On October 1st, I found a rather unusual web interface for a Heartbeat monitoring service. The open and publicly available instance contained a graph and a description that immediately caught my attention:
Here you can analyze the results of the full system scan that takes place every hour. It scans every appliance in the homes of our customers.
The scan retrieves the device shadow for each appliance. It can, among other things, determine whether the appliance is online or offline. It records that status over time for each appliance.
The graphs were backed by data sourced from MongoDB, and the database itself was publicly accessible on the same IP where the Heartbeat instance was hosted. Upon closer investigation, I came to the conclusion that the data was part of Whirlpool's cloud infrastructure and that the database was used to collect information from IoT-connected home appliances, such as:
- customer email
- SAID number (smart appliance ID) – a unique number used to sync a smart device with your appliance
- model name and number
- various attributes of the scanned appliance, etc.
The database contained more than 28 million records (28,151,181), structured as described above.
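As an added illustration (not part of the original report and not Whirlpool's actual configuration), the two mongod.conf fragments below contrast the kind of settings that leave a MongoDB instance reachable and unauthenticated from the public internet with a hardened equivalent; the certificate path is an assumed placeholder.

```yaml
# Added example, not from the report: two mongod.conf fragments.
#
# 1) Exposed: mongod listens on every interface and authorization is off,
#    so anyone who can reach TCP/27017 can read and write every collection.
net:
  bindIp: 0.0.0.0        # all interfaces, including the public one
  port: 27017
security:
  authorization: disabled
---
# 2) Hardened equivalent (MongoDB 4.2+ key names; older releases use net.ssl):
#    bind only to loopback or the private address the application uses,
#    require TLS, and require every client to authenticate as a created user.
net:
  bindIp: 127.0.0.1      # or the private IP of the application host only
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongo.pem   # assumed placeholder path
security:
  authorization: enabled # clients must log in; create accounts with db.createUser()
```

Binding to a private address is a complement to, not a substitute for, a host or cloud firewall rule that blocks port 27017 from the internet.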
I immediately notified the Whirlpool security team of the incident, and within the next 24 hours both the database and the service instance were pulled offline. After an internal investigation that took several days, the company provided me with the following statement:
Our company was recently made aware of a potential security concern with respect to one of its databases. The database was immediately taken offline and secured. Our investigation showed that 48,000 emails were publicly available – but no confidential information was exposed. We are in the process of reaching out to impacted consumers. Our company appreciated this notification so the issue could be quickly addressed.
While I can neither verify nor dispute the number of emails compromised in this incident, I was still worried by the fact that smart appliances are scanned on a regular basis to gather emails and other attributes. You can call me old-fashioned, but I would prefer an Internet-disconnected dishwasher these days.
As we see a never-ending loop of these incidents, we at SecurityDiscovery.com have decided to offer a live educational session (webinar or offline workshop) to raise cyber security awareness within your organization and prevent potential issues in the future. We use real-world examples and stress that data security matters to every employee, at every level of the organization.
It can be an online webinar (estimated 1 hour long) with a Q&A session, or an offline meeting in your offices with live interaction with your team (master class included).
Proposed content includes:
- Description of the tools and techniques we use to identify vulnerabilities, PII and sensitive data online: no hacking, just Google it.
- How to ensure your data and your company's data are not exposed to the public internet: security tips from professionals
- Recommendations and best practices for configuring and maintaining the main NoSQL databases (MongoDB, CouchDB, Elasticsearch)
- Case studies: analyzing how related data appears online
- Live search for data and master class
Please feel free to send your requests to alert(at)securitydiscovery.com or bob(at)securitydiscovery.com
Let’s educate your team!