Smart home product firm left personal data for 1 million users unsecured

By Wei Sheng
2 min read
Screenshot of leaked data that contains the user’s username and password. (Image credit: vpnMentor)

Security researchers published a report Monday saying lax security protocols for a publicly accessible database created by a Chinese smart home device maker could allow hackers to take control of the more than 1 million homes which use the company’s products.

The database, which is owned by Shenzhen-based smart home product maker Orvibo, includes an excess of 2 billion logs including user names, email addresses, and passwords to precise geolocations, according to a report by the cybersecurity research firm vpnMentor.

The vpnMentor report said much of the data leaked could be pieced together to disrupt and gain access to users’ homes and possibly lead to further hacks.

Orvibo’s products include SmartMate, a platform that manages smart appliances, a lighting control system for smartphones, and a home security system that controls smart locks and security cameras, according to its website.

“A malicious actor could easily access the video feed from one of Orvibo’s smart cameras by entering into another user’s account with the credentials found in the database,” said the report. It would be easy to unlock a door from the same account, it said.

An email query to Orvibo on Tuesday went unanswered. A woman who answered the phone at Orvibo’s Shenzhen office said nobody was immediately available to respond to media queries.

Orvibo says it has around 1 million users, including individuals, hotels, and other businesses who use the company’s smart home devices. The data breach affects users from China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, according to the report.

The report said hackers would be able to easily take the whole network of a business offline with a fully connected set of Orvibo’s smart home items. “When an entire building or dwelling relies on connected technology for security, an outage can stop the whole operation,” the vpnMentor report said.

The report, which was published on Monday, said that security for the database had still not been rectified at time of publishing despite efforts from vpnMentor to alert Orvibo through various channels including email and Twitter.

A vpnMentor spokeswoman told TechNode on Tuesday afternoon that the server which hosts the database had been closed and is no longer accessible.