IoT provider Wyze admits data leak

[German]Another addendum from the weekend. The IoT provider Wyze just had to admit a data leak. Nearly 2.4 million user data were stored unprotected on a server on the Internet.


Who is Wyze?

Wyze is a US supplier of 'cheap' smart home devices such as cameras, lamps, locks and the like. The whole thing was founded by former Amazon employees. How the company is connected to China and Alibaba (see the notes here) is still unclear to me. 

(Shop with Wyze products, source:

All these beautiful, new and smart devices naturally need access to the cloud so that the owner can access the data via app. And the owners create an account with access data for this purpose.

The Data Leak

I already became aware of the data leak over the weekend via the following tweet from Catalin Cimpanu


The provider was informed by the security researchers of bout the data leak on an Elasticsearch database server – as can be read on ZDNet – on 26 December 2019 shortly before the publication of a paper. IPVM verified the data, as you can read here. The provider Wyze made the data leak public in a report on 26/27 December 2019.  

On December 26th at around 10:00 AM, we received a report of a data leak. We immediately restricted database access and began an investigation.

Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.

The background: In order to cope with Wyze's extremely rapid growth, the supplier recently launched a new internal project. It is about better ways to measure basic business metrics such as device activation, and finding failed connection rates, etc. To do this, the vendor has copied some data from its main production servers and placed it in a more flexible and easily searchable database (Elastic Search Database). This new data table was protected when it was originally created.

However, on December 4, 2019, a Wyze employee made a mistake using this database and the previous security settings for this data were removed. As a result, this data was freely accessible. Wyze writes that the production databases were not accessible, but only the new tables with the extracted data. Although no user passwords or personal and financial information of Wyze users were stored.

But the publicly accessible tables contained customer email addresses, camera names (aliases), WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. Email addresses of family members who were given access to the cameras were also included. Details can be found here.

The discoverers of the database state, that the sensitive data was all randomly generated outside China. About 24% of the retrievable data related to users in the USA, UK, United Arab Emirates, Egypt and parts of Malaysia. However, Wyze co-founder Dongsheng Song denies that data was transferred to China, to the Alibaba platform. The dirty side of the story: 7 months ago, there was already this news that strangers could access private feeds from Wyze cameras (here are some details). It is said to have been an isolated incident where a camera changed hands and the previous owner was able to continue viewing the data.

All precautionary reset

According to Wyze, there is no evidence that API tokens for iOS and Android have been uncovered. However, the vendor has decided to update all of these access tokens as a precautionary measure. All Wyze users have been forced to re-login to their Wyze account to generate new tokens.

In addition, the provider has removed all 3rd party integrations, which meant that users had to reconnect the integrations with Alexa, The Google Assistant and IFTTT to get the functionality of these services back. As an additional step, the manufacturer plans to take measures to improve camera security, which will cause Wyze cameras to reboot in the next few days.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *