Russian-based video surveillance solution leaked data
Kromtech Security Center researchers discovered a MongoDB instance belonging to iVideon that was unprotected and open to the public. It appeared to contain iVideon's entire user base, with logins, email addresses, password hashes, server names, domain names, IP addresses, sub-accounts, software settings, and payment settings information (we did not see any credit card data) for both individual subscribers and partners.
iVideon allows subscribers to aggregate, access, view over the Internet, and record locally or to iVideon's secure cloud storage nearly any Internet-capable CCTV camera, DVR system, baby monitor, web cam, nanny cam, or even phone, computer, and tablet cameras. It runs on almost any available platform (macOS, Windows, Linux, iOS, and Android) and is now built into the firmware of many security cameras. iVideon was founded in 2011 and, according to russia-today.com, had 200,000 users in 2014, at that time including large partners such as Rosneft and Honda. iVideon purports to have over 2,000,000 users today and to have added additional partners such as Google, Rostelekom, DHL, and many others. They are now the largest video security company of their kind.
Tables found within the database and the number of records for each:
iVideon responded quickly when notified of their publicly open database and took it down.
iVideon followed up with a response after their investigation:
The server was used for load testing of our auth APIs in Feb 2016. Our testing policy has been revised since then in 2017, so we're confident that security issues of that kind won't happen again.
The DB was populated with accounts & devices of several hundred Ivideon users marked for participation in beta-testing (Ivideon employees & external early adopters, mostly from Russia), copied multiple times to simulate some growth scenarios.
User info only included email, IP address and password hashes produced by a strong Bcrypt algorithm. No information related to payments, usage stats or means of getting access to user's private data was present in the compromised DB.
Partner data seen in the DB was real, containing only partner companies' names and UI settings for their apps.
Networking stats for the last year, collected on the router through which the compromised server was connected, show that egress bandwidth usage was very low and constant for the whole time. This makes us believe that the data had not been downloaded in full by anyone. Also, for us it yet again proves that one should not pay ransom for their data, as this is most likely a complete scam.
In view of all of the above, we are confident that none of our users are under any serious threat, and consider that a minor security incident. Ivideon will reach out to non-employee users present in the DB, but it's unlikely that we will make any public statement.
Last but not least, we appreciate Kromtech Security's reaching out to us with their findings. Thanks for helping us in improving our product's security.
We applaud iVideon's rapid response to the issue: they immediately took down that server upon notification and began investigating. We also definitely agree that one should not pay ransom in cases such as this; we've seen that it's nothing but a scam. Their ability to quickly ascertain that only some of the deleted data was real, and that aggregate traffic statistics on a router prove to them that it was not stolen, will come as a relief to those who had real data in that database. Those users should also be pleased to know that they solved this issue in 2017, so that the data we found this year won't be found again.
The data, however, did not look sanitized to us. In the samples we saw before the database was deleted, the password hashes, domain names, email addresses, server addresses, and other entries all varied and appeared to be legitimate. The number of users in the database also seems to correspond with the number of users iVideon might likely have had in 2016, if you chart its growth between 2014 and today.
While we question the security design behind a system which resets its firewall rules to expose internal development machines after a power-cycle, we do believe their time frame of exposure and that they found little information in their MongoDB logs.
We already know the length of time it takes for an unprotected MongoDB instance to be compromised (see our research on that subject here). Additionally, our researchers noticed that after they discovered and reported it to iVideon, and prior to iVideon taking it down, this database was compromised in the same fashion.
That attack would have left iVideon with little to find in their logs, as their CTO reports. It is interesting to note that the ransom demand for 0.2 bitcoin had two payments made to its wallet; we are assuming from iVideon's response above that these came from other victims.
Our takeaway from this is the importance of security at every stage of your development process. It could even be argued that your development network must be one of your most secure networks, for it contains your intellectual property. As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some long-lost personal information for an unknown number of iVideon subscribers, but for others it could be critical intellectual property or even an entire subscriber base that is exposed.
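A firewall is only the outer layer; an instance like the one found here is also exposed because mongod itself accepted unauthenticated connections on every interface. The following added example (our illustration, not iVideon's configuration or any tool of theirs) audits a mongod.conf for the two settings that matter most: a public bind address and authorization left disabled. The sample configs are constructed; the minimal parser assumes the flat `section:` / `  key: value` layout mongod.conf uses rather than full YAML.

```python
"""Audit a mongod.conf for settings that leave the instance open to the Internet."""

# Constructed sample: the kind of config that produces an open test database.
EXPOSED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from every interface
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: bound to loopback plus one internal address, auth enforced.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Flatten the two-level config into {'net.bindIp': '0.0.0.0', ...}."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                result[key] = value
        else:
            result[f"{section}.{key}"] = value
    return result


def audit(text):
    """Return a list of findings; an empty list means no exposure was detected."""
    conf, findings = parse_conf(text), []
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    bind = conf.get("net.bindIp")
    if bind_all or (bind and any(a.strip() in PUBLIC_BINDS for a in bind.split(","))):
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    elif bind is None:
        findings.append("net.bindIp not set: releases before 3.6 listened on all interfaces by default")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that connects can read every collection")
    return findings
```

Run it against the real config file (`audit(open("/etc/mongod.conf").read())`) as a pre-deployment check, and treat any non-empty result as a blocker, even on a load-testing box.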
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.