Smart home appliance maker Wyze has responded to what it calls an "alleged" data breach against its production databases by logging all users out of their accounts and has strengthened security for its servers. Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people's security cameras, local networks, and email addresses in exposed databases.
Texas-based Twelve Security, a self-described "boutique" consulting firm, posted the claim of a breach against Wyze's two Elasticsearch databases on Medium yesterday. The unsecured data is said to have come from 2.4 million users. A plurality of them are located on the east coast of the United States, though data was sourced from across the country as well as in the United Kingdom, the United Arab Emirates, Egypt, and parts of Malaysia.
The dataset included any email addresses that have been registered to or given shared access to a camera, the models, firmware versions, and assigned names of every camera in a household, the time of each device's last activation, the times of users' last login and logout, account login tokens for users' Android and iOS devices, camera access tokens for users' Alexa devices, Wi-Fi SSIDs, and internal subnet layout. A subset of users who provided, or had tracked, their height, weight, gender, bone health, and protein intake may have had that data exposed as well. Twelve Security also noted that there were "clear indications" that data was being trafficked through Alibaba Cloud servers in China.
Video surveillance news blog IPVM followed up with Twelve Security and was able to spot accounts and devices linked to its staff who reviewed Wyze products.
Twelve Security opted not to notify Wyze before going public with its claims on suspicion of either the company's gross negligence or a concentrated espionage effort, based on the alleged Alibaba Cloud link as well as a previous security blunder where Alexa users could view camera feeds from devices they've resold to other people — that vulnerability has since been patched.
In a bulletin on its community forums, Wyze stated that it was notified by IPVM late yesterday morning and had not been able to verify a breach. It also denied any association with Alibaba Cloud.
The company said it decided out of caution to adjust access permissions for its databases and wipe all active login tokens — this also cleared users' Alexa, Google Assistant, and IFTTT integrations. Customers who used two-factor authentication complained shortly after the token refresh that their login attempts were denied with various errors. Wyze updated its bulletin late last night to report it had fixed the 2FA login process.
The Seattle-based Wyze sells smart plugs, lights, security cameras, and the like at prices well below its competition. It's able to do so by turning to vendors for advanced software features — Xnor.ai recently canceled its contract with Wyze to provide its cameras with subject detection — and vesting a number of resources, including manufacturing, in China. While we'd like to see more details come along, Twelve and IPVM's reporting to this point may cast doubt, at the very least, on how Wyze handles its resources.
Wyze's response, new allegations
Wyze has updated its bulletin twice over the weekend.
It explained that an employee managing a new server project had made a "mistake" with data copied over from its main production servers on December 4 and had left that data unsecured until Wyze beefed up security on the 26th. It initially admitted only one database was exposed, then later was notified by a Wyze user of a second database. The company says it is still investigating why that happened and is currently auditing its servers and databases.
The company says the dataset included customer emails, camera nicknames, Wi-Fi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. To the company's knowledge, the dataset did not contain passwords, government-regulated personal or financial information, or API tokens for Android and iOS devices.
Wyze once again denied that it used Alibaba Cloud to handle user data. It also disputed Twelve Security's claims — though it did not mention the security consultancy by name — that it collected bone density and daily protein intake information from any products, including those in beta testing. It also denied having a "similar breach" six months ago, perhaps referring to the Alexa camera viewing issue mentioned above, but that was more of a vulnerability than a breach — for the record, neither is a good thing.
Affected users should expect an email from the company shortly, notifying them of what data has been compromised. More emails may come as the investigation moves forward. The company has apologized for the oversight.
At the same time, Twelve Security posted a second essay about Wyze on Medium detailing how its U.S. servers weren't secured as well as its Chinese servers were. It challenged Wyze's stated vulnerability window, claiming instead that the U.S. servers had been exposed ever since they went online in January. It also claims to have traced Wyze's data pipeline infrastructure through Alibaba Cloud and found it large enough for the company to monitor live footage from every camera, and that Wyze, or anyone with the knowledge to do so, could intercept any one of those feeds. It also noted comments suggesting that the company does plan to record daily protein intake and bone density information at some point.
The company has yet to respond to Twelve Security's latest claims.