2 Billion Records Exposed In Massive Smart Home Device Breach

Another example of why you need to protect your home network that has IoT devices connected to remote servers…

If you use Orvibo products you need to take action.

Creating VLANs to create private networks which limit these types of devices from talking to the outside world should move to the top of your to-do list.

Be Safe!!! :squid:

And the clueless company says they are secure because they closed the barn door after all the horses fled.

1 Like

While this is good advice, it would have done nothing to protect you from this “data breach”. I put that in quotes because it’s hard to call something a breach when all you have to do is point a browser or a database client at an IP address and ask for the data. They exposed their central database to the Internet without a password.

But that is why setting up VLANs and protecting your devices isn’t going to help. If I understand correctly, most of the Orvibo products require access to their cloud servers to use them. So you can’t prevent these devices from talking to the outside world without turning them from smart devices to dumb devices.

If there is a lesson to learn here and any actions to take, it is to not rely upon a third party’s cloud service to control your devices. That will likely significantly narrow your choices, especially in the IP camera area.

Setting up VLANs and firewall rules is still a good idea, but that isn’t the lesson to draw from this incident.

3 Likes

You mean the current goals of major businesses are designed for their benefit & not ours?
You don’t say! :roll_eyes::roll_eyes:

1 Like

I would put it in a different way.

Everything we do online is built on a web of trust. Before you give sensitive data to a third party, you need to at least do a minimum amount of effort to determine whether they can be trusted with your data.

When dealing with American or European companies, that trust is reasonably well placed because there are laws and regulations in place that make the consequences of incompetence or negligence in protecting user’s data exist, though they should be much more severe than they are. Companies in other parts of the world do not “suffer” under these sorts of constraints. A massive case of incompetence like this has very little impact beyond a temporary drop in sales, because even corporate customers rarely do their homework on stuff like this.

But note, I’m not saying that any company is trustworthy with your data. They can and will close down services. They can and will brick your devices or a feature of your device that you depend upon. They are also vulnerable to being hacked, incompetence, and neglect despite the consequences.

The only way to protect yourself and your data is to not rely upon these cloud services to control your home automation devices. But there is a problem here because the average Joe user is not capable of setting up a home automation system that is wholly local (no cloud services) yet remotely accessible. So each user needs to make a risk/benefit assessment. Is the benefit I get from using the service high enough to assume the risk of trusting that third party with my data?

3 Likes

Could not agree more!

That was also the original vision of SSL certificates but it has now turned into “silos of trust” controlled by corporations :frowning:

Agreed.

OH has helped some. I think Home Assistant is attempting to become “easy to use” while neglecting stability & fitness for purpose. The install image they are pushing even requires an Internet connection to reach Google’s NTP servers :angry:

I don’t think that’s ever been an expectation of SSL certificates. The whole PKI model that SSL/TLS is built upon is trusting the Certificate Authority to verify the identity of the user of a certificate it signs. “The CA trusts you so I trust you.” That is necessarily going to centralize the root of that trust in a few hands. Some of those CAs are worthy of the trust, others not so much (I’m looking at you Comodo and Symantec).

I think what might have been unexpected is the tolls the CAs would put in place. It can be expensive to get a cert signed by a CA, especially if you need strong or very strong authentication. But with the rise of Let’s Encrypt, even the cost has been addressed. Now anyone who can prove they own a DNS name can get a cert signed by a trusted CA for free.

But to go back to the point, the identity of all the websites that we go to relies upon our trusting that a third party (i.e. the CAs) has verified the identity of the website for us.

There are other models but they have significant drawbacks. For example, PGP could be used which is peer-to-peer. But in this case you are taking on the role of the CA. It is your responsibility to determine the authenticity of the person or service before trusting their certificate. Can you imagine the mess that would be involved if you had to go to the physical office of every major website you use to obtain their certificate so you can manually add it to your trust chain?

BTW, I strongly recommend doing this with family and friends. Mailvelope is a great browser plugin that even lets you PGP encrypt messages using gmail or other web based mail servers.

As someone who works professionally on closed networks pretty routinely I understand how frustrating that can be. But I do think it’s a reasonable requirement to expect the ability to access the Internet for a home automation system. openHABian requires internet access too because it reaches out to the apt repos to install everything. It doesn’t ship with its own .deb packages.

If you would have set up your device within the specified VLAN so that it never registered with the HOME PLANET…you indeed would have been protected because your data would not have been on the server. Too many people today feel comfortable plugging (or connecting via wireless) anything and I do mean anything into their home network without thinking at all about the security implications it could cause…even using cloud based services if you do your homework you can limit access via VLANs or other firewall rules, or do some research and only allow connections from known addresses/domains…yes it’s time consuming but nowhere near the time it would take if someone were to get access to your home network…steal banking information…imagine the time needed to recover from that.
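The “do some research and only allow connections from known addresses” step above needs data: which device is trying to reach which host. As an added example (not part of the thread, and not code from openHAB or any vendor), the shell function below summarises that from the kernel log lines a Linux netfilter `log` rule produces. The log prefix `iot-drop: `, the interface name and the sample log lines are constructed for this example; the field names (`SRC=`, `DST=`, `PROTO=`, `DPT=`) are the standard netfilter log format.

```shell
#!/bin/sh
# Added example: turn netfilter log lines for blocked IoT traffic into a
# per-device, per-destination summary. Feed it the kernel log (e.g. from
# journalctl -k or /var/log/kern.log) on stdin. Lines that do not carry the
# assumed "iot-drop: " prefix are ignored.

# Print "count src -> dst dport/proto", busiest pairs first.
summarize_iot_drops() {
    grep 'iot-drop: ' | awk '
    {
        src = dst = proto = dport = ""
        # netfilter log fields are KEY=VALUE tokens; pick out the ones we need
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dport = kv[2]
        }
        if (src != "" && dst != "")
            count[src " -> " dst " " dport "/" proto]++
    }
    END {
        for (k in count) print count[k], k
    }' | sort -rn
}

# Constructed sample log lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG='Jul  2 10:15:01 router kernel: iot-drop: IN=vlan20 OUT=eth0 SRC=10.0.20.14 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  2 10:15:03 router kernel: iot-drop: IN=vlan20 OUT=eth0 SRC=10.0.20.14 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  2 10:15:10 router kernel: iot-drop: IN=vlan20 OUT=eth0 SRC=10.0.20.21 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4321 PROTO=UDP SPT=123 DPT=123 LEN=56
Jul  2 10:15:11 router kernel: other-rule: IN=vlan20 OUT=eth0 SRC=10.0.20.21 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=5353'

# Run over the constructed sample; on a real router pipe the kernel log in instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_iot_drops
```

The output lists each device with the destinations and ports it keeps trying, which is exactly the list you need to decide whether a destination is legitimate (a vendor update server, an NTP pool) and worth a narrow allow rule, or a reason to replace the device.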

True, but then it COULD work off-net. The other forum had some people using a system where there is no Internet access. Network access does not necessarily mean Internet access although recent generations conflate the two, referring to the wireless network as the Internet here at a university.

The VLAN has nothing to do with that. A firewall rule would have. But if you had set a firewall rule that it never registered with the HOME PLANET, then the device would have been non-functional. This approach only works for devices that support local control. My understanding is some to all Orvibo devices are not controllable locally. If you want to use them for home automation you have to use their cloud and therefore have your data in their exposed database.

All of which is good advice. But useless advice if you have a device that requires cloud access to control it (e.g. Nest, Ecobee, Honeywell just to name thermostats).

Having devices on a VLAN protects you from lateral movement of an attacker. For example, someone compromises one of your IP cameras through a built-in back door. Now they are on your camera they can move around your network and compromise other devices, spy on your network, potentially steal data, more likely compromise other devices and install cryptominers. A VLAN limits what this attacker can see. That is all.

Special firewall rules on the other hand can block connections from the Internet or block connections from specific devices on your network to the Internet. This works whether you have VLANs set up or not. But, many of these devices may require Internet access to work. No firewall settings can give you both protection from having your data gathered by the cloud service and have a working device you can control if the device can only be controlled through the cloud service.

The only way to protect yourself from this is to use devices that can be locally controlled. Then and only then can you block them from the Internet and still be able to use them as a smart device.

This is mixing risks. The breach above had nothing to do with hacking into your local network. There is nothing about this breach that would make that any more or less possible. The breach above is a case of a company gathering lots of information and not protecting it. Your home network is no more or less secure. Orvibo needs to worry about that for sure, but you don’t.

That’s not to say that your LAN isn’t at risk, but it will be from back doors or vulnerabilities in the devices, not a database breach.

When working to protect yourself and your network, it is very important to understand what you are protecting yourself from. “Secure all the Things” will always leave gaps, plus you will spend more effort than necessary and leave you with a false sense of security.

Thus, if you want to protect against an attack on your locally controllable devices, configure the firewall so they cannot reach the Internet and the Internet cannot reach them. If you want to protect other devices on your LAN from a compromised device on your LAN, limit how much of your network a compromised device can see. Ideally, devices wouldn’t even be able to see each other, only openHAB. VLANs are one way to do this. If you want to avoid the compromise described in the OP, you must not use devices that require cloud services, and for the devices you do use limit their ability to communicate with the Internet.

You must have locally controllable devices before VLANs or firewall rules can be used. Therefore not using devices that require cloud services is the root mitigation to avoid the compromise in the OP.
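The policy in the post above (devices cannot reach the Internet, the Internet cannot reach them, and devices see only openHAB, not each other or the rest of the LAN) is concrete enough to write down as firewall rules. As an added example, not code from the thread or from the openHAB project, here is an nftables ruleset for a router that carries an IoT VLAN. The interface name `vlan20`, the subnets, the openHAB address and the port list are assumptions; adjust them to your own network and to the ports your bindings actually use.

```shell
#!/bin/sh
# Added example: isolate an IoT VLAN with nftables so that locally controlled
# devices can only talk to the openHAB host. Everything else the devices send
# (to the LAN or the Internet) is logged and dropped, and nothing but openHAB
# may open connections toward them. Requires root and nftables to apply.

IOT_IF="vlan20"          # assumed: router interface for the IoT VLAN
IOT_NET="10.0.20.0/24"   # assumed: IoT VLAN subnet
OH_HOST="10.0.10.5"      # assumed: openHAB server on the trusted LAN

# Emit the ruleset for the given interface, IoT subnet and openHAB address.
iot_ruleset() {
    iot_if="$1"; iot_net="$2"; oh_host="$3"
    cat <<EOF
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Replies to connections that were already allowed in either direction.
        ct state established,related accept

        # Devices may reach openHAB on the ports the bindings use
        # (assumed: openHAB HTTP/HTTPS and an MQTT broker on the same host).
        iifname "$iot_if" ip saddr $iot_net ip daddr $oh_host tcp dport { 8080, 8443, 1883 } accept

        # Anything else leaving the IoT VLAN is logged, then dropped:
        # no device-to-device traffic, no LAN, no Internet.
        iifname "$iot_if" ip saddr $iot_net log prefix "iot-drop: " drop

        # Only openHAB may initiate connections toward the devices.
        oifname "$iot_if" ip saddr $oh_host accept
        oifname "$iot_if" log prefix "iot-inbound-drop: " drop
    }
}
EOF
}

# Load the ruleset into the kernel; run as root on the router.
apply_iot_ruleset() {
    iot_ruleset "$IOT_IF" "$IOT_NET" "$OH_HOST" | nft -f -
}

# Print the generated rules so they can be reviewed before applying.
iot_ruleset "$IOT_IF" "$IOT_NET" "$OH_HOST"
```

Note that the drop rules are logged: the first days after enabling this show you which of your devices quietly depends on a cloud or NTP server, which is the point at which you find out whether it is really a locally controllable device or one that needs the vendor’s servers to work.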

They can still DOS the rest of the network. You need real separate networks & routers to limit that.

One way to keep your local devices off the Internet is to use Z-Wave devices controlled by OH without any intervening hub.
Some hubs phone the information home anyway.

You can do this with VLANs with each having separate addressing…

The “V” stands for virtual. As a kid you may not remember network life before VLANs.

All VLANs use the same hardware. Separate networks on separate hardware joined with a router can prevent one network from causing a DOS (denial of service) on the others. With VLANs, one VLAN can have a large traffic load, denying service to other VLANs.

Again, as a security engineer (this is what we are talking about here, security engineering) you need to decide what risks you have (remember risk = likelihood * impact) and based on the severity of the risk determine which ones you will mitigate. The “cost” of the mitigation (time, money, lost opportunity, etc) should be less than the cost of the Risk.

To DOS the whole network would require there to be a hardware vulnerability. While those exist, they are more rare than software vulnerabilities. Thus the likelihood is lower. Is it worth investing in separate hardware instead of VLANs? It depends on the numbers you use in the risk calculation. For most home users the answer would be no, it’s not worth it and VLANs or a unified LAN are adequate.

@KidSquid, Bruse is right though. There are certain classes of DOS that would impact all the VLANs because they are working at the hardware level.

This stuff is hard. It’s impossible to “secure all the things” so you have to be strategic in what you do secure.

A network loop is an easy way to DOS a network without a hardware vulnerability. Modern enterprise switches have configuration options that can limit the impact though.

I don’t entirely agree with you. No one, OK, very few, at the moment can be trusted with our data. Yahoo, LinkedIn, British Airways, Adobe, Marriott etc.

The only real way is to always use pseudonyms if you have to protect yourself (assuming of course the horse has not bolted).

Trust is pointless today because you’ve no control or idea what Big Corp Ltd. will do tomorrow which puts your data at risk due to budget issues.

I assumed most have seen this site?

It’s a crazy ol’ world out there.

True and you, many times, have NO choice. Here is a report on one of my old email addresses. I have not knowingly done business or trusted the company that was breached. Apparently, I had no choice.

In this day and age, remaining completely anonymous on the Internet comes with a cost. That’s not a cost that many are willing to bear.

I assume most have seen https://gizmodo.com/i-cut-google-out-of-my-life-it-screwed-up-everything-1830565500?

Every action or inaction comes at a cost, either financial, time, opportunity costs or all of these. For many, the benefits far outweigh the risks. The most secure computer in the world is one that is embedded in concrete at the bottom of the ocean. It’s also completely unusable. If you want to protect all your data and not share it with anyone, cut the line and go live in the woods. Since that isn’t reasonable for most people then yes, they need to do a minimum amount of effort to determine whether they can trust that service with the data.

Trust is not absolute. I trust Reddit with my one account and its unique password. That doesn’t mean I’m going to post my credit card numbers in my account profile. I trust Google to handle my non-sensitive emails (I use PGP for those that are sensitive). That doesn’t mean I save usernames and passwords in a file in my Google Drive.

If you treat all your data that might be gathered by these corporations the same, then the opportunity costs are large. Often the opportunity losses are much larger than the risks to that data.

For a personal example, all my data was stolen in the OPM breach. I could have withheld that information. Of course I would have lost the opportunity to have my present career. That’s an extreme case but illustrative.

And in reference to haveibeenpwned.com, that is just a list of data breaches that have occurred where your email and perhaps a password (usually they are salted and hashed so still reasonably secure even though they have been released). In both cases you will get an alert. And the simple mitigation there is don’t reuse passwords, use a password manager and a unique randomly generated password for each and every website you have an account on. Further mitigation includes turning on 2-factor authentication on all sites that support it. With these two they can have your exact username and password but still not get into your account (if using 2 factor) or at most get into one of your accounts.

I’m not saying you have to trust everyone. But you have to trust some or you have to give up using the Internet entirely. And sometimes that trust needs to go multiple levels deep. For example, how do you know you are using your bank’s website and not some imposter? You trust that the CA who signed the website’s certificate verified the identity of the bank before issuing the certificate. If you don’t trust the CA, you have no way at all to verify that the website is owned by your bank.

If you don’t trust the CA then your only choice is to not use the bank’s website. This comes at a cost (time since you have to go to the bank during working hours to do anything and many banks charge extra to send you your statements on paper). You may not be willing to pay that cost. Others are willing to do so because the benefits outweigh the risks.