A company that makes smart home devices is leaking customer data and device passwords thanks to a misconfigured server sitting exposed on the internet.
The server belongs to Orvibo, a Chinese company that makes the SmartMate platform for managing smart home devices.
The exposed database was spotted in mid-June by security researchers at vpnMentor. They say the server has captured at least two billion log entries, each holding data about an Orvibo SmartMate customer.
SmartMate is used to manage a variety of Orvibo’s smart products like lightbulbs, security cameras, home entertainment systems, smart meters, smart window curtain systems, thermostats, HVAC systems, smart door locks, and more.
But the company looks to have misconfigured one of its database servers where recent connection logs are stored, leaving it connected to the Internet without a password.
Standard log data includes customer email addresses, IP addresses of smart devices, usernames, and encrypted passwords.
Precise geolocation data was also held in some cases, along with the customer’s family name, names of devices, and scheduling information like when to turn lights on.
Most worrying for customers: Orvibo is logging passwords and password reset codes. A reset code sitting in an exposed log is as good as the password itself, since anyone reading the log can use it to take over the account and lock the real owner out.
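As an added illustration (not code from the article or from Orvibo), the snippet below shows the redaction step that belongs in a log pipeline before entries are written: credentials and one-time codes are dropped and precise coordinates are coarsened, so a server exposed the way this one was leaks far less. The log entries are constructed to mirror the field types the article lists; the field names, the `redact` helper and the `leaks_secret` gate are my assumptions, not Orvibo's schema or code.

```python
import json
import re

# Constructed sample log entries (not real Orvibo data), modelled loosely on the
# field types the article lists: email, device IP, password, reset code, geolocation.
SAMPLE_LOGS = [
    {"event": "login", "email": "alice@example.com", "ip": "203.0.113.5",
     "password": "hunter2", "device": "front-door-lock"},
    {"event": "password_reset", "email": "bob@example.com", "ip": "198.51.100.7",
     "resetCode": "482913"},
    {"event": "schedule", "email": "carol@example.com", "lat": 51.5074,
     "lon": -0.1278, "action": "lights_on_18:30"},
    {"event": "api_call", "email": "dave@example.com",
     "auth": {"api_key": "AKIA-EXAMPLE", "session_token": "t0k3n"}},
]

REDACTED = "[REDACTED]"

# Secret-bearing field names, matched against a normalised key (lower-case,
# separators stripped) so password / Passwd / resetCode / reset_code all hit.
SENSITIVE = re.compile(r"password|passwd|pwd|secret|token|resetcode|apikey|otp$")

# Personal data that is useful for debugging only at coarse resolution.
GEO_KEYS = {"lat", "lon"}


def is_sensitive(key: str) -> bool:
    norm = re.sub(r"[^a-z0-9]", "", key.lower())
    return bool(SENSITIVE.search(norm))


def redact(entry: dict) -> dict:
    """Return a copy of one log entry that is safe to write to a log store."""
    out = {}
    for key, value in entry.items():
        if is_sensitive(key):
            out[key] = REDACTED              # drop credentials and one-time codes entirely
        elif key in GEO_KEYS and isinstance(value, (int, float)):
            out[key] = round(value, 1)       # roughly 10 km instead of a street address
        elif isinstance(value, dict):
            out[key] = redact(value)         # recurse into nested objects
        else:
            out[key] = value
    return out


def redact_all(entries):
    return [redact(e) for e in entries]


def leaks_secret(entries) -> bool:
    """Pipeline gate: True if any secret-bearing field still holds a real value."""
    for entry in entries:
        for key, value in entry.items():
            if isinstance(value, dict):
                if leaks_secret([value]):
                    return True
            elif is_sensitive(key) and value != REDACTED:
                return True
    return False


if __name__ == "__main__":
    for line in redact_all(SAMPLE_LOGS):
        print(json.dumps(line))
```

The point of matching on field names rather than on values is that secrets do not look like anything in particular; a six-digit reset code is indistinguishable from a device ID. Run `leaks_secret` as a unit test on the redacted output so that a new field added by a developer cannot quietly reintroduce a credential into the logs.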
Home is where the vulnerabilities are
The smart home phenomenon is on the rise. Juniper Research predicts that there will be 8 billion voice assistants in use by 2023. They also predict smart TV adoption will increase by 121% in the next 3 years.
While it may be convenient to remotely check your thermostat or see the back garden security camera from a smartphone, many cases have been documented where smart home devices like alarms, locks, and even baby monitors have been hacked.
Smart homes are typically managed from a central hub. Having access to someone’s smart home account could allow a criminal to spy on potential victims, see their schedule, or view security video feeds.
Thieves could plan robberies when they know people are likely to be out. They could also tamper with smart electric plugs, HVACs, or thermostats to spike energy usage or potentially disable some devices.
The options for misuse and abuse of customer smart home accounts are practically endless.
Researchers at Ben-Gurion University in Israel recently analysed 16 different smart home devices. They found that even security-critical devices like doorbells, locks, and smart cameras were fairly easy to hack.
There are a range of things you can do to secure your smart home. Some of them require additional spend but others are simple fixes you can make today.
Here are some of the top options:
DO YOUR HOMEWORK
Smart home devices are still a relatively new technology category and a multitude of vendors have jumped in, many competing mainly on price with better-known brands.
Given the kind of vulnerabilities you could be introducing into your home, it’s important to know if the company has a reputation for security – for example, updates its software frequently enough to protect against known threats.
Before you click ‘buy’, see what the internet has to say about it. Look at Trustpilot and Amazon reviews; and Google the product name along with “security vulnerabilities” as a search phrase.
SECURE YOUR HOME NETWORK
If your home router can accommodate it, set up a dedicated WiFi network (many routers call this a guest network) only for your smart devices, and check that the router is configured to block traffic between that network and the one your smartphones, tablets, and PCs use. A compromised lightbulb or camera can then still reach the internet, but not your laptop or your file server.
GET RID OF DEFAULT PASSWORDS
Many smart home devices come pre-programmed with default passwords, which can be a gift to cybercriminals. Manufacturers ship them to make initial setup and remote support easy, but the same defaults are printed in manuals and circulate in attacker wordlists, so anyone who finds the device online can log in and configure it to their own ends.
Always change the default password on any smart home device you purchase. Use a strong, unique password for each device and for the vendor’s cloud account, and turn on two-factor authentication where the vendor offers it; a leak like Orvibo’s then exposes one credential rather than every account where you reused it. If a device gives you no way to change its default password at all, treat that as a reason not to buy it.
READ YOUR END USER AGREEMENT
No one likes wading through the legalese of computing end-user agreements, but at least take a look at the terms you’re signing up to before connecting a new device to your network.
Of course you have very little influence over what you’re agreeing to, but you can compare other customers’ experiences. Google to find out, for example, whether someone has already tried to identify what customer data is stored and where.
STICK WITH WELL-KNOWN MANUFACTURERS
While we wouldn’t recommend spending more than you have to, at this early stage in the smart home market’s development, sticking with well-known brands can minimise the possibility of issues later on.
Google, Amazon, and Apple all have security problems of their own, but they also add physical mute buttons, for example, to devices with a listening capability, and these can’t be bypassed easily.
Later when industry standards have been agreed, you’ll have benchmarks and ‘seals of approval’ to refer to along with a wide array of product choices.
For now, larger vendors have the resources to invest in consistent security updates – not to mention brand reputations to protect.
Smart Home. Smart Castle
If you want to go a step further, there are devices out there now like Bitdefender’s Box, or Fingbox, that will monitor network traffic to and from your smart devices.
They look for possible attacks and alert you if any new device or user attempts to access your network, and help block potential intrusions. Of course these come with additional cost.
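The products above are black boxes, but the heart of their “new device on the network” alert can be shown in a few lines. The script below is an added example, not Bitdefender’s or Fing’s code: it reads a DHCP lease table in the format dnsmasq (the DHCP server in many home routers) writes, compares each MAC address with an inventory of devices you deliberately placed on the IoT network, and flags everything else, noting when the stranger is using a privacy-randomised MAC (typically a phone or laptop that joined the wrong network). The lease lines and the inventory are constructed; the function names are mine.

```python
# Constructed sample, in the format dnsmasq writes to its leases file
# (expiry-epoch, MAC, IP, hostname, client-id; "*" means unknown). Not real traffic.
SAMPLE_LEASES = """\
1718000000 00:11:22:33:44:01 192.168.50.10 hue-bridge 01:00:11:22:33:44:01
1718000000 00:11:22:33:44:02 192.168.50.11 thermostat *
1718000000 00:11:22:33:44:03 192.168.50.12 * 01:00:11:22:33:44:03
1718000000 10:20:30:40:50:60 192.168.50.99 esp_3f2a1c *
1718000000 da:a1:19:00:00:07 192.168.50.23 Pixel-7 01:da:a1:19:00:00:07
garbage line here
"""

# Hypothetical inventory of the devices you knowingly put on the IoT network.
KNOWN_DEVICES = {
    "00:11:22:33:44:01": "Hue bridge",
    "00:11:22:33:44:02": "Living-room thermostat",
    "00:11:22:33:44:03": "Front-door camera",
}


def parse_leases(text: str) -> list:
    """Parse dnsmasq-style lease lines; skip blank or malformed ones."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        expiry, mac, ip, hostname = parts[:4]
        leases.append({"expiry": int(expiry), "mac": mac.lower(),
                       "ip": ip, "hostname": hostname})
    return leases


def is_randomised_mac(mac: str) -> bool:
    """The locally-administered bit is set when the second hex digit of the first
    octet is 2, 6, a or e; phones use such addresses for per-network randomisation."""
    return mac[1] in "26ae"


def unknown_devices(leases, known):
    return [lease for lease in leases if lease["mac"] not in known]


def alerts(text: str, known: dict) -> list:
    out = []
    for lease in unknown_devices(parse_leases(text), known):
        kind = "randomised MAC, phone/laptop?" if is_randomised_mac(lease["mac"]) else "fixed MAC"
        out.append(f"ALERT unknown device: mac={lease['mac']} ip={lease['ip']} "
                   f"host={lease['hostname']} ({kind})")
    return out


if __name__ == "__main__":
    for message in alerts(SAMPLE_LEASES, KNOWN_DEVICES):
        print(message)
```

On a real router you would run this from cron against the live lease file and send the alerts somewhere you will read them. The MAC-randomisation check matters in practice: without it, every family phone that wanders onto the IoT network generates a fresh “unknown device” alert, and alerts that fire constantly get ignored.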
As the tech industry works to make smart home devices safer, we’d counsel caution and a sensible level of mistrust.
Be smart about your smart devices. You might even wait before buying a new smart home gadget until it’s in its second or third generation.
Going through a few iterations helps tech companies identify problems and smooth out any wrinkles.
Your smart home doesn’t have to be haunted by cybercriminals, as long as you take a few precautions beforehand.
Looking to raise awareness of cyber-security matters that directly affect your employees? Help your employees stay safe in the fight against cyber-crime – sign up for a free security awareness training demo. We help address cyber risk both at work and at home.