Orvibo, based in Shenzhen, China, operates a management platform for Internet of Things (IoT) devices. Its customers range from large users of smart home technology, such as hotels, energy companies and the security sector, to individual consumers of AI-powered smart home products. The company claims to offer hundreds of different automation and smart home products.
Lack of protection
Researchers found that the Chinese firm's database had been left online without any password protection, exposing its contents to anyone who found it, including attackers.
Forbes reported that the database held over 2 billion log entries, including everything from user passwords to account reset codes. The exposed data also included precise geolocation and scheduling information.
Personal information such as names, email addresses and home addresses was also left unprotected.
vpnMentor, which discovered the issue, singled out the reset codes as a particular worry, saying in its report: “These would be sent to a user to reset either their password or their email address.” It added that, “with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”
According to vpnMentor, the exposed logs came from users all over the world, including Europe, the Americas and Australia.
Orvibo did not respond to the breach until 2nd July, more than two weeks after it had been alerted. (Ed: ORVIBO have now stated publicly that they had already secured the vulnerability by July 2nd).
The researchers also commented on the worrying amount of data that had been exposed. In the blog post, they wrote: “There was enough information to put together several threads and create a full picture of a user’s identity.”
Orvibo had also been protecting passwords with the MD5 hashing algorithm. MD5 is a fast, general-purpose hash that has long been considered unsuitable for password storage: an attacker who obtains the hashes can test candidate passwords against them at very high speed, so weak or common passwords are recovered quickly.
Compounding this, the company failed to salt the passwords. A salt is a random value combined with each password before hashing. Without one, every user who chose the same password ends up with the same stored hash, and an attacker can run a single precomputed table against every account in the database at once.
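To make the MD5 and salting points concrete, here is an added example (not Orvibo's code, and not from vpnMentor's report) contrasting the weak scheme with a salted, deliberately slow hash from the Python standard library. The user accounts, passwords and wordlist are constructed for the demonstration, and the `iterations$salt$digest` record layout is an assumption of this example rather than any real system's format.

```python
from __future__ import annotations

import hashlib
import secrets

# Constructed sample accounts (not real data). Two users share a password,
# which is common in any large user base.
USERS = {
    "alice": "summer2019",
    "bob": "summer2019",
    "carol": "Tr0ub4dor&3",
}

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = ["password", "123456", "summer2019", "qwerty", "letmein"]


def md5_unsalted(password: str) -> str:
    """The weak scheme described above: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_table(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Attack on unsalted hashes: hash the wordlist ONCE, then look up every
    user's stored hash in that table. Identical passwords share a hash, so one
    table lookup recovers all of them together."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def pbkdf2_salted(password: str, salt: bytes | None = None,
                  iterations: int = 600_000) -> str:
    """Hardened alternative using only the standard library: PBKDF2-HMAC-SHA256
    with a 16-byte random salt and a deliberately high iteration count.
    Record layout (an assumption of this example): iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    the whole record in constant time."""
    iterations, salt_hex, _ = record.split("$")
    candidate = pbkdf2_salted(password, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, record)


def crack_pbkdf2_table(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """The same wordlist attack against salted records. Every user has a
    different salt, so the attacker must rehash the whole wordlist per user,
    and each guess costs the full iteration count instead of one MD5 block.
    Weak passwords still fall eventually; the defence buys time, not immunity."""
    recovered = {}
    for user, record in stored.items():
        for word in wordlist:
            if verify_pbkdf2(word, record):
                recovered[user] = word
                break
    return recovered


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    print("unsalted MD5, alice == bob:", weak["alice"] == weak["bob"])
    print("unsalted MD5, cracked in one pass:", crack_md5_table(weak, WORDLIST))
    strong = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    print("salted PBKDF2, alice == bob:", strong["alice"] == strong["bob"])
```

The lookup table in `crack_md5_table` is built once and reused for every account, which is exactly what a salt prevents; with PBKDF2 the attacker pays the full per-guess cost for each user separately, and the same password produces a different record for alice and for bob.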
vpnMentor added: “Even with strong passwords, however, Orvibo’s database included a dangerous piece of information.”
“When examining their records, we found account reset codes in the data logs. These would be sent to a user to reset either their password or their email address. With that information readily accessible, a hacker could lock a user out of their account without needing their password.”
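The reset-code exposure described in this article and in the quoted passage above comes down to how the codes were stored. The following added example (not Orvibo's code, and not from vpnMentor's report) models the failure mode, where the plaintext code sits in a record that anyone reading the store or its logs can redeem, beside a hardened store that keeps only a SHA-256 digest, expires the code and consumes it on first use. The class names, the 15-minute TTL and the simulated attacker are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import secrets
import time


class PlaintextResetStore:
    """The failure mode described above: the reset code is kept in plaintext
    and never expires. Whoever reads the store (or a log of it) can redeem it
    without knowing the user's password."""

    def __init__(self):
        self.records: dict[str, str] = {}  # user -> plaintext code

    def issue(self, user: str) -> str:
        code = secrets.token_urlsafe(24)
        self.records[user] = code
        return code

    def redeem(self, user: str, presented: str) -> bool:
        return self.records.get(user) == presented


class HashedResetStore:
    """Hardened handling: only a SHA-256 digest of the code is persisted, the
    code expires after ttl_seconds, and it is deleted on first successful use.
    A leaked copy of the store yields digests, which cannot be presented as the
    code itself. The plaintext exists only in the message sent to the user."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self.records: dict[str, tuple[str, float]] = {}  # user -> (digest, expiry)
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user: str) -> str:
        code = secrets.token_urlsafe(24)
        self.records[user] = (self.digest(code), self.clock() + self.ttl)
        return code  # deliver out of band; never write the plaintext to a log

    def redeem(self, user: str, presented: str) -> bool:
        record = self.records.get(user)
        if record is None:
            return False
        digest_hex, expires_at = record
        if self.clock() > expires_at:
            del self.records[user]  # stale code: discard, do not honour
            return False
        if not secrets.compare_digest(digest_hex, self.digest(presented)):
            return False
        del self.records[user]  # single use: a replayed code fails
        return True


def attacker_with_leaked_store(store) -> dict[str, bool]:
    """Simulate the attacker in the article: they hold a copy of the store and
    try to redeem whatever value it contains for every user. Against the
    plaintext store this succeeds; against the hashed store it fails because
    SHA-256(digest) never equals the stored digest."""
    results = {}
    for user, record in list(store.records.items()):
        leaked_value = record if isinstance(record, str) else record[0]
        results[user] = store.redeem(user, leaked_value)
    return results


if __name__ == "__main__":
    weak = PlaintextResetStore()
    weak.issue("alice")
    print("plaintext store, attacker redeems:", attacker_with_leaked_store(weak))
    hard = HashedResetStore()
    code = hard.issue("alice")
    print("hashed store, attacker redeems:", attacker_with_leaked_store(hard))
    print("hashed store, real user redeems:", hard.redeem("alice", code))
    print("hashed store, replay:", hard.redeem("alice", code))
```

Hashing the code does not help if the plaintext is also written to an application log on the way to the user, which is why `issue` returns it once and stores nothing else; the expiry and single-use checks then bound the damage even if a code is intercepted in transit.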