On Jan 19th I discovered an exposed dataset that contained a massive 1.2 billion records and 1.1 million “Logged in Users”. This is one of the largest datasets I have found in a very long time that contained vast amount of potentially sensitive information. This included user data, connected IoT devices, wifi information, server and configuration settings, and much more. The data appeared to be connected to a smart home thermostat and other IoT devices.
Upon further research there were references to Aprilaire a division of Research Products Corporation. According to their website, Aprilaire is a manufacturer and distributor of indoor air quality products. Its products include air filters, water panels, thermostats, humidifiers, dehumidifiers, air purifiers, ventilators, range hoods, and more. Some of these devices can be connected to the internet and controlled by an application.
The records indicated that this was a Remote Access Server that I can assume allowed connected devices to send data back to Aprilaire. This data was non-encrypted leaving a large amount of user data in plain text to anyone with an internet connection. Aside from the exposed user data there is also a risk that these devices could have been targeted to be used in a Botnet. This discovery highlights the dangers of IoT security and how connected device data is collected and stored.