
Your IoT Product is Now Secure – But Your Privacy is Not

Updated: Jul 11, 2020


Update: As reported by ZDNet[1], an unknown hacker has defaced 15,000 unprotected Elasticsearch servers, most likely via an automated script. Secure your assets immediately to avoid testing your disaster recovery procedures!


Over the last several years we have grown accustomed to IoT breaches in which a fleet of toy Linux boxes is compromised because they were using the default administrative password, and then possibly recruited into a giant botnet to wreak DDoS havoc across the globe. Recently, a new class of compromise has emerged that has a broader scope of applicability. Wikipedia has recorded 8 breaches involving Elasticsearch database misconfigurations since November 2018[1].


In these breaches, all the information is available to whoever accesses the URL, returned as a series of key-value pairs (much like a “dictionary” in the Python language). This is not exclusively an IoT issue, but breaches in this class are relevant to any company that keeps lists of customer information in a collection indexed with something like Elasticsearch. Intruders can do an end-run around your security infrastructure using nothing more than the search engine's default settings.


VpnMentor’s security researchers found that Orvibo, a maker of home automation and security products, left their Elasticsearch database of 2 billion records on IoT devices open to the world. They also exposed a Kibana tool to make reading the database even easier[2]. The compromised data included poorly hashed passwords and clear text reset codes, device location, User ID, email addresses, schedule information in some cases, and considerable additional information.


The risks of this exposure cannot be overstated. An intruder could use this information to reset and lock customers out of their own accounts. A security device like a smart front door lock could be reset to allow easy entry and to provide directions to the customer’s residence from the locational data. The reputational risk for a company selling IoT security devices is enormous.


What does this mean for your security practices?


First, it appears that the potential for this breach was initially discovered by security researchers and not by actors with malicious intent. (No security audits were conducted to confirm this, however.) While it may be comforting to believe the bad guys are being overwhelmed by an army of shiny cyberwarriors, the business imperative to trim expenses makes it unlikely that robust, expensive, proactive defense will be enough. Even the most casual survey finds an ocean of database “low hanging fruit” that was exploited before it was found and fixed. Regardless, if it were your data you would be held responsible just as if it had been maliciously exploited.


Second, it is best practice to use some sort of automated service (DivvyCloud, for example, or Cloud Custodian for an open-source option) to check that all databases are secure. And buttress your controls with deployments that have the proper countermeasures in place by design.
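As an illustration of the kind of check such a service automates, here is an added example (written for this post, not code from DivvyCloud, Cloud Custodian or Elastic) that audits a flat elasticsearch.yml for the two settings behind the breaches described above: binding to every interface and leaving authentication off. The sample configs are constructed, and the check assumes the 7.x-era default in which security is off unless explicitly enabled.

```python
"""Audit a flat elasticsearch.yml for the 'open to the world' misconfiguration."""
from __future__ import annotations

# Constructed sample configs: the first is the exposed shape, the second is hardened.
EXPOSED_CONFIG = """\
cluster.name: customer-index
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
cluster.name: customer-index
network.host: 10.0.5.12   # constructed private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost", "_local_")
WILDCARDS = ("0.0.0.0", "::", "_global_", "_site_")


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Parse the dotted `key: value` lines elasticsearch.yml uses (no PyYAML needed).
    Comments and blank lines are skipped; nested YAML is out of scope for this check."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_es_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passed these checks."""
    s = parse_flat_yaml(text)
    findings: list[str] = []
    host = s.get("network.host", "_local_")  # Elasticsearch binds to loopback when unset
    # Assumption: security is off unless explicitly enabled (the 7.x-era default).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    reachable = host not in LOOPBACK  # anything but loopback is reachable off-host
    if host in WILDCARDS:
        findings.append(f"network.host={host}: bound to every interface")
    if reachable and not security_on:
        findings.append("xpack.security.enabled is off on a non-loopback bind: "
                        "anyone who can reach the port can read every index")
    if reachable and security_on and not tls_on:
        findings.append("HTTP TLS disabled: credentials and records cross the wire in clear text")
    return findings
```

Run `audit_es_config` over every node's config in your inventory and treat any non-empty result as a blocking finding, exactly as the automated services above would.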


The system will nevertheless fail sometimes, and the solution for that inevitability is to have proper information governance in place at all times. Catalog your information, and know its location and its cost to you if compromised. Ask yourself the question, “What is it worth to me to keep my information out of my competitor's hands?” This exercise allows you to benchmark your risk mitigation spend before you have an issue. An additional benefit is that at the time of a breach you'll have a plan that is compliant with the privacy laws being put into place rapidly throughout the world, which include legal requirements for things such as breach notification.


If anything here resonates with you or just hits a nerve, feel free to contact infoedge; we would be happy to help you find solutions that meet your business and information security needs.


[1] Wikipedia, Elasticsearch, https://en.wikipedia.org/wiki/Elasticsearch

[2] vpnMentor, https://www.vpnmentor.com/blog/report-orvibo-leak/
