Aprilaire's Smart Home Device Exposed Over 1M Users Online
On Jan 19th I discovered an exposed dataset that contained a massive 1.2 billion records and 1.1 million “Logged in Users”. This is one of the largest datasets I have found in a very long time, and it contained a vast amount of potentially sensitive information. It was clear from the start that this was a logging and monitoring database that should not have been publicly available.
Upon further research there were references to Aprilaire, a division of Research Products Corporation. According to their website, Aprilaire is a manufacturer and distributor of indoor air quality products. Its products include air filters, water panels, thermostats, humidifiers, dehumidifiers, air purifiers, ventilators, range hoods, and more. Some of these devices can be connected to the internet and controlled by an application. The records indicated that this was a Remote Access Server that, I can assume, allowed connected devices to send data back to Aprilaire. This data was unencrypted, leaving a large amount of user data in plain text to anyone with an internet connection.
The danger of connected devices and the internet of things (IoT) is that any security breach could expose user and device data, configuration settings, and Wi-Fi and IP details online. One of the biggest security issues with IoT devices is that there are no universal security standards, and every manufacturer takes a different approach to device security. Often there is no patch management or anti-malware update schedule to help protect the device. Then there is the separate issue of where the data the device sends home is collected and stored, and how well that back end is protected.
What Was Exposed:
This was a “Smart Home Device”; it appears to be a Wi-Fi connected thermostat, and I also saw records that mentioned a humidity controller. This could indicate that other types of devices were exposed, but access was closed before I could fully review such a large data collection.
- Total Size: 484.7 GB / Total Docs: 1,253,375,546
- 1,108,423 logged in user details that contained user emails that could be targeted in a phishing campaign.
- The logs exposed device IDs, MAC IDs, timestamps and IP addresses of connected devices. This is a risk because devices that can be identified and located on the network could potentially be hacked or recruited into a botnet.
- Error logs also revealed weaknesses in the network that could be exploited. They also showed where data is stored and gave a blueprint of how the service operates on the back end.
- Internal logging information such as content management and the configuration of the Aprilaire Remote Access Server.
- On another port of the same IP address was a remote desktop protocol service labelled “Admin”.
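When triaging an exposure of this size, the practical first step is to classify which kinds of identifiers the records carry (emails, MAC addresses, IP addresses, internal paths) and to produce a version of the evidence that can go into a disclosure report without the report itself containing the personal data. The script below is an added example written for this page, not code from the post or from Aprilaire; the log records in it are constructed to resemble the field types listed above and are not data from the exposed dataset. It counts distinct identifiers per category, then replaces each one with a keyed HMAC tag so that two records sharing a MAC address can still be shown to correlate.

```python
import hashlib
import hmac
import json
import re
from collections import defaultdict

# Constructed sample records loosely modelled on the field types the post lists
# (emails, device IDs, MAC addresses, IP addresses, timestamps, error text).
# They are invented for this example and are not records from the exposed dataset.
SAMPLE_RECORDS = [
    {"ts": "2023-01-19T14:02:11Z", "level": "INFO", "msg": "login ok",
     "user": "alice@example.com", "device_id": "T1-0001",
     "mac": "AA:BB:CC:DD:EE:01", "ip": "203.0.113.10"},
    {"ts": "2023-01-19T14:02:15Z", "level": "INFO", "msg": "telemetry",
     "device_id": "T1-0001", "mac": "AA:BB:CC:DD:EE:01",
     "ip": "203.0.113.10", "humidity": 41},
    {"ts": "2023-01-19T14:03:40Z", "level": "ERROR",
     "msg": "db timeout host=10.0.5.7 path=/var/lib/ras/config.yml"},
    {"ts": "2023-01-19T14:04:02Z", "level": "INFO", "msg": "login ok",
     "user": "bob@example.org", "device_id": "T1-0002",
     "mac": "aa-bb-cc-dd-ee-02", "ip": "198.51.100.7"},
]

# Identifier classes worth counting in an exposed log store. Order matters for
# pseudonymize(): each replacement tag is built so no later pattern can match it.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "path": re.compile(r"(?<![\w/])/(?:[\w.-]+/)+[\w.-]+"),
}


def normalize(category, value):
    """Canonical form so the same identifier in different spellings counts once."""
    v = value.lower()
    return v.replace("-", ":") if category == "mac" else v


def scan_record(record):
    """Return {category: set(normalized values)} found anywhere in one record."""
    text = json.dumps(record)  # flatten so nested fields and free text are both scanned
    found = defaultdict(set)
    for category, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            found[category].add(normalize(category, match))
    return found


def summarize(records):
    """Per category: how many distinct identifiers appear and how many records carry one."""
    distinct = defaultdict(set)
    records_with = defaultdict(int)
    for record in records:
        for category, values in scan_record(record).items():
            if values:
                distinct[category].update(values)
                records_with[category] += 1
    return {c: {"distinct": len(distinct[c]), "records": records_with[c]} for c in PATTERNS}


def pseudonymize(records, key):
    """Copy of the records with every identifier replaced by <category:hmac-prefix>.

    A keyed HMAC (rather than a plain hash) means the report cannot be reversed by
    brute-forcing small spaces such as MAC vendor ranges or IPv4 without the key."""
    out = []
    for record in records:
        text = json.dumps(record)
        for category, pattern in PATTERNS.items():
            def tag(match, category=category):
                canon = normalize(category, match.group(0)).encode()
                digest = hmac.new(key, canon, hashlib.sha256).hexdigest()[:12]
                return f"<{category}:{digest}>"
            text = pattern.sub(tag, text)
        out.append(json.loads(text))
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
    for row in pseudonymize(SAMPLE_RECORDS, b"per-report-secret"):
        print(row)
```

On the constructed input the summary reports two distinct emails in two records, two MAC addresses in three records (the dash-separated spelling is folded into the colon form), three IPv4 addresses in four records, and one internal path. Scanning the pseudonymized output again finds nothing, which is the property a researcher wants before a report leaves their machine: the correlations survive, the identifiers do not.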
I immediately sent a responsible disclosure notice to Aprilaire and because of the size of the exposure I also called them by phone. The agent I spoke with was unaware of the data exposure and once I gave some details about what kind of data I could see, he asked that I urgently send him more information so he could get a notification to the correct person. Public access to the database was closed shortly after my message.
No one from Aprilaire or Research Products Corporation replied to my notice or reached out to me after my responsible disclosure. It is unclear how long this information was exposed or who else may have had access to the dataset.
Danger of a Botnet Attack
One issue that could affect internet connected devices is that they could be used in a botnet. This is when internet connected devices are infected and combined into a network, a digital army that works as one to launch a coordinated attack. The most common uses are Distributed Denial-of-Service (DDoS) attacks, stealing or intercepting data, sending spam email, and even giving the attacker remote access to the IoT device and the internet connection behind it.
There is no evidence that the Aprilaire devices were targeted or used in a botnet. I am only highlighting the potential threat of how this exposed data could have possibly been used or exploited.
There was enough information about the IoT devices and their connections that it could have hypothetically allowed cyber criminals to reach the remote server, the device, or the user’s internet connection. For a DDoS attack to succeed, the army of bots must first be infected with malware and then directed to send thousands of requests per second at a single target.
Another use for a botnet is mining cryptocurrency with an army of infected devices. Mining takes a very large amount of CPU and GPU resources, but when the work is spread across a million devices it is harder to detect and still effective in aggregate. Users would never know their connected devices are silently working for cyber criminals. In this case the botnet and the IoT devices are used to generate revenue for the operator rather than to attack a third party, although the theft of the owner’s electricity and bandwidth is still malicious.
In October 2016 tens of thousands of IP cameras, DVRs, NAS units and home routers infected with the Mirai malware were used to flood the DNS provider Dyn, knocking GitHub, Twitter, Reddit, Netflix, Airbnb and others offline. The Mirai botnet attack showed the world just how vulnerable IoT devices are.
Most IoT devices are not designed to update their own software or receive security updates, and a compromised device can become a direct path into the user’s network and internet connection. Once infected, the device acts like a zombie: attack traffic passes through its internet connection while the owner notices nothing, which makes such devices an effective long-term attack platform.
Exposed Emails and Potential Phishing Attack
The danger of exposed user information is that criminals could launch a targeted phishing campaign. In this case they would have internal information, device data and more that could lend a fraudulent message credibility and create a position of trust.
Most social engineering scams start with victims believing they are communicating with a company or individual they have an account with or have done business with before. Once the criminal has gained their trust they ask for payment information or other sensitive data. I am not implying that anyone has targeted Aprilaire’s customers, but only highlighting the real risks of how this data could be exploited.
There was enough internal information to attribute ownership of the database, and once I reported it to Aprilaire they acted fast and professionally to close public access. As a legitimate security researcher I never circumvent password or security protections, and it is often a race against time to find the owner and notify them before the data is wiped out by ransomware or stolen by cyber criminals. Our goal was to protect the data and help secure access as soon as possible. This data was publicly available to anyone with an internet connection.
Companies can do more when it comes to how they manage communication channels and data incident reporting. Far too often I see that employee contacts are hidden and there is nothing but customer support or generic email addresses. This may be convenient for avoiding marketing and sales calls, but it slows incident response time and increases the risk of a worst-case scenario. Having an incident response plan and proper communication channels is a necessity: it is not a question of “if” there will be a data incident but of “when”.
This is a wake-up call for any company or organization that collects or stores data from connected IoT devices or user information online. It is also yet another reminder of the serious need for strong IoT and connected device security.