A database containing billions of records was found exposed to the internet with no password protecting it. The database belongs to Orvibo, a Chinese company that sells a range of smart home devices.
According to the vpnMentor security researchers who reported the exposure, the database contains email addresses, passwords, precise geolocation, IP addresses, usernames, user IDs, family names and IDs, smart devices, the devices that accessed each account, scheduling information, and account reset codes.
The researchers said that reset codes are sent to a user to reset either their password or their email address. With these codes readily available, hackers would be able to lock users out of their accounts without knowing their passwords. Once both the password and the email address are changed, the user won’t be able to reverse it.
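The following sketch is an added example, not code from Orvibo or vpnMentor. It shows one common way to keep a leaked database row from working as a reset code: store only a hash of the code, expire it, and allow a single use. The `ResetStore` class, its in-memory schema, and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset code


class ResetStore:
    """In-memory stand-in for the accounts database (hypothetical schema)."""

    def __init__(self):
        # user_id -> (SHA-256 hex digest of the code, expiry timestamp)
        self.rows = {}

    def issue(self, user_id, now=None):
        """Create a reset code; only its digest is written to storage."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.rows[user_id] = (digest, now + RESET_TTL_SECONDS)
        return code  # delivered to the user out of band, never stored

    def redeem(self, user_id, code, now=None):
        """Return True only for the unexpired, unused code issued to user_id."""
        now = time.time() if now is None else now
        row = self.rows.get(user_id)
        if row is None:
            return False
        digest, expires = row
        if now > expires:
            del self.rows[user_id]  # expired codes are purged
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            return False
        del self.rows[user_id]  # single use: consumed on success
        return True


if __name__ == "__main__":
    store = ResetStore()
    code = store.issue("user-1")  # constructed sample account
    stored_digest = store.rows["user-1"][0]
    print("stored value works as code:", store.redeem("user-1", stored_digest))
    print("real code works once:", store.redeem("user-1", code))
    print("real code works twice:", store.redeem("user-1", code))
```

Because the code is a long random value, a fast hash is sufficient here; the slow password-hashing functions used for user passwords are not needed for high-entropy tokens.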
Some of Orvibo’s smart devices are home security devices such as smart locks, home security cameras, and full smart home kits. Ironically, with these vulnerabilities, there is nothing secure about smart devices at all. Deploying these devices in the hope of becoming more secure undermines the owner's security instead of protecting it. Even worse, the Orvibo website claims that the company supports millions of IoT devices and can guarantee that data is safe and secure.
Orvibo currently makes almost 100 smart home or smart automation devices. The company also claims that it has more than 1 million users globally. These include not only individuals with smart home systems but also hotels and business customers. The researchers have already discovered information for users in Japan, China, Thailand, Mexico, Australia, France, Brazil, the United Kingdom and even the USA.
The good news is that there are still no known reports of anyone having taken advantage of the vulnerability. The database was closed on July 2nd.