ADVERTISEMENT

Virtavo security camera users beware: app data spilled online

A security camera streaming app has been caught collecting extensive personal data. Not only that, but it stores logs on an open server accessible to anyone. Thousands of Virtavo security camera users might have been exposed.

Virtavo app leaking data

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Dec 17, 2024 Updated: 17 December 2024 3 min read

What data was collected?

  • App Version
  • Device Model: e.g. iPhone12,5 (iPhone 11 Pro Max)
  • Operating System
  • Firmware Version: specific build information
  • Video Decoding Information: Using "VideoTool Box" for decoding H.264 format
  • Country Code: e.g., CN (China)
  • IP Address: The manager IP indicates the server location
  • Connection Type: Cellular network with "Cellular" as the connection type
  • Network Operator and Type
  • User Account: Consists of a phone number or email address
  • User ID and UUID: Unique identifiers for each user
  • Device ID: A numeric identifier unique to the device
ADVERTISEMENT
  • Decode First Frame Delay: Indicates the performance of video playback
  • WiFi Strength: Signal strength, even though the connection type is cellular
  • Create Time: Timestamps indicating when the log entry was created
  • Server Code: Possibly indicates the server handling the request (e.g., "sh" could stand for Shanghai)
  • Time Zone: Indicates the time zone offset
leaked-data-virtavo
Ernestas Naprys Stefanie Paulina Okunyte vilius
Don’t miss our latest stories on Google News
Add us as your Preferred Source on Google.

Personal data should be anonymized, encrypted, and locked

  • Secure the Elasticsearch server: Implement proper security measures, including authentication and access controls, to prevent unauthorized access.
  • Data encryption: Encrypt sensitive data both at rest and in transit to protect against unauthorized access.
  • Access monitoring: Implement logging and monitoring to detect any unauthorized access attempts and respond promptly.
  • Limit data collection: Review the necessity of the data being collected and limit it to only what is essential for app functionality.
  • User notification: Inform affected users about the data exposure and provide guidance on how to protect themselves.
  • Compliance review: Assess compliance with international data protection regulations and take corrective actions as needed.
  • Incident response plan: Develop and implement a robust incident response plan to handle future security incidents effectively.
  • Regular security audits: Conduct periodic security assessments and audits to identify and remediate vulnerabilities.

Disclosure timeline

  • June 25th, 2024: leak discovered.
  • September 18th, 2024: initial disclosure email sent to Virtavo.
  • October 9th, 2024: disclosure to CNCERT/CC (The National Computer Network Emergency Response Technical Team/Coordination Center of China)
  • November 5th, 2024: access to the data was closed.
ADVERTISEMENT