A Cybernews research team discovered a huge exposed data server on June 25th. The server contained 3GB of personal information and telemetry from iPhones equipped with an app known as "Home V." According to the log samples, the data is related to the Home V app, which is used to manage Virtavo security cameras.
The unsecured server ran Elasticsearch, a data analytics and search engine, and exposed logs containing phone numbers, device identifiers, IP addresses, and firmware versions, among other details about the devices, the network, and the users.
The logs are suspected to be diagnostic reports that were updated in real time and appear to have been used for performance monitoring or troubleshooting. As a result of the server's malfunction, more than 8.7 million records were left on the server. Several snapshots were duplicates, and some unique identifiers had up to 50 snapshots at the same time.
The researchers estimated that over 100,000 unique users could be affected by the exposed server, which contained 3GB of personal information and telemetry from iOS devices.
During the summer of 2023, all of the exposed information had one thing in common: it was generated by an app called Home V, which managed Virtavo security cameras. These cameras were capable of streaming videos, playing back videos, communicating with each other, receiving motion alerts, etc. However, indoor surveillance cameras are vulnerable to hacking techniques, which can pose significant security risks.
A common vulnerability is that many wireless cameras are pre-configured with usernames such as "admin" and easily guessable passwords such as "admin," "888888," or "123456".
Attackers exploit these weak credentials by scanning for online cameras and trying these standard login details to gain unauthorized access. This can be addressed by using a password manager, which generates and stores strong, unique passwords to prevent these attacks.
Password security is a significant concern for many people, especially when transmitting unencrypted data.
Even though users can update a camera's password, some devices still transmit this information unencrypted over the internet. Consequently, the password can be intercepted by attackers and then used to access the camera. In some cases the Wi-Fi password is also transmitted unencrypted, further undermining the security of the user's network.
In particular, one of the most severe threats is the possibility of a full camera takeover, in which attackers gain access to the device at the root level.
With this level of access, attackers can fully control the camera. They can tamper with it, alter its settings, and even install malware on it, turning the surveillance camera into a tool for further malicious activities.
To minimize these risks, users must protect their security systems with strong passwords, encrypt their data, and stay abreast of potential vulnerabilities.
The exposed logs contained a wide range of critical information regarding the user and the device, raising concerns about data security and privacy.
Among other things, the logs contained information regarding the device and software, such as the version of the app, the device model (e.g., iPhone12,5, which corresponds to the iPhone 11 Pro Max), the operating system, and the firmware version, as well as details regarding video decoding, including the use of video decoding software such as "VideoTool Box" to decode H.264 files.
Information related to the user’s network was also collected, including their country code (e.g., CN for China), their IP address, which identified the server's physical location, their connection type, such as “cellular,” and information about the network operator and settings.
The exposed data also contained user accounts linked to phone numbers or email addresses, unique user identifiers (User IDs and UUIDs), and numeric device identifiers.
The data also included performance metrics, such as how fast the video frame is decoded at the beginning of the video stream, which reflects video playback speed, as well as how strong the WiFi signal is, even if the connection type is cellular.
The log entries were also accompanied by timestamps indicating when they were created, server codes that could identify the servers that handled the requests (e.g., "sh" might indicate Shanghai), and the time zone offset of the device or server.
As a result of the comprehensive nature of this data, it becomes increasingly evident that users are exposed to a large amount of sensitive information, and robust security measures are essential to protect it.
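The field categories described above can be reduced before a diagnostic record ever reaches a log server. The following is an added example, not code from the Home V app or from the researchers' report: the field names, the sample record, and the choice of which fields troubleshooting needs are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Assumed field names: the page lists categories of data, not the log schema.
KEEP = {"app_version", "device_model", "os_version", "firmware_version",
        "decoder", "first_frame_ms", "connection_type", "timestamp"}
PSEUDONYMIZE = {"user_id", "uuid", "device_id"}  # needed to correlate reports
# Everything else (account phone/e-mail, operator, Wi-Fi signal, ...) is dropped.


def pseudonym(value, key):
    """Keyed hash: stable for correlation, not reversible without the key."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_ip(ip):
    """Keep only the network part (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def minimize(record, key):
    """Return the record with only the fields troubleshooting needs."""
    out = {}
    for name, value in record.items():
        if name in KEEP:
            out[name] = value
        elif name in PSEUDONYMIZE:
            out[name] = pseudonym(value, key)
        elif name == "ip":
            out[name] = coarsen_ip(value)
    return out


# Constructed sample record; every value is made up for illustration.
SAMPLE = {
    "app_version": "1.0.0", "device_model": "iPhone12,5", "os_version": "16.5",
    "firmware_version": "2.3.1", "decoder": "VideoTool Box",
    "first_frame_ms": 412, "connection_type": "cellular",
    "timestamp": "2023-06-25T08:00:00+08:00", "account": "user@example.com",
    "user_id": 48151623, "uuid": "constructed-uuid-0001", "device_id": 7700123,
    "ip": "203.0.113.77", "operator": "ExampleTel", "wifi_rssi": -61,
    "country": "CN", "server": "sh",
}

if __name__ == "__main__":
    for field, value in minimize(SAMPLE, b"constructed-demo-key").items():
        print(f"{field}: {value}")
```

The pseudonymization key has to stay out of the log store itself, otherwise anyone who reads the logs can recompute the mapping for guessed identifiers.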
In general, various data protection laws require businesses to limit data collection through data minimization and purpose limitation – in other words, they must collect only the amount of data necessary to achieve a specific objective.
Additionally, organizations are required to obtain express consent from individuals and to provide transparency on how the data is utilized. Otherwise, the exposure of user information could result in non-compliance and legal penalties.
"It appears the application collects a considerable amount of information beyond what is actually required to perform the application's basic functions, raising questions about whether data minimization is following data protection laws," the researchers wrote in their report.