Smart Home Maker SmartMate Leaks Customers Information Drew Wilson | July 7, 2019 Smart home devices are not immune to data leaks. SmartMate devices are vulnerable and had customer passwords exposed. Just two days ago, we reported on insulin pumps being recalled due to an IoT hack vulnerability. While it is scary that medical devices like that are being hacked, it seems that those aren’t the only things close to you that are vulnerable. According to a report on ZDNet, smart home device manufacturer SmartMate is leaking personal information including passwords through a leaky Elasticsearch server: According to a vpnMentor report shared exclusively with ZDNet, in the past two weeks, the database appears to have cycled through at least two billion log entries, with each entry containing data about an Orvibo SmartMate customer. The data for each log entry varied depending on the operation it was being logged, such as logins, password resets, device heartbeat (regular check-in), logouts, and others. Typical data that one can find in these logs included Orvibo customers’ email addresses, the IP addresses of the device checking in, Orvibo usernames, and hashed passwords. In some cases, there was also precise geolocation information, a customer’s family name, the device’s name, and information about the device’s scheduled operations (such as turning lights on at specific hours, or the home alert between specific intervals). All the entries that ZDNet analyzed were in Chinese, but vpnMentor researchers say they’ve also spotted log entries for users in Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. Data for customers in many other locations is most likely available, although, we have not specifically looked for it to confirm. The security incidences this month have taken a rather creative turn. Earlier this month, we also reported on a keys-to-the-kingdom cloud data leak that exposed TD Bank and Ford Motor Company. This over top of the insulin pump vulnerability mentioned above. One wonders what else we’ll be able to find this month. Drew Wilson on Twitter: @icecube85 and Facebook.