[Updated 02-13-20] Data leak 12-26-2019

I’m guessing the average user updates their firmware once every blue moon, lol…it’s similar to when I’m looking at the wife’s phone cuz she’s having an issue, and there’s 50+ updates pending in the app store.

Very true, users are their own worst enemy. The same users that are outraged when a breach is not reported and acknowledged immediately have a dozen major updates waiting to be applied.

It’s a case of overcoming inertia and of course an inherent distrust of updates considering how many of those have been bungled. (I am looking at you Microsoft).

So on one hand we have the “if it ain’t broke don’t fix it” group and on the other the cyber warriors that say “apply every update no more than 2 microseconds after it’s available”. I am a lot closer to the 2nd group than the first but I do like to sometimes wait a day or two and see the smoke rising from the ones that did not wait and crashed and burned.

Percentage-wise you can make a case that Wyze is right up there with, if not ahead of, M$. I know I don’t install their (Wyze) updates any more until there’s significant feedback from others that it actually works as intended. (Went for too long a period where I had to choose between using my cameras or using my plugs because the app would only work with one or the other - that’s never happened with any of my M$ ‘products’.)

1 Like

I trust you are correct. I personally have never had an issue with plugs or cameras and I have installed every update including beta updates. Are you iOS or Android? I think that Wyze has had many more issues with Android. But honestly I blame that as much on Android as Wyze.

Either way I do agree that Wyze has had its share and then some with issues following app or firmware updates. I know I have used or programmed on Microsoft since MS-DOS days. And the number of times “updates” from Microsoft have totally borked a machine are too numerous to count. Right up to a month ago with a Windows 10 update that left some users in a boot loop. :wink:

Hey, folks!

Looks like things went a bit sideways a couple of times recently. I think that Loki got things back on track effectively so I’m not going to dive into that any further (though I admittedly did enjoy the attic discussion even though this was not the best place for it :slight_smile: ).

A few people have asked for this thread to be closed. We’re still planning to update it later when the 3rd party actions have been concluded or if there’s something new to report so we’re leaving this open but also keeping an eye on things. Thank you for your feedback!

7 Likes

I’ll just leave this here:

Some interesting points:

  • 250 million entries from an internal customer support database.
  • The data was exposed between December 5 and December 31.
  • The database consisted of a cluster of five Elasticsearch servers.
  • Fixed Dec 31, Microsoft informed users Jan 22

I bet Microsoft wishes they had engaged a security firm to audit their systems. /s

3 Likes

That’s interesting because people jumped all over Wyze for having a separate database. Wyze was honest when they said that companies do it because it’s cheaper. I believe that was their answer. Nonetheless Wyze handled it much better than Microsoft and it was a fraction of the amount of people. Actually, that’s why I did not get real worked up about it; it happens all the time. Nothing is safe.

2 Likes

Wyze used Elasticsearch not because it’s cheaper; it’s because it’s good for ad hoc db queries. Probably the same reason M$ did the same. M$ has their own SQL Server and Azure and they used another company’s db software instead.

1 Like

Update 02-13-20

Thank you all for your patience. We have been working diligently to make progress on security improvements. At Wyze, we take data protection, and our customers’ trust in us to protect their data, very seriously. We appreciate your efforts to ensure consumer security and we share your commitment to data privacy and security.

Please note the status of these action items we have addressed (each item is listed with its status, followed by the update/note):

  • Initial cyber investigation (Completed): We have completed the initial investigation on how the leak happened and have taken internal measures to secure our servers and databases. We have confirmed the leak contained no passwords, government-regulated personal or financial information, or video files.
  • Revisiting security settings for each Wyze server (Completed): We have completed the investigation on how the leak happened and have taken internal measures to secure our servers and databases.
  • Reviewing our internal security policies and practices (Completed): We have added operational measures following our initial investigation. This will be an ongoing effort.
  • Improving security processes, data security, tools, and training across Wyze (Completed): Implemented security processes like Single Sign-On onboarding and additional steps highlighted through our initial security investigations. This will be an ongoing effort.
  • Submission method for vulnerability reports (Completed): We have added a submission tool for collecting reports of security vulnerabilities through our website at: Report Suspicious Activities – Wyze.
  • Security assessments and audits by 3rd party security company (In-Progress): We have completed our internal data security checks and have selected an independent company to conduct the audit for validating our security and privacy environments.
  • Penetration tests by independent security companies (In-Progress): We have selected an independent company to conduct authorized penetration tests. These tests use simulated cyber attacks to evaluate the effectiveness of our security system.
  • Adding the ability to change account email addresses (In-Progress): Feature development is currently in the requirements phase; we are working on scoping and development between app and cloud developers and data architects.
  • Other methods for multi-factor authentication besides SMS (including an authenticator app) (In-Progress): Feature development is currently in the design phase. We are now implementing the authenticator app method as part of a future app release.
  • Multi-factor authentication to Wyze websites (In-Progress): Feature development is currently in the design phase. We will implement the authenticator method as part of future web updates.

We’ll continue to post updates and keep you informed on progress made.

30 Likes

Totally awesome debrief here. Happy to hear about the additional policies/procedures that will help prevent a similar incident in the future!

Way to go Wyze!

2 Likes

@UserCustomerGwen - The “Initial cyber investigation” details are lacking significant details about what WAS exposed, and the ramifications of that. For instance, keys that were exposed in the open logs which may have been used to open camera streams without detection.

You’re stating obvious things that weren’t compromised with the expectation that the general masses will be appeased and no longer be concerned about your significant data breach, but you’re not addressing exactly what was compromised, which is extremely important if you’re actually being “transparent” and not dancing around the facts to quell fears.

4 Likes

Speaking specifically about keys, it doesn’t matter anymore since they de-auth’d all accounts and keys…

2 Likes

That’s your opinion, and you’re entitled to it.

For the rest of us that are concerned about our privacy, both in the past and in the future, it’s extremely important even today.

You may be OK with being watched and recorded in the privacy of your home, but the tens of thousands of people that have cameras inside their homes with the expectation of privacy - we are not OK with the lack of details and demand answers on who accessed our cameras without detection and when.

4 Likes

Actually exactly what was exposed has been clearly articulated numerous times. The ramifications of each element have been discussed at great length here, on Facebook, and Reddit among I am sure others.

6 Likes

If you would like, you can read the complete list of updates in the original post in this topic. We’ve been updating it with each update we provide to make it easier for folks to catch up if they are new to the thread.

We proactively reset the access tokens for cameras and accounts but these were not included in the data leak. Email addresses were included but financial information and such was not. There were no user passwords available in this data leak either.

9 Likes

“Our investigation is still in process but we have confirmed the information contained … some Alexa integration tokens.”

Having access to these tokens before they were reset by Wyze would have allowed bad actors access to camera feeds. This was proven by those that brought the data breach to light, and further, there were more tokens than just Alexa available and proven with screenshots of the data from the exposed logs. This is something that Wyze has not acknowledged.

The fact that bad actors could have viewed private camera feeds has been completely ignored in every single Wyze “update”, and continues to be downplayed by Wyze by pushing the less-critical information portions of the leak.

3 Likes

Again, everything that was exposed has been very thoroughly discussed. Some of the accounts and data ‘snapshots’ are questionable. This has also been very heavily discussed and debated.

You are of course welcome to your own opinion and interpretation. But the exact scenario you just described as “ignored” was discussed extensively here and on Reddit.

3 Likes

By us, not Wyze… The literal point of my comments. I rest my case.

4 Likes

Uh, two of the participants are Wyze employees? Guess that case is resting a little uneasily?

4 Likes