Smart Home Device Maker Wyze Exposed Camera Database
Technical Data Plus Emails Made It Possible to Link Cameras to People
Seattle-based smart home device maker Wyze says an error by a developer exposed a database to the internet over a three-week period earlier this month, but the security expert who found the exposure says it lasted much longer.
The data included customer emails, nicknames of online cameras, IP addresses, WiFi SSIDs, device information and Alexa tokens. Wyze says "body metrics" - physical information about beta testers of a forthcoming scale product - were also exposed. However, no personal or financial information or user passwords were exposed, the company says.
The exposure was found by Dan Ehrlich, who runs an Austin-based computer security consulting firm, Twelve Security. Ehrlich tells ISMG he found two Elasticsearch databases and a MySQL production database exposed to the internet. He believes the MySQL production database may have been exposed for as long as 11 months.
The data included email addresses for 2.88 million users worldwide, about half of whom are in the U.S., as well as a raft of technical data about their deployed Wyze cameras. An "enormous" amount of data appeared to be transferred to China, including to AWS servers there, he says.
Ehrlich says he contacted a managing editor at the Wall Street Journal and asked her if she had three Wyze cameras installed in her home. She did. Ehrlich says she told him she was going to disconnect the cameras.
In another example, Ehrlich says he could see logs for a Los Angeles man's Wyze camera, including an alert that showed to the minute when a package arrived one morning.
The security of IoT cameras has come under scrutiny, especially with rounds of credential stuffing incidents involving Google's Nest cameras and recent attacks against Amazon's Ring door cameras.
Wyze Chief Product Officer Dongsheng Song writes in a blog post that "we're devastated that we let our users down like this."
"This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond two-factor authentication," he writes.
Efforts to reach Wyze officials on Sunday, U.S. time, were not immediately successful.
Song writes that the exposure occurred after the company was seeking to optimize queries involving data contained in four production servers. The company put some data into "a more flexible" database, Song writes.
"This new data table was protected when it was originally created," he writes. "However, a mistake was made by a Wyze employee on December 4 when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened."
Song says the new database only contained a subset of data and did not involve production data tables.
Ehrlich says that the exposed data included credentials for 24,500 users who linked their Amazon Alexa to their Wyze device. Also, there was data related to tasks set up using IFTTT - which is an abbreviation for the "if this then that" scripting service - that's enabled by an API. The credentials for administering that connection were exposed, he writes.
As a result, Song writes that Wyze has unlinked all third-party devices, such as Alexas, Google Assistants and IFTTT. It is also forcing all users to log back into their accounts then generate fresh tokens. There was no evidence that API tokens for iOS and Android were affected, but Wyze is refreshing those as well.
Song says some inaccurate information has circulated about the breach. He writes that Wyze doesn't send data to Alibaba's cloud. Also, Wyze doesn't collect information about bone density or daily protein intake, nor did the company have a breach six months ago.
But Wyze acknowledged that the "body metric" data involved 140 beta testers of its new scale. The data leaked included height, weight and gender.
Wyze writes that it didn't have a lot of time to investigate the incident before it became public.
A reporter contacted the company and filed a support ticket on the morning of Dec. 26 and published a story soon afterwards, Wyze writes. Also, Wyze was alerted to Twelve Security's blog post, which went live around that time as well.
In a second, more technical blog post published on Sunday, Ehrlich writes that it would have been possible for anyone in the world to access live video streams for Wyze cameras that were online.
That is possible in two ways, Ehrlich says. The first is by abusing the leaked API tokens. Also, he says the private certificate files - full copies of the certificate chains for cameras, including private keys - were stored on the exposed MySQL server.