bad actor could permanently lock a user out of their account by changing first the password and then the email address."
Experts argue that access to people's smart home hub accounts would allow them to spy on users, their schedule, or security video feeds.
Criminal groups could orchestrate robberies when homeowners are away, or they could sabotage or play pranks on homeowners by spiking energy usage by tampering with smart electric plugs, HVACs, or thermostats.
The scenarios for abuse are practically endless, and the Chinese company needs to intervene as soon as possible to secure its server, and indirectly, its customers' devices and private information.
Updated on July 3 to add that Orvibo has secured the Elasticsearch cluster that leaked customer data.