SmartMate, a smart home management platform, is leaking data about its customers and their device passwords via an ElasticSearch server that it left exposed on the internet without a password. The server belongs to Orvibo, a Chinese company based in the city of Shenzen, which runs SmartMate, a platform for managing smart appliances in a modern smart home.
Ben Herzberg, Director, Threat Research at Imperva:
Misconfigurations that leave servers open and vulnerable is something that we’ve seen resurface over and over again. Once servers are left “open,” it takes barely any time for attackers to become aware of the vulnerability and take over. In our research, we saw that specific to Redis servers, 75% of the open servers were taken over in cryptojacking schemes.
When these systems are left open attackers have a variety of options, they can either use the data to their advantage, take over resources, or work themselves even further into the networks of the organisation and infiltrate additional resources. In the case of SmartMate, the exposure of people’s personal information and device passwords from the breach of course is dangerous in itself, but there are also indirect problems that could arise as well, including:
- Though the passwords in this case are hashed, they’re kept with their “salt”, increasing attackers’ odds of cracking them.
- Using those credentials, attackers can also attempt to access other services and infrastructures, in what’s known as “credential stuffing” attacks, which may assist attackers in gaining additional assets.
- With respect to Orvibo’s lack of a response and remediation of the leaky server is irresponsible and extremely dangerous.
Jake Moore, Cybersecurity Specialist at ESET:
“This just highlights the sheer magnitude of endless possibilities open to poor security on IoT devices. By not looking after personally identifiable and confidential data at the back end of a website has just as much risk attached as not using a password at all. Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet and I’d hope it would be patched quite quickly now it is out. What a criminal hacker could do with this goes as far as their imagination will take them.
The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused. However, if cyber-criminal gangs are already in and watching their every move before a patch is installed, they may as well pull the plug on the device until it is fixed.”
Anurag Kahol, CTO at Bitglass:
“Unfortunately, people commonly reuse passwords across multiple accounts. This means that if a cybercriminal obtains a single password, then they can potentially gain access to a number of accounts across multiple services that their victim uses. A database containing billions of records of passwords, email addresses, usernames, and devices’ IP addresses could be misused by bad actors in many different ways. It’s even plausible that a hacker could gain control over the smart devices linked to customers’ accounts in order to unlock doors and turn off security cameras, facilitating break-ins and burglaries. This is a prime example of how poor cybersecurity can also foster physical security threats.”
Jonathan Bensen, CISO at Balbix:
“By failing to secure its EU customers’ data, Orvibo is susceptible to penalties under GDPR. And given the nature of this breach and the sensitive consumer data exposed, it would not be surprising to see further litigations taken on behalf of citizens in other countries, including the U.S. As more Chinese companies expand into the U.S. without taking proper security precautions, they expose themselves to lawsuits. For example, China-based Huazshu Group was sued last October by a Huazshu shareholder in the Central District of California after the company’s breach of 123 million records of registration data.
Misconfigurations like this have become commonplace. Organizations are tasked with the cumbersome burden of continuously monitoring all assets and hundreds of potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect tens of thousands of vulnerabilities—far too many to tackle all at once. The key to preventing a breach like what Orvibo has suffered is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality. Obviously in this case, adding a password to the ElasticSearch server containing over two billion record logs for the over one million customers of the company should have been prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.”
Anurag Kahol, CTO at Bitglass:
“Unfortunately, people commonly reuse passwords across multiple accounts. This means that if a cybercriminal obtains a single password, then they can potentially gain access to a number of accounts across multiple services that their victim uses. A database containing billions of records of passwords, email addresses, usernames, and devices’ IP addresses could be misused by bad actors in many different ways. It’s even plausible that a hacker could gain control over the smart devices linked to customers’ accounts in order to unlock doors and turn off security cameras, facilitating break-ins and burglaries. This is a prime example of how poor cybersecurity can also foster physical security threats.
Basic password protection is a must for organizations looking to protect their sensitive data in the cloud. Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access to IT resources. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies to defend customer information as well as the rest of their corporate data.”
Ben Goodman, CISSP and SVP at ForgeRock:
“The data encased in Orvibo’s misconfigured server is extremely specific and creates the opportunity for a malicious actor to cross-reference this data with previously pilfered information on the dark web from other breaches to create a highly-effective credential stuffing list. This is a perfect example of how a data breach at one business can open up a new cyberthreat for other organizations, something that 61% of CEOs are aware of according to PwC’s 19th Annual Global CEO Survey.
Unfortunately, data breaches due to misconfigurations have become a trend in 2019. Verifications.io, Ascension, VOIPo, Dow Jones, Blur, UW Medicine and now Orvibo are just a fraction of organizations that have leaked massive amounts of customer data due to what is seen as a seemingly simple error. As increased data privacy standards becomes a larger topic in the public eye, the approaching enactment of the CCPA, for example, security leaders are feeling the added pressure of securing customer data while maintaining compliance to avoid litigation and penalties.
To stop, or at least slow malicious actors, companies must leverage security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification via multi-factor authentication (MFA).
It is also crucial that organizations begin to eliminate knowledge-based answers for password resets as they represent another highly susceptible attack vector for threat actors to target in order to gain unauthorized access to individuals’ accounts. For example, “where did you go to high school/college” and “what city were you born in” are two commonly asked questions for password resets that a hacker can potentially find the answer to by looking at the user’s social profiles, meaning that a threat actor can gain unauthorized access with extremely limited information. However, more complex personally identifiable information (PII) that gets leaked can allow a hacker to guess the answers to even the most complex questions.”
Chris DeRamus, Co-founder and CTO at DivvyCloud:
“The customer data accessible through Orvibo’s leaky server can result in real-world implications through several different vectors. For example, by using the leaked information to gain unauthorized access to a user’s account, a hacker could orchestrate a robbery, turn off the power, or even spy on users through SmartMate-connected cameras. This misconfiguration is an example of one of many security issues within the IoT industry that need to be dealt with by providers immediately.
Seeing as Orvibo boasts over one million customers and the database had more than two billion log entries, it makes sense why the company was embracing self-service access to cloud services and software-defined infrastructure. The speed and agility of those services are essential for companies that seek to gain and maintain a competitive edge. Unfortunately, developers and engineers can often move too quickly and bypass critical security and compliance policies. The speed of workload deployment, rate of change and an increasing number of customers can easily overwhelm organizations and impede their ability to keep customers data secure.
Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day—such as Tech Data’s breach early last month. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“Unfortunately, such overt negligence is not that uncommon amid IoT and smart homes vendors. Most of them compete on a turbulent, aggressive and highly competitive global market and in order to stay afloat, they have to slay internal security costs. Consequentially, their business may be ruined by private and class lawsuits, let alone penalties and fines imposed by regulatory authorities. The victims don’t really have a recourse but to file a legal complaint and deactivate any remote management of their homes if it is doable. Those who use the same or similar passwords shall change them immediately.
Worse, many similar incidents never go to the media, ending up in hands of cybercriminals. The more we will entrust our daily lives to precarious vendors, the more detrimental and dangerous risks we will eventually face. In a couple of years, attackers will likely be able to conduct mass killings of unwitting users of many emerging technologies.”