Insecure database exposes data of 2.4 million Wyze's customers

by Gabriel E. Hall - - 2019-12-30

A mistake by Wyze's employee resulted in three weeks of customer data exposure online

Wyze data leak Smart device maker data breach: millions of customers' data exposed online via the unprotected Elasticsearch database

A data leak was recently announced by smart tech device developer Wyze Labs: according to the official forum post, the records of 2.4 million of the company's customers were exposed online. The data breach occurred due to an employee mistake, which left the Elasticsearch system-based database vulnerable for over three weeks – from December 4 until December 26.

Wyze initially found out about the breach from an IPVM reporter^[1] that published the article about the massive data leak, which was heavily based on a security consulting company Twelve Security^[2] – the firm that found the unprotected database. While the Wyze started the investigation immediately, the co-founder Dongsheng Song denied many claims that were published in the initial article:^[3]

Several of the things that have been reported are not true. We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing. We did not have a similar breach 6 months ago.

The data leak was also confirmed by other independent sources, such as security researcher Bob Diachenko – he claimed that the database included 1,807,201,457 records.^[4]

The exposed database was created due to immense growth of Wyze

Seattle-based Wyze is a smart IoT (Internet of Things) device manufacturer that was formed two years ago by former Amazon employees who wanted to provide smart tech to customers at affordable prices. It specializes in making such devices like cameras, locks, bulbs, sensors, and other gadgets. As many users are keen to acquire cheap but high-tech devices, Wyze saw a massive success within sales rates. Unfortunately, this was one of the contributing factors to the data leak.

The database, which used an Elasticsearch system, was not a production one, but it was used by Wyze to store information about its customers. It was created in order to better track user data and measure variables for business purposes and was deemed to be more versatile and easier to use.

The database was initially configured correctly and secured with adequate measures. However, one of the employees who accessed the database on December 4 removed security protocol by mistake, which left it unprotected and accessible to everybody online.

While some reports claim that the incident was a Chinese cyber-espionage case, considering the muddled facts spewed out competitors, it is highly likely a mistake, which previously happened to numerous high-profile firms like Suprema, JustDial, Attunity,^[5] and others.

Only subset data affected – government-issued IDs, financial and login information remains safe

The IPVM report initially claimed that the following information was exposed online:

Usernames and emails
Lists of cameras at home and their nicknames
Cameras' firmware and model
WiFi SSID
API and Alexa Tokens of 24,000 users
Gender, height, weight and other body metrics of the impacted users

However, the forum post shed some more light about the incident on December 27, when D. Song exposed more details that became clear. He said that customer emails, camera nicknames, WiFi SSIDs, device information, some Alexa tokens, and health information was indeed included in the database.

The co-founder said that information like government-issued IDs, financial data, and login passwords was not compromised. Additionally, there was also no evidence to suggest that Android and iOS tokens were affected. Despite that, Wyze forced all of its customers to re-log into their accounts so that new tokens are generated.

As a result of the investigation, Wyze discovered another leaky database and immediately secured it. Just as a previous one, it did not contain any passwords, financial, or other sensitive data of the company's customers. Currently, Wyze is working on generating emails and informing all the affected users.

Wyze claimed it will be improving its security in the future to prevent similar incidents from occurring in the future:

We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this. This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ John Honovich. Wyze Massive Data Leak. IPVM. The authority on video surveillance .
^ Wyze Essay 1 - Beijing Dragon Network Co Ltd.. Twelve Security. Blog post.
^ Dongsheng Song. [Updated 12-29-19] Data leak 12-26-2019. Wyze. Official forums.
^ Bob Diachenko. As per my records, Wyze had huge Elasticsearch cluster publicly exposed. Twitter. Social Network.
^ Lucia Danes. Leaky AWS S3 buckets disclose sensitive data of Netflix, Ford. 2-spyware. Cybersecurity news and articles.