[Updated 02-13-20] Data leak 12-26-2019

Wyze used Elasticsearch not because it’s cheaper; it’s because it’s good for ad hoc db queries. Probably the same reason M$ did the same. M$ has their own SQL Server and Azure and they used another company’s db software instead.

1 Like

Update 02-13-20

Thank you all for your patience. We have been working diligently to make progress on security improvements. At Wyze, we take data protection, and our customers’ trust in us to protect their data, very seriously. We appreciate your efforts to ensure consumer security and we share your commitment to data privacy and security.

Please note the status of these action items we have addressed:

| Action Item | Status | Update/Note |
|---|---|---|
| Initial cyber investigation | Completed | We have completed the initial investigation on how the leak happened and have taken internal measures to secure our servers and databases. We have confirmed the leak contained no passwords, government-regulated personal or financial information, or video files. |
| Revisiting security settings for each Wyze server | Completed | We have completed the investigation on how the leak happened and have taken internal measures to secure our servers and databases. |
| Reviewing our internal security policies and practices | Completed | We have added operational measures following our initial investigation. This will be an ongoing effort. |
| Improving security processes, data security, tools, and training across Wyze | Completed | Implemented security processes like Single Sign-On onboarding and additional steps highlighted through our initial security investigations. This will be an ongoing effort. |
| Submission method for vulnerability reports | Completed | We have added a submission tool for collecting reports of security vulnerabilities through our website at: Report Suspicious Activities – Wyze. |
| Security assessments and audits by 3rd party security company | In-Progress | We have completed our internal data security checks and have selected an independent company to conduct the audit for validating our security and privacy environments. |
| Penetration tests by independent security companies | In-Progress | We have selected an independent company to conduct authorized penetration tests. These tests use simulated cyber attacks to evaluate the effectiveness of our security system. |
| Adding the ability to change account email addresses | In-Progress | Feature development is currently in the requirements phase; we are working on scoping and development between app and cloud developers and data architects. |
| Other methods for multi-factor authentication besides SMS (including an authenticator app) | In-Progress | Feature development is currently in the design phase. We are now implementing the authenticator app method as part of a future app release. |
| Multi-factor authentication to Wyze websites | In-Progress | Feature development is currently in the design phase. We will implement the authenticator method as part of future web updates. |

We’ll continue to post updates and keep you informed on progress made.

30 Likes

Totally awesome debrief here. Happy to hear about the additional policies/procedures that will help prevent similar incidents in the future!

Way to go Wyze!

2 Likes

@WyzeGwendolyn - The “Initial cyber investigation” details are lacking significant details about what WAS exposed, and the ramifications of that. For instance, keys that were exposed in the open logs which may have been used to open camera streams without detection.

You’re stating obvious things that weren’t compromised with the expectation that the general masses will be appeased and no longer be concerned about your significant data breach, but you’re not addressing exactly what was compromised, which is extremely important if you’re actually being “transparent” and not dancing around the facts to quell fears.

4 Likes

Speaking specifically about keys, it doesn’t matter anymore since they de-auth’d all accounts and keys…

2 Likes

That’s your opinion, and you’re entitled to it.

For the rest of us that are concerned about our privacy, both in the past and in the future, it’s extremely important even today.

You may be OK with being watched and recorded in the privacy of your home, but the tens of thousands of people that have cameras inside their homes with the expectation of privacy - we are not OK with the lack of details and demand answers on who accessed our cameras without detection and when.

4 Likes

Actually exactly what was exposed has been clearly articulated numerous times. The ramifications of each element have been discussed at great length here, on Facebook, and Reddit among I am sure others.

6 Likes

If you would like, you can read the complete list of updates in the original post in this topic. We’ve been updating it with each update we provide to make it easier for folks to catch up if they are new to the thread.

We proactively reset the access tokens for cameras and accounts but these were not included in the data leak. Email addresses were included but financial information and such was not. There were no user passwords available in this data leak either.

9 Likes

“Our investigation is still in process but we have confirmed the information contained … some Alexa integration tokens.”

Having access to these tokens before they were reset by Wyze would have allowed bad actors access to camera feeds. This was proven by those that brought the data breach to light, and further, there were more tokens than just Alexa available and proven with screenshots of the data from the exposed logs. This is something that Wyze has not acknowledged.

The fact that bad actors could have viewed private camera feeds has been completely ignored in every single Wyze “update”, and continues to be downplayed by Wyze by pushing the less-critical information portions of the leak.

3 Likes

Again, everything that was exposed has been very thoroughly discussed. Some of the accounts and data ‘snapshots’ are questionable. This has also been very heavily discussed and debated.

You are of course welcome to your own opinion and interpretation. But the exact scenario you just described as “ignored” was discussed extensively here and on Reddit.

3 Likes

By us, not Wyze… The literal point of my comments. I rest my case.

4 Likes

Uh, two of the participants are Wyze employees? Guess that case is resting a little uneasily?

4 Likes

Wyze is literally responding to your rants. Right now.

2 Likes

Please add a mechanism to send email to the account owner when an unrecognized device signs in. And please add a mechanism to list recognized devices and to revoke authorization tokens. It is annoying that Netflix has tighter access controls than Wyze does for private video streams.

4 Likes

Welcome to the community, @jamesdlin. You might be interested in this #wishlist topic.

Search Wishlist (enter your search word/s after #wishlist in the search box)
Search Roadmap (enter your search word/s after #roadmap in the search box)

Please read through How to Use the Wishlist and How to Read the Roadmap.

8 Likes

There are two security focused steps that Wyze can and should take. Both have been discussed above but I don’t recall any official response from Wyze. And both are glaringly missing from recent updates. Perhaps I missed them?

  1. A notification to the primary account of login attempts be they successful or unsuccessful.

Unsuccessful attempts should be limited to prevent brute force attacks. Perhaps a log accessible to the primary account owner?

It should not be an in app feature. Out of band only. This avoids cases where a DOS attack leaves your account locked.

  2. An authorized device list showing all devices/services that are logged into your Wyze account.

Should include the ability to individually or wholesale log devices/services out of your account and require them to re-login.

These are fairly standard abilities present in most IoT devices. Good examples are Ring, Google, and Amazon.

5 Likes
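The account-security controls requested in the two posts above (a sign-in notification sent out of band, throttling of failed attempts, an authorized-device list, and per-device or wholesale token revocation) as one added Python example. This is illustration code, not Wyze’s; the data model, the `MAX_FAILED_ATTEMPTS` and `LOCKOUT_SECONDS` thresholds, and the `notify` callback standing in for an email or push channel are all assumptions.

```python
"""Illustrative account/session service (assumed design, not Wyze code):
- every login attempt, successful or not, triggers an out-of-band notification
- repeated failures throttle *new* password logins without touching issued tokens,
  so hammering the login form cannot lock the owner out of the app
- tokens are stored hashed; the owner can list devices and revoke one or all
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5   # assumed threshold before password logins are throttled
LOCKOUT_SECONDS = 900     # assumed throttle window (15 minutes)


@dataclass
class Session:
    token_hash: str        # only the SHA-256 of the bearer token is kept server-side
    device_name: str
    issued_at: float
    revoked: bool = False


@dataclass
class Account:
    email: str
    password_hash: bytes
    salt: bytes
    sessions: dict = field(default_factory=dict)   # token_hash -> Session
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    def __init__(self, notify):
        self.accounts = {}
        self.notify = notify   # callable(email, message): out-of-band channel (assumed)

    def create_account(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, _hash_password(password, salt), salt)

    def login(self, email: str, password: str, device_name: str, now: float):
        """Return a fresh bearer token on success, None otherwise."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if now < acct.locked_until:
            self.notify(email, f"Login attempt from '{device_name}' rejected: account throttled")
            return None
        if acct.locked_until and now >= acct.locked_until:   # window expired, start fresh
            acct.failed_attempts, acct.locked_until = 0, 0.0
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            acct.failed_attempts += 1
            self.notify(email, f"Failed login from '{device_name}'")
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.notify(email, f"Password logins paused for {LOCKOUT_SECONDS}s after repeated failures")
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        digest = _hash_token(token)
        acct.sessions[digest] = Session(digest, device_name, now)
        self.notify(email, f"New sign-in from '{device_name}'")
        return token

    def validate(self, email: str, token: str) -> bool:
        """Existing sessions keep working during a throttle; only revocation ends them."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        session = acct.sessions.get(_hash_token(token))
        return session is not None and not session.revoked

    def list_devices(self, email: str):
        """The authorized-device list the owner would see in their account settings."""
        return [(s.device_name, s.issued_at)
                for s in self.accounts[email].sessions.values() if not s.revoked]

    def revoke(self, email: str, device_name: str = None) -> int:
        """Revoke one device's sessions, or all of them when device_name is None."""
        count = 0
        for s in self.accounts[email].sessions.values():
            if not s.revoked and (device_name is None or s.device_name == device_name):
                s.revoked, count = True, count + 1
        return count


if __name__ == "__main__":
    svc = AuthService(lambda email, msg: print(f"[notify {email}] {msg}"))
    svc.create_account("owner@example.com", "correct horse battery staple")   # constructed
    tok = svc.login("owner@example.com", "correct horse battery staple", "phone", 0.0)
    print("devices:", svc.list_devices("owner@example.com"))
    print("revoked:", svc.revoke("owner@example.com"), "still valid:", svc.validate("owner@example.com", tok))
```

The throttle deliberately applies only to password logins: an already-signed-in phone keeps working while someone is guessing passwords against the account, which is the out-of-band point made above, and the owner learns about the attempts through the notification channel rather than by being locked out.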

I think I’ve just been violated by Wyze. They’ve been stealing personal information from my phone, in addition to “person” log events. The wireless data generated in the last 30 days is currently at a whopping 45 gig, which is unprecedented for me as I normally average about 2 gigs a month. I just uninstalled their software altogether. They’ve lost my trust and a good customer.

Have you contacted support about this? Using that much data is something that should be looked into.

WYZE Support

Live support is available:

+1-206-339-9646

Monday - Friday 5 am - 6 pm PT

Saturday 8 am - 4 pm PT

4 Likes

Agree with @WyzeJasonJ on contacting Wyze - something ain’t right!

Just for discussion, any more details?

How many cams? About how many motion events per day?

Were any of them left streaming an HD live feed across the internet to a different location for really long periods of time? (on purpose or by accident)

How many people at remote locations could or would be viewing the live feed(s) and/or reviewing any continuously recorded footage on the SD cards?

It sounds like you were using the stock Wyze firmware + app, and not doing something like a continuous RTSP feed to Blue Iris, etc at a remote location, correct?