Security experts disclosed Wyze data leak

IoT vendor Wyze announced that one of its servers exposed the details of roughly 2.4 million customers.

IoT vendor Wyze announced that details of roughly 2.4 million customers were accidentally exposed online.

The company produces inexpensive smart home products and wireless cameras.

The leak was reported to Wyze on December 26th at around 10:00 AM and the company immediately secured the database and launched an investigation.

The Elastic server was discovered by cyber-security firm Twelve Security, the incident took place on December 4th, when an employee accidentally exposed the database online and remained unsecured until December 26th.

“Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.” Wyze co-founder Dongsheng Song wrote in a forum post.

“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”

The data were contained in an Elasticsearch server database that was set up by Wyze for an internal project.

According to Twelve Security, the exposed data includes:

User name and email of those who purchased cameras and then connected them to their home
24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
Email of any user they ever shared camera access with such as a family member
List of all cameras in the home, the nicknames for each camera, device model and firmware
WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
API Tokens for access to the user account from any iOS or Android device
Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users

Experts from Twelve Security claimed they found API tokens that would have allowed hackers to access Wyze user accounts from any iOS or Android device.

The incident was independently verified by the authors of the blog IPVM that focuses on video surveillance products.

Song pointed out that both Twelve Security and IPVM disclosed the leak without giving the company the time to fix the issue.

“We were first contacted through a support ticket at 9:21 a.m. on December 26 by a reporter at IPVM.com. The article was published almost immediately after (Published to Twitter at 9:35 a.m.). It was published in conjunction with a blog post from a private security company also published on December 26th.” continues Song. “We were made aware of this article at ~10:00 a.m. from a community member who had read the article.”

Song pointed out that several of the things reported by Twelve are not true, for example he denied that Wyze sends data to Alibaba Cloud in China.

Song also added that Wyze only collected health data from 140 users who were beta-testing a new smart scale product, the claims of a massive data collection were fake.

“Wyze was beta testing new hardware and some of this information was in the database. We had this information for about 140 external beta testers. We have never collected bone density and daily protein intake and we wish our scale was that cool.” continues Wyze.

In response to the incident, Wyze log out all Wyze users out of their accounts and unliked all third-party app integrations to generate new tokens.

“we forced all Wyze users to log back into their Wyze account to generate new tokens. We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.” concludes Wyze.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.