[Updated 02-13-20] Data leak 12-26-2019

If Wyze cloud services are down, authorized user or not, their Wyze app won’t work any better than yours.

If the authorized user has been set up for Bluetooth access and they are within range of the lock, that’s fine, but it doesn’t help with most scenarios I can imagine.

I realize that you can operate the lock manually but to me the appeal of a smart lock is being able to operate it remotely. Without the remote option I’m much better off with a regular electronic lock with a keypad, which is what I have now.

And with the Wyze cloud down, you can’t control your smart devices like plugs, lights, etc… even if you’re home.

I can also envision a scenario in which you unlock the door remotely, then the Wyze cloud goes down and now you can’t lock the door remotely so until you get home, your door ends up unlocked all day.

Yeah…no… I think I’ll skip the smart locks for now.

1 Like

Remotely? And I don’t leave keys outside. I currently have a regular electronic lock with a keypad.

I hear you; this is a very real possibility - it’s happened to me before. Fortunately my Wyze cam and door sensors would alert me to someone entering the home.

But I must stress, if the cloud is down, and you are already authorized to access the lock, all you need to do is open the app in Bluetooth proximity of the lock. The cloud is not necessary in this particular situation.

You’re right to be cautious. There are risks associated with each and every IoT device you allow into your home. You need to temper due diligence with using devices from companies you trust.

Personally, I would never, repeat NEVER use a Google smart home product in my house. Why? Because Google monetizes every data point it collects about you. But again, this is one humble security guy’s opinion, and you’re more than entitled to your own.

1 Like

And what happens when the battery on said device dies? You default to using the key. Same thing here with ALL consumer smart locks.

I was showing a family friend how good Wyze products are when I noticed I’ve been logged out. I tried logging back in immediately but it proved abortive. The first thing that came to mind was I’ve been hacked. So I reminded the family not to rely 100% on any technology, and how important it is to play their part in making sure their home is safe. A few minutes later, logged back into Wyze with 2FA code received. Wyze is a great product and I will continue to bring my friends onboard! The business world is a rough terrain. Consumers and companies need to protect their interests.

1 Like

There are plenty of keyless consumer smart locks. As an example

https://www.kwikset.com/products/detail/obsidian-keyless-electronic-touchscreen-deadbolt?variant=953-obn-15

2 Likes

I agree with your statement …

I have purchased smart plugs that were available way before Wyze introduced theirs which are Alexa compatible.
When this Wyze shutdown occurred my plug that controlled lights and fans still worked in its standalone app and with Alexa’s voice control.
I’ve bought Wyze plugs and bulbs to try out but after this I’m not feeling the need to at this point in time…

sign … the newbie.

Referring to the lock I posted above, you can use a 9-volt as a back up battery if the battery pack inside goes dead.

Add authenticator app(s) for 2 Factor Authentication (2FA) - #42 by rbruceporter

1 Like

If your battery dies, you’re doing it wrong or the lock is poorly designed. My electronic lock starts to warn me well before the battery dies. Like days or even weeks before.

Thank you, kind Wyzer.

I stand corrected. However, I would also avoid such a lock, for the explicit purpose that it does not allow for key entry.

Me too! I prefer my locks to have a key as a backup, but I also don’t leave a key under a “rock”.

It looks to me like “Ghost” or John O’Nolan feels like he doesn’t have to give notice due to his claims of info being sent to the Alibaba cloud, and the other “massive” breach of Wyze six months ago. At least that is how I read his blog post.

Well @GuitarMan, you clearly have it all figured out. Of course my smart locks notify me, in advance, of a dying battery.

You seem to have a particular bend here, and it’s clear no thoughtful discussion will change that.

Let me offer this one last piece of advice: if you’re putting all your eggs into a single IoT’s cloud, you’re doing it wrong.

Diversify your providers, and you wouldn’t be so worried about a single point of failure; it’s called redundancy, like how my Wyze cams and door sensors provide insight to my entryway, even if there’s an issue with my August lock.

Enjoy your day!

EDIT: formatted for readability

1 Like

Redundancy is another way of saying defense in depth and it’s essential to any well thought out approach. Agreed!

1 Like

I’m wondering if this “breach” was nothing more than the output of a credential stuffing attack?

I feel very certain many users reuse passwords and it’s nothing for a bot to be created to “hack” into accounts and the data they get would be exactly what was in the breach.

The fact that the reporters say it was stored on Alibaba Cloud and Wyze says they don’t use them would explain how the information got there. The hackers use Alibaba Cloud as their dumping grounds for credential stuffing attacks.

2 Likes

Thank you! Agree completely. Security is more of an “onion” than a “wall”. The best security methods involve multiple layers…

1 Like

I won’t go so far as to say anyone’s particular approach to their connected/smart homes is wrong. What I will offer is my opinion that any device that reaches out to the cloud will cause problems.

In my home I have spent the last 6 months or so removing cloud reliance and only exposing devices of my choosing to services of my choosing while locking out all others.

2 Likes

Eh, I’ll challenge that. I’m in enterprise security, and so I can say - definitely - that sourcing security from a single provider is no security at all.

However, I totally agree with your other points; relying on the cloud will always be problematic; it’s inherent to the technology. EG server down, WAN down, LAN down…are just a few of the ways cloud is problematic.

Kudos on the efforts securing your home!

1 Like

Well, without all the info, we cannot definitely say, but I will tell you it is unlikely.

We’re talking about back-end database access and permissions. First, the db should not be visible (read: accessible) to anyone via the internet. Further, the credentials associated with your smartphone Wyze app have ZERO to do with db permissions.

That is to say, there are 2+ million end-users. None of those user credentials have any access to any backend database.