SmartMate, a smart home management platform, is leaking data about its customers and their device passwords via an ElasticSearch server that it left exposed on the internet without a password. The server belongs to Orvibo, a Chinese company based in the city of Shenzhen, which runs SmartMate, a platform for managing smart appliances in a modern smart home.
https://twitter.com/campuscodi/status/1145678691760070658
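The misconfiguration at the centre of this story is an Elasticsearch HTTP endpoint reachable from the internet with no authentication. The following added example (not Orvibo's configuration and not Elastic's tooling) shows two ways to catch it: an audit of the node's elasticsearch.yml, and a classifier for what an unauthenticated scan of port 9200 sees. It assumes Elasticsearch 6.8/7.x, where X-Pack security is in the free tier but disabled by default; the two sample config files and the banner response are constructed for the example.

```python
"""Added example: detect the 'bound to the internet, no authentication'
Elasticsearch misconfiguration. Not Orvibo's config or Elastic's code.
Assumptions: ES 6.8/7.x settings keys; sample configs are constructed."""

import json
from typing import Dict, List

WEAK_CONFIG = """\
# constructed: the shape of a config that produces an open server
cluster.name: smarthome-prod
network.host: 0.0.0.0           # listen on every interface
http.port: 9200
xpack.security.enabled: false   # no users, no roles, no auth on :9200
"""

HARDENED_CONFIG = """\
# constructed: same cluster, private bind address, auth and TLS on
cluster.name: smarthome-prod
network.host: 10.0.3.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Special values that make Elasticsearch listen on every address.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """elasticsearch.yml is normally flat 'key: value' lines, so a full YAML
    parser is not needed; comments and blank lines are dropped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings, most severe first. Defaults mirror the assumed
    versions: network.host=_local_ (loopback only), security disabled."""
    findings: List[str] = []
    host = settings.get("network.host", "_local_")
    port = settings.get("http.port", "9200")
    auth = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if host in PUBLIC_BINDS and not auth:
        findings.append(
            f"CRITICAL: bound to all interfaces on {port} with "
            "xpack.security.enabled=false; anyone who can reach the port "
            "can read, modify or delete every index")
    elif host != "_local_" and not auth:
        findings.append(f"HIGH: reachable beyond loopback on {port} without authentication")
    if auth and not tls:
        findings.append("MEDIUM: authentication is on but HTTP TLS is off; "
                        "credentials cross the wire in clear")
    return findings


def classify_root_response(status: int, body: str) -> str:
    """Classify an unauthenticated GET / on port 9200 as an external scan
    sees it: an open node answers 200 with its cluster banner, a node with
    security enabled answers 401."""
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if doc.get("tagline") == "You Know, for Search" or "cluster_name" in doc:
            return "exposed"
    return "unknown"


# Constructed banner in the shape an open 7.x node returns for GET /
OPEN_BANNER = json.dumps({"name": "node-1", "cluster_name": "smarthome-prod",
                          "version": {"number": "7.2.0"},
                          "tagline": "You Know, for Search"})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(cfg)) or ["no findings"])
    print(classify_root_response(200, OPEN_BANNER))  # exposed
    print(classify_root_response(401, ""))           # auth-required
```

The live equivalent of `classify_root_response` is running `curl -s -o /dev/null -w '%{http_code}' http://HOST:9200/` from outside the network and expecting 401; a 200 with the cluster banner means the whole dataset is readable, and writable, by anyone.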
Experts' Comments:
Ben Herzberg, Director, Threat Research at Imperva:
When these systems are left open, attackers have a variety of options: they can use the data to their advantage, take over resources, or work themselves even further into the networks of the organisation and infiltrate additional resources. In the case of SmartMate, the exposure of people’s personal information and device passwords from the breach is of course dangerous in itself, but there are also indirect problems that could arise, including:
- Though the passwords in this case are hashed, they’re kept with their “salt”, increasing attackers’ odds of cracking them.
- Using those credentials, attackers can also attempt to access other services and infrastructures, in what’s known as “credential stuffing” attacks, which may assist attackers in gaining additional assets.
- Orvibo’s lack of a response and remediation of the leaky server is irresponsible and extremely dangerous.
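To make concrete what the first two points above describe, here is an added example (not from the article, the commenter or Orvibo) of what an attacker does with leaked password records that ship with their salt, and how the recovered passwords then feed credential stuffing against an unrelated service. The article does not say which hash Orvibo used; single-round salted SHA-256 is assumed here purely for illustration, and every user, password and record is constructed.

```python
"""Added example: offline dictionary attack on leaked salted hashes, then
credential stuffing with the results. All data is constructed; the hash
format is an assumption, not Orvibo's actual scheme."""

import hashlib
import os
from typing import Callable, Dict, List, Tuple

Hasher = Callable[[bytes, str], bytes]   # (salt, password) -> digest
Record = Tuple[str, bytes, bytes]        # (user, salt, digest) as leaked


def sha256_salted(salt: bytes, password: str) -> bytes:
    """Assumed leaked format: one SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_salted(salt: bytes, password: str, iterations: int = 2000) -> bytes:
    """A deliberately slow KDF. 2000 iterations keeps the demo quick;
    production deployments use hundreds of thousands (or Argon2/bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_records(users: List[Tuple[str, str]], hasher: Hasher) -> List[Record]:
    """Build leaked-style records with a fresh random 16-byte salt each."""
    records = []
    for user, password in users:
        salt = os.urandom(16)
        records.append((user, salt, hasher(salt, password)))
    return records


def crack(records: List[Record], wordlist: List[str],
          hasher: Hasher) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack. Because the salt is stored beside the
    digest, the attacker simply re-hashes each candidate with that salt;
    the salt defeats a shared precomputed table, not per-record guessing.
    Returns (cracked {user: password}, number of hash evaluations spent)."""
    cracked: Dict[str, str] = {}
    evaluations = 0
    for user, salt, digest in records:
        for candidate in wordlist:
            evaluations += 1
            if hasher(salt, candidate) == digest:
                cracked[user] = candidate
                break
    return cracked, evaluations


def stuff(cracked: Dict[str, str],
          other_service: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Credential stuffing: replay each cracked (user, password) pair
    against another service, simulated here as user -> (salt, PBKDF2
    digest). Returns the accounts the reused password opens."""
    hits = []
    for user, password in cracked.items():
        entry = other_service.get(user)
        if entry is not None and pbkdf2_salted(entry[0], password) == entry[1]:
            hits.append(user)
    return hits


# Constructed leak: two weak passwords and one strong one.
LEAKED_USERS = [("alice@example.com", "123456"),
                ("bob@example.com", "Summer2019!"),
                ("carol@example.com", "x7#Qp9!vL2mZ")]
# Constructed wordlist; a real attack uses tens of millions of entries.
WORDLIST = ["password", "123456", "qwerty", "smartmate", "Summer2019!", "letmein"]


def run_demo() -> Tuple[Dict[str, str], int, List[str]]:
    leaked = make_records(LEAKED_USERS, sha256_salted)
    cracked, evaluations = crack(leaked, WORDLIST, sha256_salted)
    # Unrelated second service: alice reused her password, bob did not.
    other: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in (("alice@example.com", "123456"),
                           ("bob@example.com", "different-pw-9")):
        salt = os.urandom(16)
        other[user] = (salt, pbkdf2_salted(salt, password))
    return cracked, evaluations, stuff(cracked, other)


if __name__ == "__main__":
    cracked, evaluations, hits = run_demo()
    print(cracked)       # alice and bob recovered, carol survives
    print(evaluations)   # 13 hash evaluations for 3 records x 6 words
    print(hits)          # ['alice@example.com']
```

Swapping `pbkdf2_salted` in for `sha256_salted` in `run_demo` recovers the same two passwords with the same 13 guesses, but each guess then costs `iterations` SHA-256 computations instead of one, which is the entire difference a slow KDF makes when the salt and digest are already in the attacker's hands.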
Jake Moore, Cybersecurity Specialist at ESET:
The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex, along with other accounts where the same password may be reused. However, if cyber-criminal gangs are already in and watching their every move before a patch is installed, they may as well pull the plug on the device until it is fixed.
Jonathan Bensen, CISO at Balbix:
Misconfigurations like this have become commonplace. Organizations are tasked with the cumbersome burden of continuously monitoring all assets and hundreds of potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect tens of thousands of vulnerabilities—far too many to tackle all at once. The key to preventing a breach like what Orvibo has suffered is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality. Obviously in this case, adding a password to the ElasticSearch server containing over two billion record logs for the over one million customers of the company should have been prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.
Anurag Kahol, CTO at Bitglass:
Basic password protection is a must for organizations looking to protect their sensitive data in the cloud. Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access to IT resources. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies to defend customer information as well as the rest of their corporate data.
Ben Goodman, CISSP and SVP at ForgeRock:
Unfortunately, data breaches due to misconfigurations have become a trend in 2019. Verifications.io, Ascension, VOIPo, Dow Jones, Blur, UW Medicine and now Orvibo are just a fraction of the organizations that have leaked massive amounts of customer data due to what is seen as a seemingly simple error. As increased data privacy standards become a larger topic in the public eye, with the approaching enactment of the CCPA, for example, security leaders are feeling the added pressure of securing customer data while maintaining compliance to avoid litigation and penalties.
To stop, or at least slow malicious actors, companies must leverage security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification via multi-factor authentication (MFA).
It is also crucial that organizations begin to eliminate knowledge-based answers for password resets, as they represent another highly susceptible attack vector for threat actors to target in order to gain unauthorized access to individuals’ accounts. For example, “where did you go to high school/college” and “what city were you born in” are two commonly asked questions for password resets that a hacker can potentially find the answer to by looking at the user’s social profiles, meaning that a threat actor can gain unauthorized access with extremely limited information. However, more complex personally identifiable information (PII) that gets leaked can allow a hacker to guess the answers to even the most complex questions.
Chris DeRamus, Co-founder and CTO at DivvyCloud:
Seeing as Orvibo boasts over one million customers and the database had more than two billion log entries, it makes sense why the company was embracing self-service access to cloud services and software-defined infrastructure. The speed and agility of those services are essential for companies that seek to gain and maintain a competitive edge. Unfortunately, developers and engineers can often move too quickly and bypass critical security and compliance policies. The speed of workload deployment, rate of change and an increasing number of customers can easily overwhelm organizations and impede their ability to keep customers’ data secure.
Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day—such as Tech Data’s breach early last month. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
Worse, many similar incidents never go to the media, ending up in the hands of cybercriminals. The more we entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.