{"id":12476,"date":"2019-12-30T13:32:30","date_gmt":"2019-12-30T12:32:30","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12476"},"modified":"2021-05-21T18:42:44","modified_gmt":"2021-05-21T16:42:44","slug":"iot-anbieter-wyze-gesteht-datenleck-ein","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/12\/30\/iot-anbieter-wyze-gesteht-datenleck-ein\/","title":{"rendered":"IoT provider Wyze admits data leak"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/12\/30\/iot-anbieter-wyze-gesteht-datenleck-ein\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>] Another addendum from the weekend. The IoT provider Wyze just had to admit a data leak. The records of nearly 2.4 million users were stored unprotected on a server reachable from the Internet. <\/p>\n<p><!--more--><\/p>\n<h2>Who is Wyze?<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Wyze_Labs\" target=\"_blank\" rel=\"noopener noreferrer\">Wyze<\/a> is a US supplier of 'cheap' smart home devices such as cameras, lamps, locks and the like. The company was founded by former Amazon employees. 
How the company is connected to China and Alibaba (see the <a href=\"https:\/\/web.archive.org\/web\/20210401030727\/https:\/\/blog.12security.com\/wyze\/\" target=\"_blank\" rel=\"noopener noreferrer\">notes here<\/a>) is still unclear to me.&nbsp; <\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"Wyze-Produkte\" alt=\"Wyze-Produkte\" src=\"https:\/\/web.archive.org\/web\/20210401030729\/https:\/\/blog.12security.com\/content\/images\/2019\/12\/screencapture-wyze-shop-html-2019-12-26-08_13_21.png\" width=\"621\" height=\"642\"><br \/>(Shop with Wyze products, source: 12security.com)<\/p>\n<p>All these shiny new smart devices naturally need access to the cloud so that the owner can reach the data via an app, and for that the owners create an account with login credentials.<\/p>\n<h2>The Data Leak<\/h2>\n<p>I already became aware of the data leak over the weekend via the following tweet from Catalin Cimpanu:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">IoT vendor Wyze confirms server leak<\/p>\n<p>* Data for 2.4m users exposed online<br \/>* Leak lasted 22 days (Dec 4 to Dec 26)<br \/>* Leak source: Elasticsearch<br \/>* Wyze appears to have been notified 9 minutes before the security firm published its findings <a href=\"https:\/\/t.co\/6eyA9ZvVc7\">https:\/\/t.co\/6eyA9ZvVc7<\/a> <a href=\"https:\/\/t.co\/ZzfDBZKxWW\">pic.twitter.com\/ZzfDBZKxWW<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1211122632843763713?ref_src=twsrc%5Etfw\">December 29, 2019<\/a><\/p><\/blockquote>\n<p>The provider was <a href=\"https:\/\/web.archive.org\/web\/20210401030727\/https:\/\/blog.12security.com\/wyze\/\" target=\"_blank\" rel=\"noopener noreferrer\">informed<\/a> by the security researchers of <a 
href=\"https:\/\/web.archive.org\/web\/20210401030727\/https:\/\/blog.12security.com\/wyze\/\" target=\"_blank\" rel=\"noopener noreferrer\">12Security.com<\/a> about the data leak on an Elasticsearch database server &#8211; as can be <a href=\"https:\/\/www.zdnet.com\/article\/iot-vendor-wyze-confirms-server-leak\/\" target=\"_blank\" rel=\"noopener noreferrer\">read on ZDNet<\/a> &#8211; on 26 December 2019, only minutes before the researchers published their report. IPVM verified the data, as you can <a href=\"https:\/\/ipvm.com\/reports\/wyze-leak\" target=\"_blank\" rel=\"noopener noreferrer\">read here<\/a>. Wyze made the data leak public <a href=\"https:\/\/forums.wyzecam.com\/t\/updated-12-29-19-data-leak-12-26-2019\/79046\" target=\"_blank\" rel=\"noopener noreferrer\">in a statement<\/a> on 26\/27 December 2019:<\/p>\n<blockquote>\n<p>On December 26th at around 10:00 AM, we received a report of a data leak. We immediately restricted database access and began an investigation.  <\/p>\n<p>Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.<\/p>\n<\/blockquote>\n<p>The background: to cope with its extremely rapid growth, Wyze recently launched a new internal project to find better ways of measuring basic business metrics such as device activations and failed connection rates. To do this, the vendor copied some data from its main production servers into a more flexible and easily searchable database (an Elasticsearch database). According to Wyze, this new data table was protected when it was originally created. <\/p>\n<p>However, on December 4, 2019, a Wyze employee made a mistake while working with this database, and the security settings that had protected this data were removed. As a result, the data was freely accessible from the Internet for 22 days. Wyze writes that the production databases were not accessible, only the new tables with the extracted data. 
According to Wyze, no user passwords and no personal financial information of Wyze users were stored there.  <\/p>\n<p>The publicly accessible tables did, however, contain customer email addresses, camera names (aliases), WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. Email addresses of family members who had been given access to the cameras were also included. Details can be found <a href=\"https:\/\/web.archive.org\/web\/20210401030727\/https:\/\/blog.12security.com\/wyze\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.  <\/p>\n<blockquote>\n<p>The discoverers of the database <a href=\"https:\/\/web.archive.org\/web\/20210401030727\/https:\/\/blog.12security.com\/wyze\/\" target=\"_blank\" rel=\"noopener noreferrer\">state<\/a> that the sensitive data was all randomly generated outside China. About 24% of the retrievable data related to users in the USA, UK, United Arab Emirates, Egypt and parts of Malaysia. However, Wyze co-founder Dongsheng Song denies that data was transferred to Alibaba's cloud platform in China. The unpleasant side of the story: seven months ago there was already <a href=\"https:\/\/news.ycombinator.com\/item?id=20071090\" target=\"_blank\" rel=\"noopener noreferrer\">this news<\/a> that strangers could access private feeds from Wyze cameras (<a href=\"https:\/\/www.reddit.com\/r\/wyzecam\/comments\/bvis0f\/psa_asking_alexa_to_show_your_wyze_camera_might\/\" target=\"_blank\" rel=\"noopener noreferrer\">some details here<\/a>). It is said to have been an isolated incident in which a camera changed hands and the previous owner was able to keep viewing the feed.<\/p>\n<\/blockquote>\n<h2>Everything reset as a precaution<\/h2>\n<p>According to Wyze, there is no evidence that the API tokens for iOS and Android were exposed. Nevertheless, the vendor decided to refresh all of these access tokens as a precaution, invalidating the old ones. 
All Wyze users were forced to log in to their Wyze account again to obtain new tokens. <\/p>\n<p>In addition, the provider removed all third-party integrations, which meant that users had to reconnect the integrations with Alexa, the Google Assistant and IFTTT to get the functionality of these services back. As a further step, the manufacturer plans measures to improve camera security, which will cause Wyze cameras to reboot in the next few days. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] Another addendum from the weekend. The IoT provider Wyze just had to admit a data leak. The records of nearly 2.4 million users were stored unprotected on a server reachable from the Internet.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[1166,69],"class_list":["post-12476","post","type-post","status-publish","format-standard","hentry","category-security","tag-data-leak","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12476"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12476\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12476"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
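The root cause described in the post's "The Data Leak" section is an Elasticsearch copy of production data whose access controls were removed, leaving the node answering anyone on the Internet. The following script is an added example, not code from Wyze, 12Security or the blog, of the check a practitioner would run against their own clusters: it classifies the answer to an unauthenticated GET / and, if the node talks, lists the non-system indices it exposes via _cat/indices. The sample responses, index names, document counts and the host URL are constructed for illustration.

```python
"""Check whether an Elasticsearch node answers without authentication.

Added example, not Wyze's or 12Security's code. The sample responses below
are constructed; they mirror the shape of real Elasticsearch replies.
"""
import json
import urllib.error
import urllib.request

# Constructed: what a node with security disabled returns on GET /.
OPEN_ROOT = (200, json.dumps({
    "name": "node-1",
    "cluster_name": "metrics",
    "version": {"number": "7.4.0"},
    "tagline": "You Know, for Search",
}))
# Constructed: what a node with authentication enabled returns without credentials.
LOCKED_ROOT = (401, json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
}))
# Constructed: GET /_cat/indices?format=json on an open node.
OPEN_INDICES = (200, json.dumps([
    {"index": "device_activation", "docs.count": "2400000", "store.size": "1.1gb"},
    {"index": ".kibana_1", "docs.count": "12", "store.size": "40kb"},
]))


def classify_root(status, body):
    """Classify a GET / reply as 'open', 'auth_required' or 'unknown'."""
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # An unauthenticated caller should never see cluster name and version.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def exposed_indices(status, body, min_docs=1000):
    """From a _cat/indices?format=json reply, list (index, docs) for user indices
    holding at least min_docs documents; dot-prefixed system indices are skipped."""
    if status != 200:
        return []
    try:
        rows = json.loads(body)
    except ValueError:
        return []
    found = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        try:
            count = int(row.get("docs.count", "0"))
        except ValueError:
            continue
        if count >= min_docs:
            found.append((name, count))
    return found


def http_get(url, timeout=5):
    """Fetch url with no credentials and return (status, body). Network helper only."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url):
    """Probe a live node, e.g. 'http://10.0.0.5:9200' (hypothetical address)."""
    verdict = classify_root(*http_get(base_url + "/"))
    if verdict != "open":
        return verdict, []
    return verdict, exposed_indices(*http_get(base_url + "/_cat/indices?format=json"))


if __name__ == "__main__":
    # Offline walk-through on the constructed replies.
    print(classify_root(*OPEN_ROOT), exposed_indices(*OPEN_INDICES))
    print(classify_root(*LOCKED_ROOT))
```

An "open" verdict on a node reachable from outside the VPC is the Wyze situation. On Elasticsearch 6.8/7.x the direct fix is xpack.security.enabled: true with configured users, and network.host bound to a non-public interface; the more durable fix is that an analytics copy should never have carried SSIDs, e-mail addresses or Alexa tokens in the first place.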
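The token reset described in the post's last section (all access tokens refreshed, every user forced to log in again) does not require walking a list of tokens: the server keeps one "not before" timestamp and rejects any token issued earlier. The following is an added example, not Wyze's code; the HMAC-signed token format, the demo key, the user IDs and the two timestamps (leak start and incident response) are assumptions chosen to match the dates in the post.

```python
"""Global token revocation by a server-side 'not before' cutoff.

Added example, not Wyze's code. The token format (HMAC-SHA256 over a
base64url JSON payload), the demo key and the timestamps are assumptions.
"""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-do-not-use"  # constructed; real keys live in a secret store
LEAK_START = 1575417600         # 2019-12-04 00:00 UTC, constructed timestamp
INCIDENT_RESPONSE = 1577354400  # 2019-12-26 10:00 UTC, constructed timestamp


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, issued_at: int, key: bytes = DEMO_KEY) -> str:
    """Mint '<payload>.<sig>' with sig = HMAC-SHA256(key, payload)."""
    claims = {"sub": user_id, "iat": issued_at}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return payload + "." + sig


class TokenVerifier:
    """Verifies tokens; moving one cutoff kills every token issued before it."""

    def __init__(self, key: bytes = DEMO_KEY, max_age: int = 30 * 86400):
        self.key = key
        self.max_age = max_age
        self.not_before = 0  # tokens with iat < not_before are rejected

    def revoke_all(self, now: int) -> None:
        """Force re-login for every user: one write, no per-token revocation list."""
        self.not_before = now

    def verify(self, token: str, now: int):
        """Return the subject of a valid token, or None."""
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = _b64(hmac.new(self.key, payload.encode("ascii"), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        try:
            claims = json.loads(_unb64(payload))
            iat = int(claims["iat"])
            sub = str(claims["sub"])
        except (ValueError, KeyError, TypeError):
            return None
        if iat > now or now - iat > self.max_age:
            return None
        if iat < self.not_before:  # issued before the incident response: dead
            return None
        return sub


def demo():
    """Walk through the incident: old token works, cutoff moves, old token dies."""
    verifier = TokenVerifier()
    old = issue_token("user-42", LEAK_START)
    before = verifier.verify(old, LEAK_START + 100)
    verifier.revoke_all(INCIDENT_RESPONSE)
    after = verifier.verify(old, INCIDENT_RESPONSE + 10)
    fresh = issue_token("user-42", INCIDENT_RESPONSE + 5)
    relogin = verifier.verify(fresh, INCIDENT_RESPONSE + 10)
    return before, after, relogin


if __name__ == "__main__":
    print(demo())
```

The cutoff lives on the server, so a leaked token that was valid on December 4 is dead the moment the cutoff is set on December 26, even though its signature still verifies; the old token here is still inside its 30-day lifetime and is rejected by the cutoff alone. The same mechanism covers third-party integration tokens if they are minted by the same issuer.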