(tech) people tend to laugh at me/pull the tinfoil hat card for putting my dlink/iot stuff behind a very restrictive, dedicated, iptables filtered, hostapd based custom network running on my pi zero w that isn't allowed to talk to the home network or internet at all.

As mentioned by others, I guess it really needs severe identity theft/abuse with vital services until people realize that today's IoT 'plug & play' is worse than the level of 'plug & pray' we've seen in the early PCI/USB/Win98 era (that only impacted your local device functionality).
> a misconfigured and Internet-facing Elasticsearch database without a password." If this wasn't bad enough, a Kibana web-based app, there to make navigating through the data easier, had no password protection.

That's not even really 'exposed in breach', that's just 'exposed'.
IMHO more disturbing than the lack of security is the fact that people will willingly put these products in their house that phone home to a central database.

I'm not into the whole IoT thing but if I really had a need to control something from anywhere on the Internet, it would not rely on a centralised third-party service.
> It's unknown if anyone has taken advantage of the vulnerability (yet) and, as of July 1, the database was still accessible with no password protection.

And this article was published today... The database was closed a day later, on July 2.

Here is the original report instead of a Forbes article: https://www.vpnmentor.com/blog/report-orvibo-leak/
The Twitter account "internet of shit" tracks these sort of things.

Mark my words, eventually the world is going to see some sort of Fukushima scale internet of shit disaster caused by poor security/architecture. I'm not sure what form it will take, maybe mass pwnage of a device as commonplace as Amazon echo or Google home, but it will be bad.
> The information in the database belonged to Orvibo

Would things meaningfully become more secure if we had a legal framework under which the information in the database belonged to each consumer? Or would a simple click-through license make that moot?
Does anyone know a decent tutorial or explanation of how to "secure" one's network with IoT devices in it?

For instance, all my lights are controlled using IKEA's TRÅDFRI solution. Also, they are integrated into my own HomeAssistant instance (dockerized), which runs on my Unraid machine, which also hosts my data shares. Then we have FireTVs, Echos, we have a Xiaomi vacuum robot, and so on. The FireTV should be able to access the data shares for playing back movies. Alexa can control our lights, too.

I'm still struggling to find a "one size fits all" solution.
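Picking up the isolated hostapd/iptables setup from the first comment and the segmentation question just above, here is an added example (written for this thread, not any commenter's own rules) of a default-deny forwarding policy for an IoT access point on a Pi, plus one narrow exception of the kind the FireTV-to-NAS case needs. Interface names, subnets and addresses are assumptions/placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: hostapd on wlan0 serves
# the IoT segment 192.168.50.0/24; the Pi's eth0 sits on the home LAN.
# Forwarding must be enabled (net.ipv4.ip_forward=1) for the LAN exception
# to work; with it disabled the IoT segment is simply air-gapped at layer 3.
IPT="${IPT:-iptables}"   # IPT=echo gives a dry run

# iot_isolate IOT_IF IOT_NET
# Installs a dedicated FORWARD chain for traffic entering from the IoT AP:
# only replies to flows the LAN side opened get through (so HomeAssistant on
# the LAN can still control devices); anything the IoT side initiates toward
# the LAN or the internet is logged (rate-limited) and dropped. The Pi itself
# answers DHCP and DNS on that interface and nothing else.
iot_isolate() {
  iot_if=$1 iot_net=$2
  $IPT -N IOT_FWD            # fails harmlessly if the chain already exists
  $IPT -F IOT_FWD
  $IPT -D FORWARD -i "$iot_if" -j IOT_FWD 2>/dev/null   # avoid duplicate jump
  $IPT -I FORWARD 1 -i "$iot_if" -j IOT_FWD
  $IPT -A IOT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A IOT_FWD -m limit --limit 5/min -j LOG --log-prefix "IOT-DROP: "
  $IPT -A IOT_FWD -j DROP
  $IPT -A INPUT -i "$iot_if" -s "$iot_net" -p udp --dport 67 -j ACCEPT
  $IPT -A INPUT -i "$iot_if" -s "$iot_net" -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -i "$iot_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$iot_if" -j DROP
}

# iot_allow SRC_IP DST_IP PROTO PORT
# One explicit exception, inserted after the ESTABLISHED rule and ahead of the
# drop: a single IoT device may open a single service on a single LAN host,
# e.g. a streaming box reaching the NAS on SMB (tcp/445).
iot_allow() {
  $IPT -I IOT_FWD 2 -s "$1" -d "$2" -p "$3" --dport "$4" \
    -m conntrack --ctstate NEW -j ACCEPT
}

# Usage (placeholder addresses):
#   iot_isolate wlan0 192.168.50.0/24
#   iot_allow 192.168.50.20 192.168.1.10 tcp 445
```

Anything the IoT side tries beyond the allowed flow shows up in the kernel log with the IOT-DROP prefix, which is a cheap way to learn what a device phones home to before deciding whether to permit it.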
Further details here:

https://www.vpnmentor.com/blog/report-orvibo-leak/

Which was posted a few days ago.
Correct me if I'm wrong, but isn't vanilla Elasticsearch open and insecure by default? And password/token security features are only available in some paid tier?
How significant is the "two billion records" figure? According to the article, the affected smart-home provider merely "claims to have more than a million users around the world". So presumably this database contains a lot of redundant information?
People need to stop exposing their Elasticsearch clusters and Kibana to the internet. A lot of these "breaches" lately have been because of this.

I hope Elastic makes it more difficult to make your cluster public by default in future versions.
I have never set up Elasticsearch or Kibana myself, but is the setup process secure-by-default? i.e. generate a random password or key by default, and then you have to go out of your way to unsecure it?