[Updated 02-13-20] Data leak 12-26-2019

I can’t decide which upsets me more: the leak, or the fact that I’m still waiting for an email notification directly from Wyze. I wouldn’t have known about any of this had it not been for browsing the usual tech sites. Wyze needs to be more transparent on many levels!

2 Likes

Check my post here. It has the screenshots. The link to this forum post was there, but buried.

3 Likes

While I agree with your basic comment, I think it is also naive. The truth of the matter is that anything you use to secure your house can be compromised. Each system has its own weakness. A physical lock can be picked, and that means the person has to be physically there to do it, which also means he/she can physically harm you.

The point is anything connected via electronics is compromised, to believe otherwise is naive. Thus it comes down to determining your acceptable risk/reward.

Absolutely agree. Which is why I don’t have smart locks on my doors. If someone wants to pick my locks, they’ll find out what’s on the other side of the door waiting for them.

I won’t help them out by tying my lock into a system that knows I’m gone and unlocks the door for them.

1 Like

Exactly. It’s a jurisdictional issue. With global companies like Google, they don’t need to pursue it extraterritorially because Google has plenty of presence in the EU. They have jurisdictional authority to pursue it in European court and enforce the fines through Google’s EU assets, if necessary.

Hi Robb, Wyze uses the Taiwan-based P2P service provider ThroughTek, which has servers worldwide. 114.67.98.218 was confirmed to be their server in the past. Very likely the other two are theirs as well. I am confirming with them and will update very soon. The TUTK servers in China and other countries are hosted by different cloud providers, including Alibaba Cloud. We know TUTK has servers in Canada, so traffic to a Canadian TUTK server is expected.

[Updated 12/30 8:20pm] Confirmed by TUTK that 47.112.127.239 and 198.16.71.10 are their servers in China and Netherlands.

I will try to explain how the servers work in generic terms. To protect their IP, I prefer not to release too much technical detail of the TUTK network architecture. These servers are set up to help your phone find where your camera is. When your phone tries to connect to your camera, it will first ask one of the servers where your camera is located. After that the phone and camera will try to make a connection within North America (some servers will be involved in the process).

Note: There are some special cases that your camera may still contact these servers once during reboot (e.g. older version of firmware). They are less than 0.5% of the cameras.

7 Likes
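The lookup-then-direct-connect flow described in the post above, as an added simulation that is not part of the thread and is not ThroughTek’s (TUTK) code or protocol: a rendezvous server records each camera’s public endpoint, the phone asks it where the camera is, the server introduces the two NATed peers, and the media request then travels directly between phone and camera. All hosts, addresses (RFC 5737 documentation ranges), ports and message names are constructed; the older-firmware reboot case mentioned in the note is not modelled.

```python
"""Toy 'where is my camera?' rendezvous exchange (added illustration, not TUTK code).

Shows the property the post describes: the server only answers the lookup and
introduces the peers; the media request never goes through it. All addresses
and names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class Nat:
    """Minimal NAT: inbound from a remote endpoint is accepted only after the
    inside host has sent a packet to that endpoint (the 'hole')."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._open: set[Endpoint] = set()

    def send(self, remote: Endpoint) -> None:
        self._open.add(remote)

    def accepts(self, remote: Endpoint) -> bool:
        return remote in self._open


class Camera:
    def __init__(self, uid: str, nat: Nat, port: int) -> None:
        self.uid, self.nat = uid, nat
        self.public_ep = Endpoint(nat.public_ip, port)
        self.received: list[str] = []

    def deliver(self, src: Endpoint, payload: str) -> bool:
        """A packet from src reaching the camera's NAT; dropped unless a hole is open."""
        if not self.nat.accepts(src):
            return False
        self.received.append(payload)
        return True


class RendezvousServer:
    """Maps camera uid -> public endpoint. Its log lets the reader check that
    it carries only control messages, never the stream."""

    def __init__(self, endpoint: Endpoint) -> None:
        self.endpoint = endpoint
        self._registry: dict[str, Camera] = {}
        self.log: list[str] = []

    def register(self, cam: Camera) -> None:
        cam.nat.send(self.endpoint)  # camera keeps a hole open toward the server
        self._registry[cam.uid] = cam
        self.log.append(f"REGISTER {cam.uid} {cam.public_ep.ip}:{cam.public_ep.port}")

    def lookup(self, uid: str) -> Endpoint | None:
        self.log.append(f"LOOKUP {uid}")
        cam = self._registry.get(uid)
        return cam.public_ep if cam else None

    def introduce(self, uid: str, caller: Endpoint) -> bool:
        """Tell the camera who is calling so it punches a hole toward the phone."""
        cam = self._registry.get(uid)
        if cam is None or not cam.nat.accepts(self.endpoint):
            return False
        self.log.append(f"INTRODUCE {uid} <- {caller.ip}:{caller.port}")
        cam.nat.send(caller)  # camera's outbound packet opens its NAT for the phone
        return True


def demo(punch: bool = True) -> dict:
    """Run one connection attempt; punch=False shows why the introduction step matters."""
    server = RendezvousServer(Endpoint("198.51.100.10", 8000))  # constructed
    cam = Camera("CAM-0001", Nat("203.0.113.5"), 32100)         # constructed
    server.register(cam)

    phone_nat = Nat("192.0.2.77")                                # constructed
    phone_ep = Endpoint(phone_nat.public_ip, 50000)
    target = server.lookup(cam.uid)                              # step 1: where is my camera?
    if target is None:
        return {"direct_ok": False}
    if punch:
        server.introduce(cam.uid, phone_ep)                      # step 2: server introduces peers
    phone_nat.send(target)                                       # phone opens its own NAT for replies
    direct_ok = cam.deliver(phone_ep, "STREAM_REQUEST")          # step 3: direct phone -> camera
    return {
        "direct_ok": direct_ok,
        "reply_ok": phone_nat.accepts(cam.public_ep),
        "server_saw_media": any("STREAM" in line for line in server.log),
        "server_log": list(server.log),
    }


if __name__ == "__main__":
    print(demo(punch=True))
    print(demo(punch=False))
```

With `punch=False` the phone’s first packet is dropped at the camera’s NAT, which is the reason a rendezvous service has to introduce both sides rather than merely answer the lookup.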

I understand that companies are international and have employees worldwide. They also have to follow the laws of various countries, including the US’s crypto and arms export regulations. I will say it is ironic that their Chinese-based developers and sysadmins seem a bit more on the ball in terms of best practices in information security…

Thank you for that explanation

2 Likes

Why do you keep saying “not secure” when it says “not properly secured”? There is a difference, right?

New blog post, from a user who claims to be representing 12Sec, just posted:

https://blog.12security.com/the-red-and-the-black/

They now claim Wyze to be involved in espionage against “American citizens in the United States.”

Crazy - you can’t make this stuff up. Who knows what to believe at this current point.

EDIT: added quote to include the words “American citizens in”

3 Likes

Wow, does anyone have any information on the publisher, 12 Security?

So a couple of simple questions. You say Wi-Fi passwords were exposed. Does that mean we should change our Wi-Fi password?

Just this afternoon I received an email from WYZE saying “Welcome to WYZE.com!” and thanking me for creating an account on WYZE.com. I did that a long time ago. Should I be concerned about this email?

No passwords were exposed (alleged or otherwise). Your SSID was exposed (alleged and confirmed).

3 Likes

Well, I guess if the espionage they’re doing is watching me watch college football in my theater with my Wyze camera, go for it. I’m not exactly sure what that’s going to do or how that will help China, but if they think that tracking what college football games I watch is espionage that’s going to help them in some way, by all means do it. :rofl:


maxair32 wrote:

So a couple of simple questions. You say Wi-Fi passwords were exposed. Does that mean we should change our Wi-Fi password?

Just this afternoon I received an email from WYZE saying “Welcome to WYZE!” and thanking me for creating an account. I did that a long time ago. Should I be concerned about this email?

Yeah, I’m still confused why they are storing the SSID. I don’t understand why, but I’m not worried that somebody has my SSID. You would still have to come into close proximity of my house and crack my password.

1 Like

At least he’s confirmed it now. He’s a random dude with a personal vendetta and preconceived notions he can’t prove. From what I can tell, he seems to be operating on, frankly, a xenophobic hunch. If it turns out Wyze is spying for the Chinese government, I guess I’ll have to eat my shoe.

4 Likes

Exactly. And for me personally, I live out in the middle of nowhere. So someone would really have to want something that I have, and I don’t really have much, to come all the way out here to hack into my house. I mean, we’re lucky to have Internet, because companies view the population as so small: why spend $1 million and affect 7,000 people when they can go to another town and spend $1 million and affect 70,000 people? We just got upgraded to 50 GB download speeds like a week ago, and that was a huge shock. So like I said, I live way out in the middle of nowhere, on the top of the hill; I see you coming before you get here and you’d be in the crosshairs, just saying.

Can you stop collecting information that isn’t needed, or do it in a secure way?

Don’t collect the SSID or internal network info. If you must for function, one-way hash the SSID and save the hash.

And can we stop using phone numbers and SMS for 2FA? Use OTP: more secure, much more private, and no overloaded verification servers.

Can this happen? Please?

I got nothing here.

1 Like