
Billions of records exposed by company that makes smart home devices

Smart home technology has become so commonplace that anyone can have a Jetsons-style home without too much effort. Just pick up any number of smart gadgets, a powerful router, and an Alexa device and PRESTO — you can now control your entire house by voice! It’s one of the coolest parts about living in this day and age, and a sure sign that we’re living comfortably in the future.

Not everything about smart homes is rosy, however. Being internet connected, smart home devices are vulnerable to the same threats faced by your desktop PC. Things like malware and cryptomining are real dangers that can lurk behind smart home technology, and thanks to resilient hackers, they’re coming to your doorstep much sooner than you think.

Needless to say, these dangers are already apparent. A recent security hole is affecting smart home products from around the world. Thanks to a flaw in a manufacturer’s database, profiles on millions of customers are now unprotected on the web. These profiles contain personal data like location and passwords, and until the company fixes the flaw, that data is fair game for hackers and criminals!

How were millions of smart home device profiles leaked online?

Orvibo is a China-based manufacturer of smart home devices with a large global presence. The company claims to have more than a million users that have installed its products in homes and offices. What these users may not know, however, is that Orvibo keeps detailed activity logs for its range of products — and this information is stored in an online database with minimal security.

vpnMentor, a cybersecurity research firm, recently published an article alerting Orvibo users to a data leak on the company’s servers. The database used to store consumer profiles is unprotected and open, meaning anyone with the know-how to find this information can see everything from user locations to IP addresses and even passwords!

 


The products affected consist of nearly all of Orvibo’s offerings, and the database makes no clear effort to conceal the information other than some basic encryption for passwords. Even this encryption is weak compared to more modern methods.

What’s more, account reset codes are easily accessible, making it a simple process for a bad actor to reset a user’s password if they desired.

What can hackers do with my smart home devices?

Using the information on Orvibo’s database, it would be relatively easy to build a complex picture of any given user. The database contains a number of telltale entries like location, username, device ID, and email addresses. So anyone with basic knowledge of the user would be able to identify them with these bits and pieces.

Hackers can do more than just find personal information, however. Since the passwords are only weakly encrypted, cracking them is much easier. Once obtained, a password grants administrator privilege to the devices themselves — which can lead hackers to run chaotic pranks or worse on their victims.

Over the internet, a hacker could easily turn off lights or prevent electrical outlets with a smart plug installed from running. They could easily shut off TVs, change what’s playing, or rapidly raise the volume to scare users or create noise complaints.

If the idea of hackers getting into your computer makes your skin crawl, just imagine how much worse it is for hackers to make their way into your home.

How can we protect ourselves from this data breach?

Sadly, as with most Internet of Things-enabled devices, there isn’t too much that can be done to protect yourself from misuse of their functions by bad actors. Many of these devices lack a formal interface you can use to secure your data.

In the case of the Orvibo devices, there’s no way to stop them from logging your activity or storing the data on the company’s servers. Right now, your best defense is to practice general online safety and avoid attracting attention that may lead hackers to target you and your home.

 


Thankfully, vpnMentor isn’t taking the issue lying down and has repeatedly reached out to Orvibo for comment and clarification. It’s pushing the company to close the breach and protect its users from any further harm.

So far, Orvibo hasn’t responded, but by raising awareness of the issue, vpnMentor has done a great service to countless smart home device users around the world.

One can only hope the breach is closed sooner rather than later. As much as we might invest in home security systems and personal self-defense items, there’s no real way to protect yourself against an enemy that’s miles away and can’t be seen. I don’t know about you, but if companies continue to be this careless with their devices, can we even call them “smart devices” anymore?
