
Massive 1.17 TB data leak exposes billions of records from a Chinese IoT grow light company. Wi-Fi passwords, IP addresses, and device IDs are among the exposed data.
A large, unprotected database belonging to Mars Hydro, a company specializing in IoT grow lights (Internet of Things grow lights) and agricultural software, was discovered by cybersecurity researcher Jeremiah Fowler.
The database, containing a whopping 2.7 billion records totalling 1.17 terabytes, exposed a treasure trove of sensitive information, including Wi-Fi network names (SSIDs), passwords, IP addresses, device IDs, email addresses, and more.
According to Fowler’s blog post for vpnMentor, which the company shared with Hackread.com ahead of publishing on Wednesday, 12 February 2025, the database contained folders labelled for logging, monitoring, and error records of IoT devices worldwide.
Sample analysis revealed over 100 million records across 13 folders, containing not only Wi-Fi network names but also their corresponding passwords, along with IP addresses and unique device identifiers. Interestingly, the data also appeared to link to the control devices, such as smartphones, used to manage these IoT products, revealing information about operating systems (e.g. iOS and Android).
Further investigation linked the database to LG-LED SOLUTIONS LIMITED, a California-registered company. API details and URLs associated with LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer, all involved in the manufacturing and sale of agricultural grow lights, fans, and cooling systems, were also present in the exposed data. Numerous records were specifically labelled as “Mars-pro-iot-error” or “SF-iot-error,” suggesting a connection to these specific product lines.
Fowler also found error logs containing potentially sensitive information, including tokens, application versions, device types, and IP addresses, in addition to the Wi-Fi credentials.
Following the discovery, Fowler promptly notified LG-LED SOLUTIONS and Mars Hydro, leading to the database being secured within hours. Mars Hydro, identified as a Shenzhen, China-based LED grow light manufacturer with warehouses in the UK, US, and Australia, confirmed to Fowler that the Mars Pro app is their official product.
However, questions remain about the database’s ownership, management, and the duration of its exposure. It’s unclear if the database was managed directly by LG-LED SOLUTIONS or a third-party contractor. A thorough forensic audit would be required to determine the extent of any unauthorized access, Fowler noted in the blog post.
The Mars Pro app and associated devices were exposing vast amounts of information. Such lapses can lead to misuse, like surveillance, man-in-the-middle attacks, and manipulation. The recently reported Matrix hacker group is a prime example of the ongoing exploitation of exposed IoT devices for DDoS botnets.
Furthermore, studies indicate that a significant share of IoT devices (57%) are highly vulnerable, with a majority of transmitted data (98%) being unencrypted. To mitigate these risks, IoT device makers and app developers must prioritize data security, avoid plain text logging, use encryption, secure internal cloud storage, and conduct regular security audits and penetration testing.
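
One way to apply the advice against plain text logging to error logs like those described above, as an added example that is not from Fowler's report or the vendor's code: a Python logging filter that redacts secrets and replaces identifiers with keyed hashes before a record reaches any log store. The field names, the sample record and the key handling are assumptions.

```python
import hashlib
import hmac
import json
import logging
import re

# Field names below are assumptions; map them to the real log schema.
SECRET_KEYS = {"password", "wifi_password", "psk", "token", "access_token"}
PSEUDONYM_KEYS = {"ssid", "device_id", "email", "ip"}
# Secrets embedded in free text, e.g. "join failed password=abc123".
INLINE_SECRET = re.compile(r"(?i)(password|psk|token)\s*[=:]\s*[^\s,;&]+")

def scrub_text(text):
    return INLINE_SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", text)

def pseudonym(value, key):
    """Keyed hash: equal inputs give equal tags, so events still correlate."""
    return "h:" + hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]

def redact(obj, key, field=None):
    """Recursively scrub a decoded JSON-like log event; returns a new object."""
    if field in SECRET_KEYS:
        return "[REDACTED]"
    if isinstance(obj, dict):
        return {k: redact(v, key, str(k).lower()) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v, key, field) for v in obj]
    if field in PSEUDONYM_KEYS and obj is not None:
        return pseudonym(obj, key)
    return scrub_text(obj) if isinstance(obj, str) else obj

class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so records are scrubbed before being written."""
    def __init__(self, key):
        super().__init__()
        self.key = key

    def filter(self, record):
        event = getattr(record, "event", None)
        if isinstance(event, dict):
            record.event = redact(event, self.key)
            record.msg, record.args = json.dumps(record.event, sort_keys=True), ()
        else:
            record.msg, record.args = scrub_text(record.getMessage()), ()
        return True

# Constructed sample record, not taken from the exposed database.
SAMPLE_EVENT = {"type": "iot-error", "ssid": "HomeNet", "wifi_password": "hunter2-example",
                "device": {"device_id": "dev-0001", "token": "tok_example"},
                "detail": "reconnect failed password=hunter2-example rc=7"}
```

The HMAC key should live in a secrets manager rather than alongside the logs, so that someone who obtains the log store cannot confirm guessed SSIDs or e-mail addresses against the tags.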