Related vulnerabilities have now been patched: Orvibo smart home devices disclose user information

2019-07-03T00:00:00
ID MYHACK58:62201994872
Type myhack58
Reporter Anonymous
Modified 2019-07-03T00:00:00

Description

According to Orvibo, the security vulnerability behind this information disclosure has now been fixed and the protection level for user information addressed; the company also says it wants to cooperate with professional information security research teams to protect IoT security. The vpnMentor security research team has also updated its blog post, confirming that the problem has been fixed. The figure below shows Orvibo's announcement in English.

Overview

Recently, the vpnMentor research team found that Orvibo's user database had suffered a data breach. The network security research team led by Noam Rotem and Ran Locar found an open database related to Orvibo smart home products. The database contains over 20 billion log records covering everything from user names, email addresses and passwords to precise locations. As long as the database remains open, the amount of data available will continue to grow daily.

Orvibo claims to have about a million users, including homes, hotels and commercial environments that use Orvibo smart home devices. The leaked database is a violation of user privacy and a huge security threat with far-reaching impact. The data breach affects users around the world: in the logs we saw users from China, Japan, Thailand, the USA, the UK, Mexico, France, Australia and Brazil. We expect that there are more users in the more than 20 million logs.

We first tried to contact Orvibo by e-mail on June 16 and received no reply in the following days; we also posted a tweet on Twitter alerting them to the data breach. However, the company still did not respond and did not close the source of the leak.

Specific contents of the leaked database

The amount of data provided by the Orvibo server is very large, and the content is very specific, directly showing which user data the smart home devices collect. According to the company's promotional material, more than 100 million users in households and businesses have installed Orvibo products. Headquartered in Shenzhen, the company produces 100 different models of smart home and intelligent automation products. The breach includes the following data:

1. E-mail address
2. Password
3. Account reset code
4. Precise geographic location
5. IP address
6. User name
7. User ID
8. Family name
9. Family ID
10. Smart device information
11. Type of device used to access the account
12. Schedule information

In the first example, we can see that Orvibo is collecting large amounts of data about its users. Not all data points are recorded in every scenario. However, in other scenarios we found specific geographic data, family names, user names, passwords, and reset codes that allow accounts to be taken over.

These data logs are for the same account, which we can verify by matching the email address and user ID. Initially we had only the e-mail address, IP address and reset code. With access to this code, an attacker can easily lock a user out of their own account, resetting the password without needing to log in to the user's mailbox. The code applies to users who want to reset either their e-mail address or their password, which means a malicious attacker can first change the password and then change the email address, permanently locking the user out of the account. Orvibo has made some effort on password security, for example by using MD5 for password hashing.

The example above shows only a small fraction of the location data we found.
Orvibo records exact latitude and longitude coordinates in this data. The precision of the coordinates can lead us to a user's exact address, and it also shows that the products themselves track the user's location rather than determining it from the IP address.

The data for one Mexican user shows exactly which devices the user was connected to when the data was recorded. According to the description on Orvibo's official website, HomeMate is a complete smart home system that uses a full range of products to connect the user's entire home. The amount of data also shows how vulnerable a user would be if an attacker exploited this vulnerability.

The smart mirror is one of Orvibo's products; it can display the weather and schedules. We found a log recording a user creating a schedule with a custom name. The description "Winter week AM" gives accurate information about the user's calendar.

One data log contains a large number of devices associated with a single account. We can clearly see that the user has an Orvibo smart camera. In addition, there is a device named "massage room" located in a massage room. Not every device name tells us where the device is, but device names might help a malicious party identify a device's specific location and facilitate follow-up attacks. The name "massage room" may also indicate that this data comes from a business.
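
As an added example (not code from the original article or from Orvibo), one way to keep the data types listed above out of an indexed log store is a sanitizer that drops credentials and reset codes, pseudonymizes identifiers with a keyed HMAC so records for the same account still match, and coarsens coordinates. The field names, sample record and key are constructed assumptions; the article does not give the exact keys used in the logs.

```python
import hashlib
import hmac

# Assumed field names for illustration; the article lists the data types
# but not the exact keys used in the logs.
DROP = {"password", "password_md5", "reset_code"}    # never belongs in logs
PSEUDONYMIZE = {"email", "username", "family_name"}  # correlatable, not readable
COARSEN = {"latitude", "longitude"}                  # keep region, lose address
FREE_TEXT = {"device_name", "schedule_name"}         # user-chosen labels


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC: equal inputs still match across records, but the value
    cannot be recovered or guessed offline without the key."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def sanitize(event, key: bytes):
    """Return a copy of a log event that is safe to index."""
    if isinstance(event, list):
        return [sanitize(item, key) for item in event]
    if not isinstance(event, dict):
        return event
    clean = {}
    for name, value in event.items():
        field = name.lower()
        if field in DROP:
            continue
        if field in PSEUDONYMIZE and isinstance(value, str):
            clean[name] = pseudonym(value, key)
        elif field in COARSEN and isinstance(value, (int, float)):
            clean[name] = round(value, 1)  # 0.1 degree is roughly 11 km of latitude
        elif field in FREE_TEXT:
            clean[name] = "[redacted]"
        else:
            clean[name] = sanitize(value, key)  # recurse into nested records
    return clean


# Constructed sample record, not taken from the leaked data.
SAMPLE = {
    "userId": "u-1001",
    "email": "Alice@example.com",
    "password_md5": "00112233445566778899aabbccddeeff",
    "reset_code": "482913",
    "latitude": 22.54321, "longitude": 114.05789,
    "devices": [{"type": "camera", "device_name": "massage room"}],
}
KEY = b"constructed-demo-key"  # assumption: in production, load from a secrets manager
```

Running `sanitize(SAMPLE, KEY)` leaves `userId` and the device type intact for troubleshooting while removing everything in the record that would enable account takeover or reveal a street address.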
