科技回声 (Tech Echo), a Hacker News mirror built on Next.js (data from the HackerNews API).
Two Billion Records Exposed in 'Smart Home' Breach

193 points, by louisstow, almost 6 years ago

17 comments

m34, almost 6 years ago
(tech) people tend to laugh at me/pull the tinfoil hat card for putting my dlink/iot stuff behind a very restrictive, dedicated, iptables filtered, hostapd based custom network running on my pi zero w that isn't allowed to talk to the home network or internet at all.

As mentioned by others, I guess it really needs severe identity theft/abuse with vital services until people realize that today's IoT 'plug & play' is worse than the level of 'plug & pray' we've seen in the early PCI/USB/Win98 era (that only impacted your local device functionality).
OJFord, almost 6 years ago
> a misconfigured and Internet-facing Elasticsearch database without a password." If this wasn't bad enough, a Kibana web-based app, there to make navigating through the data easier, had no password protection.

That's not even really 'exposed in breach', that's just 'exposed'.
monocasa, almost 6 years ago
You know what they say: it's the 'S' in 'IoT' that stands for security.
userbinator, almost 6 years ago
IMHO more disturbing than the lack of security is the fact that people will willingly put these products in their house that phone home to a central database.

I'm not into the whole IoT thing but if I really had a need to control something from anywhere on the Internet, it would not rely on a centralised third-party service.
class4behavior, almost 6 years ago
> It's unknown if anyone has taken advantage of the vulnerability (yet) and, as of July 1, the database was still accessible with no password protection.

And this article had been published today... The database had been closed a day later on July 2.

Here is the original report instead of a Forbes article: https://www.vpnmentor.com/blog/report-orvibo-leak/
walrus01, almost 6 years ago
The Twitter account "internet of shit" tracks these sort of things.

Mark my words, eventually the world is going to see some sort of Fukushima scale internet of shit disaster caused by poor security/architecture. I'm not sure what form it will take, maybe mass pwnage of a device as commonplace as Amazon echo or Google home, but it will be bad.
Aardappel, almost 6 years ago
They were trying to expose more than 2 billion records, but had to stop when the record count went to -2 billion.
ridaj, almost 6 years ago
How do researchers just "come across" these massive data dumps?
gumby, almost 6 years ago
> The information in the database belonged to Orvibo

Would things meaningfully become more secure if we had a legal framework under which the information in the database belonged to each consumer? Or would a simple click-through license make that moot?
MrGilbert, almost 6 years ago
Does anyone know a decent tutorial or explanation, how to "secure" one's network with IoT devices in it?

For instance, all my lights are controlled using IKEA's TRÅDFRI solution. Also, they are integrated into my own HomeAssistant instance (dockerized), which runs on my Unraid machine, which also hosts my data shares. Then we have FireTVs, Echos, we have a Xiaomi vacuum robot, and so on. The FireTV should be able to access the data shares for playing back movies. Alexa can control our lights, too.

I'm still struggling to find a "one size fits all" solution.
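The isolation m34 describes (an IoT access point that can reach nothing except the gateway's own DHCP/DNS, while a single controller host such as MrGilbert's HomeAssistant box may initiate connections into it) can be expressed as a short, ordered rule list. The example below is added here and is not m34's setup nor any project's code; the interface names (wlan0 for the hostapd AP, eth0 for the uplink), the 10.66.0.0/24 IoT range and the 192.168.1.10 controller address are hypothetical. The same rule objects render to iptables commands and are evaluated, first match wins with a DROP default, against constructed sample flows, so the policy can be checked before it is loaded on the Pi.

```python
"""Isolated IoT access point policy: one rule list that renders to iptables
commands and can be evaluated against sample flows (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Hypothetical names and addresses; adjust to the real Pi.
IOT_IF = "wlan0"                              # hostapd AP serving the IoT devices
UPLINK_IF = "eth0"                            # towards the home LAN / internet
IOT_NET = ip_network("10.66.0.0/24")
CONTROLLER = ip_network("192.168.1.10/32")    # e.g. the HomeAssistant host on the LAN


@dataclass(frozen=True)
class Rule:
    chain: str                          # "INPUT" (to the Pi itself) or "FORWARD"
    target: str                         # "ACCEPT" or "DROP"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstate: Optional[str] = None       # e.g. "ESTABLISHED,RELATED"

    def render(self) -> str:
        """The iptables command that installs this rule."""
        parts = ["iptables", "-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        if self.src:
            parts += ["-s", str(self.src)]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.ctstate:
            parts += ["-m", "conntrack", "--ctstate", self.ctstate]
        return " ".join(parts + ["-j", self.target])


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: Optional[str]               # None when the packet is addressed to the Pi
    src: str
    proto: str
    dport: int
    ctstate: str = "NEW"

    def matches(self, r: Rule) -> bool:
        chain = "INPUT" if self.out_if is None else "FORWARD"
        return (r.chain == chain
                and (r.in_if is None or r.in_if == self.in_if)
                and (r.out_if is None or r.out_if == self.out_if)
                and (r.src is None or ip_address(self.src) in r.src)
                and (r.proto is None or r.proto == self.proto)
                and (r.dport is None or r.dport == self.dport)
                and (r.ctstate is None or self.ctstate in r.ctstate.split(",")))


RULES: List[Rule] = [
    # Traffic the Pi itself accepts: loopback, replies, admin SSH from the LAN side,
    # and only DHCP/DNS from the IoT side.
    Rule("INPUT", "ACCEPT", in_if="lo"),
    Rule("INPUT", "ACCEPT", ctstate="ESTABLISHED,RELATED"),
    Rule("INPUT", "ACCEPT", in_if=UPLINK_IF, proto="tcp", dport=22),
    Rule("INPUT", "ACCEPT", in_if=IOT_IF, proto="udp", dport=67),
    Rule("INPUT", "ACCEPT", in_if=IOT_IF, proto="udp", dport=53),
    Rule("INPUT", "ACCEPT", in_if=IOT_IF, proto="tcp", dport=53),
    Rule("INPUT", "DROP", in_if=IOT_IF),
    # Forwarded traffic: replies to connections the controller opened may return,
    # only the controller may open connections into the IoT segment, and nothing
    # originating on the IoT side ever crosses the Pi (no LAN, no internet).
    Rule("FORWARD", "ACCEPT", ctstate="ESTABLISHED,RELATED"),
    Rule("FORWARD", "ACCEPT", in_if=UPLINK_IF, out_if=IOT_IF, src=CONTROLLER),
    Rule("FORWARD", "DROP", in_if=IOT_IF),
    Rule("FORWARD", "DROP", out_if=IOT_IF),
]


def verdict(flow: Flow) -> str:
    """First matching rule wins, as in netfilter; the chain policy is DROP."""
    for r in RULES:
        if flow.matches(r):
            return r.target
    return "DROP"


def render_script() -> str:
    """Shell lines that load the policy: default policies first, then the rules."""
    lines = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP"]
    return "\n".join(lines + [r.render() for r in RULES])


if __name__ == "__main__":
    print(render_script())
    print(verdict(Flow(IOT_IF, UPLINK_IF, "10.66.0.50", "tcp", 443)))   # IoT -> internet
```

Run it to print the ruleset; `verdict` lets you confirm that a NEW connection from an IoT device towards the LAN or the internet is dropped while the controller's connections into the segment (and their replies) pass. The Pi's own DHCP and DNS services are the only things the IoT side can reach, which is what keeps cloud-only devices from phoning home at all.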
lysp, almost 6 years ago
Further details here:

https://www.vpnmentor.com/blog/report-orvibo-leak/

Which was posted a few days ago.
PedroBatista, almost 6 years ago
Correct me if I'm wrong but isn't vanilla Elasticsearch open and insecure by default? And password/token security features are only available in some paid tier?
idiliv, almost 6 years ago
How significant is the "two billion records" figure? According to the article, the affected smart-home provider merely "claims to have more than a million users around the world". So presumably this database contains a lot of redundant information?
petarb, almost 6 years ago
People need to stop exposing their Elasticsearch clusters and Kibana to the internet. A lot of these "breaches" lately have been because of this.

I hope Elastic makes it more difficult to make your cluster public by default in future versions.
k_sze, almost 6 years ago
I have never setup Elasticsearch or Kibana myself, but is the setup process secure-by-default? i.e. generate a random password or key by default, and then you have to go out of your way to unsecure it?
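On the default-configuration question raised by PedroBatista, petarb and k_sze: releases before Elasticsearch 8.0 bind to loopback out of the box but do not require authentication, so pointing `network.host` at a routable address publishes an anonymous read/write REST API unless the X-Pack security features are switched on (free on the Basic license from 6.8/7.1; a paid tier before that). The example below is added here and is not code from the thread or from Elastic. It shows two checks a practitioner would run: classifying what an unauthenticated `GET /` and `GET /_cat/indices?format=json` return, and auditing a flat `elasticsearch.yml` for the weak settings beside their corrected form. All HTTP bodies and config snippets are constructed samples, not captured from any real host; the 10.0.1.5 address is hypothetical.

```python
"""Added checks for an Elasticsearch node reachable without credentials.
Sample responses and config files are constructed for illustration."""
import json
from typing import Dict, List, Tuple

# Constructed sample responses (status, body) for GET / on port 9200.
OPEN_ROOT = (200, json.dumps({
    "name": "node-1", "cluster_name": "docker-cluster",
    "version": {"number": "6.8.0"}, "tagline": "You Know, for Search"}))
SECURED_ROOT = (401, json.dumps({
    "error": {"root_cause": [{"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"}]},
    "status": 401}))
# Constructed sample for GET /_cat/indices?format=json on an open node.
OPEN_INDICES = (200, json.dumps([
    {"index": "users", "docs.count": "1000000", "store.size": "4gb"},
    {"index": "logs-2019.06", "docs.count": "2000000000", "store.size": "800gb"}]))


def classify_root(status: int, body: str) -> Dict[str, object]:
    """Interpret what a node returns to an unauthenticated GET /."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"elasticsearch": False, "open": False}
    if status == 200 and isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        # The banner came back to an anonymous caller: no auth in front of the REST API.
        return {"elasticsearch": True, "open": True, "cluster": doc["cluster_name"],
                "version": doc["version"].get("number")}
    if status == 401 and "security_exception" in body:
        return {"elasticsearch": True, "open": False}   # security enabled, creds required
    return {"elasticsearch": False, "open": False}


def index_summary(status: int, body: str) -> Tuple[int, List[Tuple[str, int]]]:
    """What an anonymous reader could enumerate: total docs and docs per index."""
    if status != 200:
        return 0, []
    rows = json.loads(body)
    per_index = sorted(((r["index"], int(r.get("docs.count") or 0)) for r in rows),
                       key=lambda t: t[1], reverse=True)
    return sum(n for _, n in per_index), per_index


# Constructed elasticsearch.yml snippets: the weak form beside the corrected one.
WEAK_CONFIG = """
cluster.name: docker-cluster
network.host: 0.0.0.0          # listens on every interface, public ones included
http.cors.enabled: true
http.cors.allow-origin: "*"
"""
HARDENED_CONFIG = """
cluster.name: docker-cluster
network.host: 10.0.1.5         # private address only (hypothetical); firewall 9200/9300 too
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def audit_config(yaml_text: str) -> List[str]:
    """Flag a node bound beyond loopback with authentication left off.
    Handles flat 'key: value' lines only (assumption; nested YAML is not parsed)."""
    settings: Dict[str, str] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    host = settings.get("network.host", "_local_")          # unset: loopback only
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if host in ALL_INTERFACES:
        findings.append(f"network.host={host} binds every interface, public ones included")
    if host not in LOOPBACK and not auth_on:
        findings.append(f"network.host={host} is reachable from the network but "
                        "xpack.security.enabled is not true: anonymous read/write API")
    if settings.get("http.cors.allow-origin") == "*":
        findings.append("http.cors.allow-origin=* lets any web page a user visits query the node")
    return findings


if __name__ == "__main__":
    print(classify_root(*OPEN_ROOT), index_summary(*OPEN_INDICES))
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
```

`classify_root` distinguishes the two outcomes that matter: a 200 banner to an anonymous request means the cluster is exactly as open as the one in the article, while a 401 `security_exception` means authentication is in front of it. `audit_config` catches the configuration that produces the first outcome before the node is ever started; note that the hardened snippet still assumes a host firewall, since enabling security protects the API but does not stop the port from being reachable.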
quickthrower2, almost 6 years ago
Eerie as I am working on an unsecured ES instance and then I see this. My one is just for playing though. No sensitive data there :-)
lelima, almost 6 years ago
I wonder what's the worst possible scenario, having access to your home security cameras or more like using the email and password.