A security camera streaming app has been caught collecting extensive personal data. Not only that, but it stores logs on an open server accessible to anyone. Thousands of Virtavo security camera users might have been exposed.
On June 25th, the Cybernews research team discovered a huge exposed data server containing 3GB of personal information and telemetry from iPhones with one particular app installed.
Analysis of the log samples suggests that the data is associated with the Home V App, which manages Virtavo security cameras.
The unsecured Elasticsearch server (data analytics and search engine) exposed logs containing user phone numbers, device identifiers, IP addresses, and firmware versions, among other detailed device, network, and user information. The logs appear to be diagnostic reports used for performance monitoring or troubleshooting and were updated in real-time.
The server contained more than 8.7 million records. Many were duplicate snapshots, with some unique identifiers appearing up to 50 times. Researchers estimate that over 100,000 unique users could be affected.
While a significant portion of the user base appears to be from China, the server also collected data from users around the world, raising concerns about data privacy and security.
“The detailed device identifiers, IP addresses, user phone numbers, and other personal information can be exploited by malicious actors for various purposes, including targeted attacks, unauthorized access, identity theft, and surveillance,” the researchers warn.
“Updates in real-time exacerbate the issue, as it allows for continuous collection of fresh data.”
The Cybernews researchers responsibly disclosed the issue to Virtavo and the Chinese CERT (Computer Emergency Response Team), and the Elasticsearch instance is now closed. It's unclear whether any third parties accessed the data. Cybernews reached out to Virtavo for comment but has yet to receive a response.
However, one glaring issue remains: security camera vendors appear to collect extensive personal information and store it on their servers, which might not align with data minimization practices and data protection regulations, such as GDPR or China's Personal Information Protection Law (PIPL).
Virtavo is a security camera manufacturer that also offers a video streaming and playback application for iOS devices called the ‘Home V’ App. It functions as an interactive monitoring solution for the home: it streams live videos, allows two-way communication, plays recorded videos, sends alerts when motion is detected, etc.
What data was collected?
The exposed logs contained several critical pieces of user and device information, as follows:
1. Device and Software Details:
- App Version
- Device Model: e.g. iPhone12,5 (iPhone 11 Pro Max)
- Operating System
- Firmware Version: specific build information
- Video Decoding Information: Using "VideoTool Box" for decoding H.264 format
2. Network Information:
- Country Code: e.g., CN (China)
- IP Address: The manager IP indicates the server location
- Connection Type: Cellular network with "Cellular" as the connection type
- Network Operator and Type
3. User Identifiers:
- User Account: Consists of a phone number or email address
- User ID and UUID: Unique identifiers for each user
- Device ID: A numeric identifier unique to the device
4. Performance Metrics:
- Decode First Frame Delay: Indicates the performance of video playback
- WiFi Strength: Signal strength, even though the connection type is cellular
5. Additional Information:
- Create Time: Timestamps indicating when the log entry was created
- Server Code: Possibly indicates the server handling the request (e.g., "sh" could stand for Shanghai)
- Time Zone: Indicates the time zone offset
“The device identifiers, such as MAC addresses, point to Virtavo as a vendor,” the Cybernews researchers noted.
“This information could potentially help to exploit Virtavo cameras and identify their owners. The exposure of this data highlights significant lapses in data security practices.”
Virtavo security camera users should be aware that exposed detailed logs can be used to exploit vulnerabilities, potentially leading to unauthorized access or attacks on user devices. Leaked user phone numbers and device information can facilitate identity theft and unauthorized surveillance.
IP addresses and location data can be used to track users' physical locations or for geo-targeted attacks.
Data protection laws usually require businesses to limit data collection under the data minimization and purpose limitation principles, meaning they should collect only the data necessary to achieve specific purposes. Organizations are also required to obtain explicit consent from individuals and provide transparency on how the data is used. The exposure of user data may violate data protection laws, leading to non-compliance and legal consequences.
“The data suggests that the application collects extensive information beyond what is necessary for basic functionality, raising concerns about data minimization principles under data protection laws,” the researchers said.
Personal data should be anonymized, encrypted, and locked
The incident highlights the critical importance of securing data storage systems, especially those containing sensitive user information.
“Companies must prioritize data security to protect their users and maintain trust, particularly when operating on an international scale,” the Cybernews researchers said.
They recommend the following mitigation actions:
- Secure the Elasticsearch server: Implement proper security measures, including authentication and access controls, to prevent unauthorized access.
- Data encryption: Encrypt sensitive data both at rest and in transit to protect against unauthorized access.
- Access monitoring: Implement logging and monitoring to detect any unauthorized access attempts and respond promptly.
- Limit data collection: Review the necessity of the data being collected and limit it to only what is essential for app functionality.
- User notification: Inform affected users about the data exposure and provide guidance on how to protect themselves.
- Compliance review: Assess compliance with international data protection regulations and take corrective actions as needed.
- Incident response plan: Develop and implement a robust incident response plan to handle future security incidents effectively.
- Regular security audits: Conduct periodic security assessments and audits to identify and remediate vulnerabilities.
Organizations must also follow data minimization principles, continuously reevaluate the necessity of collecting sensitive information, and only retain data essential for the operation.
“Where possible, anonymize or pseudonymize data to protect user identities. Ensure that users are informed about the data being collected and have provided explicit consent, in compliance with applicable laws,” the researchers said.
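One way to apply the minimization and pseudonymization advice to the kinds of fields listed above, before a diagnostic record is shipped to a log store. This is an added example, not code from Cybernews or Virtavo; the field names, key, and sample record are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Assumption: in production this key comes from a secrets manager, never from the log store.
PSEUDONYM_KEY = b"constructed-demo-key"

# Hypothetical field names modelled on the categories the article lists.
KEEP = {"app_version", "device_model", "os_version", "firmware_version",
        "connection_type", "decode_first_frame_delay_ms", "create_time"}
PSEUDONYMIZE = {"user_id", "uuid", "device_id"}


def pseudonym(value: str) -> str:
    """Keyed HMAC-SHA256: stable per user, not reversible by guessing without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_ip(ip: str) -> str:
    """Keep only the /24 (IPv4) or /48 (IPv6) network, not the host address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def minimize(record: dict) -> dict:
    """Allow-list filter: any field not explicitly handled is dropped."""
    out = {}
    for key, value in record.items():
        if key in KEEP:
            out[key] = value
        elif key in PSEUDONYMIZE:
            out[key] = pseudonym(str(value))
        elif key == "ip_address":
            try:
                out[key] = coarsen_ip(value)
            except ValueError:
                pass  # malformed address: drop it rather than store it raw
    return out


# Constructed sample record, not taken from the exposed server.
SAMPLE = {
    "app_version": "1.0.0", "device_model": "iPhone12,5",
    "firmware_version": "build-0001", "connection_type": "Cellular",
    "user_account": "+15555550100", "user_id": 123456, "device_id": 987654,
    "mac_address": "00:00:5E:00:53:01", "ip_address": "203.0.113.57",
}
```

Because the filter is an allow-list, a new field added by the app (or an account phone number) never reaches the server unless someone deliberately adds it to `KEEP` or `PSEUDONYMIZE`.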
Disclosure timeline
- June 25th, 2024: leak discovered.
- September 18th, 2024: initial disclosure email sent to Virtavo.
- October 9th, 2024: disclosure to CNCERT/CC (The National Computer Network Emergency Response Technical Team/Coordination Center of China).
- November 5th, 2024: access to the data was closed.