Update: Orvibo secured their Elasticsearch server and sent us details on the measures taken after receiving vpnMentor's report (the response is attached at the end of the story).

A publicly accessible ElasticSearch cluster owned by Orvibo, a Chinese smart home solutions provider, leaked more than two billion user logs containing sensitive data of customers from countries all over the world.

Orvibo provides its clients with smart solutions designed to help them manage houses, offices, and hotel rooms via smart systems that offer security and energy management, as well as remote control and data recording/analysis using a smart home cloud platform.

Among the devices Orvibo's smart home solutions allow its users to control, the company's cloud platform comes with support for interaction center, smart lighting, home security, HVAC, energy management, and home entertainment devices.

Sample of Orvibo leaked data

The exposed Orvibo database "includes over 2 billion logs that record everything from usernames, email addresses, and passwords, to precise locations" and it's still online given that the company did not respond to vpnMentor's research team, who reached out on June 16.

As the researchers also state, "as long as the database remains open, the amount of data available continues to increase each day," with users from all over the world including China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil being affected by the data leak.

Among the customer data exposed by the unprotected Elasticsearch cluster were:

• Email addresses

• Passwords

• Account reset codes

• Precise user geolocation

• IP addresses

• Username & UserID

• Family name & Family ID

• Device name & Device that accessed account

• Recorded conversations through Smart Camera

• Scheduling information

The database leaked account reset codes that might allow potential attackers to lock Orvibo users out of their accounts without the need of using the users' passwords in the process.

To make things even worse, by changing both the password and the email address, an attacker could make the account unrecoverable, providing hackers with "full control of their smart home devices."

The vpnMentor research team found that "the video feed from the smart cameras is easily accessible by entering the owner’s account with the credentials found in the database" for users who added security cameras to their Orvibo smart home management accounts.

Also, unlocking the users' smart door locks combined with precise geolocation and schedules swiped from built-in calendar displays exposes them to home break-ins.

Sample Orvibo Smart Camera log

There is a small upside to all this given that Orvibo hashed its users' passwords. Unfortunately, they were hashed using MD5 without salt, which means that they could easily be cracked by a bad actor who gets his hands on them and who could subsequently take control of the accounts.

"If Orvibo had added salt to their hashed passwords, it would have created a more complex string that is far more difficult to crack," says vpnMentor's report.
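The following is an added example, not code from Orvibo or vpnMentor's report. It shows why unsalted MD5 is weak (identical passwords give identical hashes) and goes beyond the salt the report mentions by using a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256), upgrading legacy records at login. The record format, function names, iteration count and sample users are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware
PREFIX = "pbkdf2_sha256"  # record tag chosen for this example


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as described in the article; kept only to verify old records."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if record.startswith(PREFIX + "$"):
        try:
            _, iters, salt_hex, digest_hex = record.split("$")
            salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
            actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
        except (ValueError, OverflowError):
            return False  # malformed record: fail closed
        return hmac.compare_digest(actual, expected)
    return hmac.compare_digest(legacy_md5(password).encode(), record.encode("utf-8"))


def login(store: dict, user: str, password: str) -> bool:
    """Verify the password and upgrade a legacy MD5 record on successful login."""
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if not record.startswith(PREFIX + "$"):
        store[user] = hash_password(password)  # replace the unsalted hash
    return True


# Constructed sample data: two users who happen to share one password.
store = {"alice": legacy_md5("Sunshine-2019"), "bob": legacy_md5("Sunshine-2019")}
```

Before any login, `store["alice"] == store["bob"]`, which is the property that makes an unsalted dump cheap to attack in bulk; after both users log in, their records differ even though the password is the same.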

Securing ElasticSearch servers

Publicly-accessible ElasticSearch servers are constantly being discovered despite the core security features of the Elastic Stack becoming free according to an announcement made by Elastic NV on May 20.

"This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces" as per ElasticSearch's developers.

As ElasticSearch's developers also detailed back in December 2013, Elasticsearch clusters should only be accessible by users on the local network to make sure that only the owners of the databases can access them.

Elastic NV also urges admins to secure the ElasticSearch stack by "encrypting communications, role-based access control, IP filtering, and auditing," to configure passwords for their servers' built-in users, as well as to properly configure the cluster before deploying it.

While vpnMentor's research team contacted Orvibo to get the database down before publicly disclosing the data leak, we do not know if they also tried reaching out to CN-CERT to help them get in touch with the company and secure the DB. We asked vpnMentor if they did but had not received a response by the time this article was published.

BleepingComputer reached out to Orvibo and CN-CERT for comment and to secure the database but had not heard back at the time of this publication. This article will be updated when a response is received.

Update July 04 07:59 EDT: Orvibo secured the database and responded with the following statement: