
Two Billion Records Exposed in 'Smart Home' Breach - louisstow
https://secalerts.co/article/two-billion-records-exposed-in-smart-home-breach/5e204721
======
m34
(tech) people tend to laugh at me/pull the tinfoil hat card for putting my
dlink/iot stuff behind a very restrictive, dedicated, iptables filtered,
hostapd based custom network running on my pi zero w that isn’t allowed to
talk to the home network or internet at all.

As mentioned by others, I guess it really needs severe identity theft/abuse
with vital services until people realize that today's IoT 'plug & play' is
worse than the level of 'plug & pray' we've seen in the early
PCI/USB/Win98 era (that only impacted your local device functionality).

~~~
gumby
The first consumer router that supports a VLAN specifically designed for iot
devices should sell well. Who will be first?

~~~
bencollier49
Why would regular VLAN support not work to secure or segregate IoT devices?

~~~
dboreham
It would but most consumer devices don't support VLANs and if they did no
consumer would know how to configure them.

If you do need low cost VLAN-capable gear I've had success with TP-Link
switches and Mikrotik WiFi APs.

------
OJFord
> a misconfigured and Internet-facing Elasticsearch database without a
> password." If this wasn't bad enough, a Kibana web-based app, there to make
> navigating through the data easier, had no password protection.

That's not even really 'exposed in breach', that's just 'exposed'.

~~~
quickthrower2
If the Kibana app wasn't exposed I could surely host my own and connect it to
the same exposed Elastic Search.

It's like saying "someone stole my keys ... and if that wasn't bad enough they
got the key ring!"

~~~
OJFord
I think in some sense having an admin interface exposed as well as the admin
API is 'worse'.

I completely agree that it doesn't make it less secure, but it does make it
more.. 'oh come on'. I mean, nobody who was using it legitimately realised?

------
monocasa
You know what they say: it's the 'S' in 'IoT' that stands for security.

~~~
TickleSteve
this is simply server security... the application happens to be classed as
IoT, but this has nothing to do with the IoT aspects.

~~~
hallihax
If the functionality of your home depends on a privately owned, 3rd-party
server, then I'd say it very much highlights the potential risks of IoT
devices / applications.

~~~
SmellyGeekBoy
My electricity, gas, water etc all come from 3rd-party providers and work just
fine. Probably because they're all heavily regulated.

(FWIW I don't have any IoT devices in my house)

~~~
hallihax
They work just fine because you don't need to log in to your electricity meter
to turn your lights on.

------
userbinator
IMHO more disturbing than the lack of security is the fact that people will
willingly put these products in their house that phone home to a central
database.

I'm not into the whole IoT thing but if I really had a need to control
something from anywhere on the Internet, it would not rely on a centralised
third-party service.

~~~
sureaboutthis
I will immediately tell my Mom to not rely on such services and install
something else.

~~~
RHSeeger
You mock, but that's exactly what you should be doing; telling your mother she
doesn't need an IoT toaster.

~~~
sureaboutthis
That's not the point I made to the statement he made so your comment has
nothing to do with this.

------
class4behavior
>It's unknown if anyone has taken advantage of the vulnerability (yet) and, as
of July 1, the database was still accessible with no password protection.

And this article had been published today... The database had been closed a
day later on July 2.

Here is the original report instead of a Forbes article:
[https://www.vpnmentor.com/blog/report-orvibo-leak/](https://www.vpnmentor.com/blog/report-orvibo-leak/)

~~~
canofbars
It most certainly has been taken advantage of. Bots crawl the internet
checking for services on default ports without a password.

I was a victim of this recently when I got reports that my web app was down
and when I investigated it I saw there was a password on redis preventing the
app from connecting. I then found out the redis docker container was accepting
connections from the outer internet with no password and someone had connected
in and set a password on it (Probably just to alert me to the fact it was
exposed). Thankfully there was basically nothing in redis so no user data was
exposed.
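The story above is the usual shape of these incidents: a service on its default port, bound to every interface, with no password. The check below is an added example (not canofbars' code, and not from the article): it reads the output of `ss -ltn` on a Linux host and names the data-store and admin services that are listening on a wildcard address. The port-to-name map is an assumption covering the services this thread keeps mentioning; the sample `ss` output is constructed so the function can be tried offline.

```shell
#!/bin/sh
# Added example, not from the thread: list data-store / admin services that are
# listening on every interface, from the output of `ss -ltn` (Linux). The
# port-to-name map is an assumption covering the services this thread keeps
# mentioning; extend it for your own stack. Real use:  ss -ltn | exposed_listeners
exposed_listeners() {
    awk '
    BEGIN {
        name["9200"] = "elasticsearch"; name["9300"] = "elasticsearch-transport"
        name["5601"] = "kibana";        name["6379"] = "redis"
        name["27017"] = "mongodb";      name["3306"] = "mysql"
    }
    $1 == "LISTEN" {
        # Column 4 is Local Address:Port; the port is whatever follows the last
        # colon, which also handles bracketed IPv6 such as [::]:5601.
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        wildcard = (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        if ((port in name) && wildcard)
            printf "EXPOSED %-24s %s:%s\n", name[port], addr, port
    }'
}

# Constructed sample output (not from any real host) for trying the function
# offline: ES and Kibana on the wildcard address, Redis correctly on loopback,
# SSH not in the map and therefore ignored.
sample_ss() {
    printf '%s\n' \
      'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process' \
      'LISTEN 0      128    0.0.0.0:22          0.0.0.0:*' \
      'LISTEN 0      4096   *:9200              *:*' \
      'LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*' \
      'LISTEN 0      4096   [::]:5601           [::]:*'
}

sample_ss | exposed_listeners
```

Run against the sample it reports only Elasticsearch and Kibana; Redis on 127.0.0.1 is the configuration the Redis story above ended up needing. A loopback-only bind is not a substitute for authentication, but it removes the case that internet-wide scanners actually find.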

------
walrus01
The Twitter account "internet of shit" tracks these sort of things.

Mark my words, eventually the world is going to see some sort of Fukushima
scale internet of shit disaster caused by poor security/architecture. I'm not
sure what form it will take, maybe mass pwnage of a device as commonplace as
Amazon echo or Google home, but it will be bad.

~~~
mrweasel
Agreed. We're putting devices that need to be highly secured, ideally network
separated, in the hands of normal people. People who either don't know that
they should update their routers, or simply don't care.

At the same time, IoT devices are being sold by companies who think that a 10
years support cycle is "a long time" and who frequently will drop support for
devices when new models are released. The same companies often have terrible
models for customer support.

I was at a presentation of Microsoft's Azure Sphere OS. The presenter proudly
proclaimed that they would have 10 year support cycle. Apparently I was the
only one in the audience who felt that 10 years is at least 5 years short of
what is needed.

~~~
canofbars
10 years is probably longer than most of these iot companies have been around.
Most of these devices probably get 1 year updates max before support being
dropped.

------
Aardappel
They were trying to expose more than 2 billion records, but had to stop when
the record count went to -2 billion.

------
ridaj
How do researchers just "come across" these massive data dumps

~~~
Fordec
Brute force search and intuition for areas to target (eg. likely open ports,
dictionary attacks)

~~~
glenneroo
Does brute forcing still work these days? I thought the wild-west free-for-all
scanning days would have ended, as ISPs (or someone in the routing chain)
would block such attempts? I haven't tried since the 90s because I'm slightly
paranoid about being classified as an evil hacker. Somewhat relatedly, my bank
recently wouldn't let me login (cryptic error message) because they started
using a "trusted IP scanner service" in the UK which had marked me as a proxy,
probably because I was running a Tor Relay last year. I had to send multiple
unblock requests, all of which were denied with canned responses that no, they
won't reclassify my IP. Only when I mentioned that I couldn't login to my bank
account did they finally unblock me. Point of my story is that it sure feels
like more gatekeepers are being implemented to stop "nefarious" operations.

~~~
Fordec
The thing about standard practices is that they don't come as standard. For
every 10 fort knox, there's at least one place with the side door left ajar.
You only hear about those instances when a hack makes the news in a sort of
reverse survivorship bias

~~~
glenneroo
So you're saying I could brute force scan IPs for vulnerabilities and won't
have to worry about being denied access by e.g. my ISP, CloudFlare, AWS, etc?

~~~
Fordec
There will be access denials, but don't use your laptop IP and change up when
it becomes a blocker. IPv6 has so many anyway you won't run out

------
gumby
> The information in the database belonged to Orvibo

Would things meaningfully become more secure if we had a legal framework under
which the information in the database belonged to each consumer? Or would a
simple click-through license make that moot?

------
MrGilbert
Does anyone know a decent tutorial or explanation, how to "secure" one's
network with IoT devices in it?

For instance, all my lights are controlled using IKEA's TRÅDFRI solution.
Also, they are integrated into my own HomeAssistant instance (dockerized),
which runs on my Unraid machine, which also hosts my data shares. Then we have
FireTV's, Echo's, we have a Xiaomi vacuum robot, and so on. The FireTV should
be able to access the data shares for playing back movies. Alexa can control
our lights, too.

I'm still struggling to find a "one size fits all" solution.

~~~
dillonmckay
VLANs would help, but you need routers and switches, and APs that support
that.

You would restrict/allow certain ports between VLANs, only allowing the port
traffic you want.
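The policy m34 describes at the top of the thread (IoT devices on their own hostapd network that cannot reach the home LAN or the Internet) and the port-level allow rules mentioned here can be written down as a small iptables script. The one below is an added example, not code from either commenter: it assumes a Linux box routing between an IoT interface `wlan0` and a LAN interface `eth0`, an IoT subnet `192.168.50.0/24`, one hub host `192.168.1.10` (a HomeAssistant box, say) that is allowed to open connections to the devices on ports 80 and 443, and nothing else. All of those names and numbers are placeholders. By default it only prints the iptables commands; setting `IPT=iptables` applies them.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux box acting as the IoT network's
# AP/router (e.g. hostapd on a Pi) gets a firewall policy where devices can
# reach neither the home LAN nor the Internet, while one hub host on the LAN
# may open connections to them on chosen ports. Assumed names: wlan0 (IoT
# side), eth0 (LAN side), 192.168.50.0/24 (IoT subnet), 192.168.1.10 (hub),
# ports 80 443. Default IPT only prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"
IOT_IF="${IOT_IF:-wlan0}"
LAN_IF="${LAN_IF:-eth0}"
IOT_NET="${IOT_NET:-192.168.50.0/24}"
HUB_IP="${HUB_IP:-192.168.1.10}"
HUB_PORTS="${HUB_PORTS:-80 443}"

iot_isolation_rules() {
    # Dedicated chains keep the IoT policy auditable and easy to flush.
    $IPT -N IOT_FWD 2>/dev/null || true
    $IPT -F IOT_FWD

    # Replies to connections the hub opened may flow back; nothing else
    # originating on the IoT side is ever accepted.
    $IPT -A IOT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Hub -> device, only on the listed TCP ports.
    for p in $HUB_PORTS; do
        $IPT -A IOT_FWD -i "$LAN_IF" -o "$IOT_IF" -s "$HUB_IP" -d "$IOT_NET" \
            -p tcp --dport "$p" -j ACCEPT
    done

    # Log (rate-limited) and drop every outbound attempt from a device. The
    # log line is the detection signal: a device that suddenly tries to phone
    # home or to reach the LAN shows up in the kernel log with this prefix.
    $IPT -A IOT_FWD -i "$IOT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "IOT-EGRESS-DROP: "
    $IPT -A IOT_FWD -i "$IOT_IF" -j DROP
    # Anything else headed into the IoT segment (other LAN hosts, Internet)
    # is dropped as well.
    $IPT -A IOT_FWD -o "$IOT_IF" -j DROP

    # Hook the chain in front of whatever the FORWARD chain already holds.
    $IPT -D FORWARD -j IOT_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -j IOT_FWD

    # The router itself only serves DHCP to the devices: no SSH, no DNS,
    # no management interface reachable from the IoT side.
    $IPT -N IOT_IN 2>/dev/null || true
    $IPT -F IOT_IN
    $IPT -A IOT_IN -p udp --dport 67 -j ACCEPT
    $IPT -A IOT_IN -j DROP
    $IPT -D INPUT -i "$IOT_IF" -j IOT_IN 2>/dev/null || true
    $IPT -I INPUT 1 -i "$IOT_IF" -j IOT_IN
}

iot_isolation_rules
```

Because the chain is evaluated before the rest of FORWARD, an existing permissive "allow LAN to anywhere" rule does not reopen the IoT segment. Devices that need cloud access for their app to function will simply stop working under this policy, which is the trade-off m34 is describing.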

~~~
tomatocracy
And be careful with switches. You also (at least ideally) want switches which
don't expose their own management interface to your isolated VLAN (usually
this is called 'management VLAN' as a feature description). My experience is
that of the consumer level 'Web managed' switches, only the dlink ones do
this.

------
lysp
Further details here:

[https://www.vpnmentor.com/blog/report-orvibo-leak/](https://www.vpnmentor.com/blog/report-orvibo-leak/)

Which was posted a few days ago.

------
PedroBatista
Correct me if I'm wrong but isn't vanilla Elasticsearch open and insecure by
default? and password/token security features are only available in some paid
tier?

------
idiliv
How significant is the "two billion records" figure? According to the article,
the affected smart-home provider merely "claims to have more than a million
users around the world". So presumably this database contains a lot of
redundant information?

~~~
TickleSteve
each user has many records.... from the numbers, I'm guessing around 2000 each
(probably light-on... light-off... light-on... light-off).

------
petarb
People need to stop exposing their Elasticsearch clusters and Kibana to the
internet. A lot of these "breaches" lately have been because of this.

I hope Elastic makes it more difficult to make your cluster public by default
in future versions.

------
k_sze
I have never set up Elasticsearch or Kibana myself, but is the setup process
_secure-by-default_? i.e. generate a random password or key by default, and
then you have to go out of your way to unsecure it?

~~~
kzrdude
I hope it has changed since I set up elasticsearch v5, which supports neither
authentication nor TLS without plugins.

~~~
Jonnerz
Nope it's very much still unsecure by default.

~~~
k_sze
Then aren’t those services/products partly to blame? There should be very few
legitimate reasons to leave those things unsecured, no?

~~~
tastroder
I'd be hard pressed for blaming them tbh. I think the reasoning is that these
are internal services you should put behind whatever measures you have put in
place anyway and not expose otherwise. While the previous comment is
technically correct about being unsecure by default, they also don't listen to
the outside world (see [1], network.host) by default. I've always thought that
makes sense for elastic tbh, security isn't their core business so by leaving
that part up to you they avoid screwing it up.

[1] [https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html](https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html)
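The point made above is that the dangerous state is a combination: `network.host` changed away from its loopback default while authentication stays off. An added example (not tastroder's code and not an Elastic tool) that reads an `elasticsearch.yml` on stdin and reports that combination. It assumes `network.host` is a single value rather than a list, that an unset `network.host` means the documented default `_local_`, and that an unset `xpack.security.enabled` counts as disabled, which is the pre-8.x default. The three configs at the bottom are constructed for trying it.

```shell
#!/bin/sh
# Added example, not from the thread or from Elastic: read an elasticsearch.yml
# on stdin and say whether the node would listen beyond loopback without
# authentication. Assumptions: network.host is a single value (not a list),
# unset network.host means the documented default _local_, and an unset
# xpack.security.enabled counts as disabled (the pre-8.x default).
# Exit status: 0 when loopback-only or authenticated, 1 when exposed.
es_exposure_check() {
    awk '
    /^[[:space:]]*#/ { next }                       # skip comment lines
    /^[[:space:]]*network\.host[[:space:]]*:/ {
        sub(/^[^:]*:[[:space:]]*/, "")              # drop the key
        sub(/[[:space:]]*#.*$/, ""); sub(/[[:space:]]+$/, "")  # trailing comment / blanks
        gsub(/"/, ""); host = $0
    }
    /^[[:space:]]*xpack\.security\.enabled[[:space:]]*:/ {
        sub(/^[^:]*:[[:space:]]*/, "")
        sub(/[[:space:]]*#.*$/, ""); sub(/[[:space:]]+$/, "")
        sec = $0
    }
    END {
        if (host == "") host = "_local_"
        loopback = (host == "_local_" || host == "127.0.0.1" || host == "localhost" || host == "::1")
        if (loopback) { print "OK: bound to loopback only (" host ")"; exit 0 }
        if (sec == "true") {
            print "WARN: reachable on " host ", authentication enabled; check TLS and firewalling"
            exit 0
        }
        print "EXPOSED: reachable on " host " with xpack.security.enabled=" (sec == "" ? "<unset>" : sec)
        exit 1
    }'
}

# Constructed configs (not from any real deployment) to try the check on.
safe_cfg()    { printf '%s\n' '# default install, network.host untouched' 'cluster.name: home'; }
exposed_cfg() { printf '%s\n' 'cluster.name: home' 'network.host: 0.0.0.0'; }
guarded_cfg() { printf '%s\n' 'network.host: _site_' 'xpack.security.enabled: true'; }

safe_cfg    | es_exposure_check
exposed_cfg | es_exposure_check || true
guarded_cfg | es_exposure_check
```

The `_site_` case still only gets a warning: binding to a site-local address is what the cited reference page describes for joining a cluster, and whether that is acceptable depends on the firewall in front of it, which a config file cannot show. A real-world run is `es_exposure_check < /etc/elasticsearch/elasticsearch.yml`.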

~~~
SmellyGeekBoy
The same could be said about MySQL - but even that switched to entering a root
password and disallowing root login, as well as not binding to any network
interfaces until explicitly configured to do so. Of course this can all be
overridden with simple config changes but it's relatively "secure by default".

(just to pick an example I'm familiar with).

------
quickthrower2
Eerie as I am working on an unsecured ES instance and then I see this. My one
is just for playing though. No sensitive data there :-)

~~~
dillonmckay
What is the IP address?

;)

~~~
quickthrower2
77.89.79.66 :-)

------
lelima
I wonder what's the worst possible scenario, having access to your home
security cameras or more like using the email and password.

~~~
mobilemidget
Email access, people watching meh... I doubt they see something they don’t do
themselves, access to email however is way more information and a gateway to
more (online) access (probably including gaining access to cams)

~~~
oauea
Are you actually serious? If so, can you please post some pictures of your
genitalia and face here?

~~~
mobilemidget
The question was which would be the worst scenario, I gave my personal
opinion.

I did not explicitly say I would prefer neither to happen, but I wrongly
assumed that would not be necessary to write, my apologies.

