According to research by Cybernews, the personal information of thousands of Virtavo security camera users may have been exposed. For those who aren’t aware, Virtavo is a security camera manufacturer. The company also offers an iOS app for video streaming and playback called Home V. However, the app has been found to collect excessive personal data and telemetry from iPhone users, which raises privacy and security concerns.
Cybernews research finds exposed data from an app
The Cybernews team discovered that the Home V app was storing 3GB of user information on an open server. That included private info like phone numbers and device identifiers. Since the server was unsecured, it allowed anyone to access that info.
The server had over 8.7 million records, many of which were duplicates, with some unique IDs showing up multiple times. Researchers estimate this could have affected over 100,000 unique users. Many of the affected users seem to be from China, but the server also had data from users worldwide, raising further privacy concerns.
Details of the exposed logs
Exposed logs included device and software information such as app version, device model, and firmware version. The logs also included network information such as IP addresses and connection type. User IDs, including phone numbers, email addresses, and other unique identifiers, were also compromised. Performance metrics such as video playback quality and Wi-Fi signal strength, were included as well. Additionally, the logs contained timestamps, server codes, and time zone data.
The researchers stated, “The data suggests that the application collects extensive information beyond what is necessary for basic functionality, raising concerns about data minimization principles under data protection laws.” The team noted that malicious actors could use this for identity theft, unauthorized device access, and surveillance.
Cause of the exposure
This happened because the company left its Elasticsearch server (data analytics and search engine) unsecured, allowing anyone to access the exposed logs. Those logs monitor app performance and troubleshoot issues. The server updates in real-time, which makes the problem even worse.
Cybernews notified Virtavo on September 18th, 2024, and CNCERT/CC (The National Computer Network Emergency Response Technical Team/Coordination Center of China) on October 9th, 2024. By November 5, 2024, the exposed server was closed. However, there is no confirmation that unauthorized third parties accessed the exposed data before it was secured.
