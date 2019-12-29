


Wyze, a company that sells smart devices such as security cameras, smart plugs, smart light bulbs and smart door locks, today confirmed a server leak that exposed the details of approximately 2.4 million customers.

The leak occurred after an internal database was accidentally exposed online, Wyze co-founder Dongsheng Song said in a forum post published at Christmas.

Song said that the exposed database, an Elasticsearch system, was not a production system; however, the server was storing valid user data. Elasticsearch is a search and analytics engine built for fast queries over large data sets, and the server had been set up to help the company analyse its large volume of user data. The Wyze executive explained:

"To help manage Wyze's extremely fast growth, we recently started a new internal project to find better ways to measure basic business metrics, such as device activations, failed connection rates, etc.

We copy some data from our main production servers and place it in a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a Wyze employee made a mistake on December 4 when they used this database and the previous security protocols for this data were removed. We are still investigating this event to find out why and how this happened."

The leaking server was discovered and documented by the cybersecurity consulting firm Twelve Security and independently verified by reporters at IPVM, a blog dedicated to video surveillance products.

Song expressed his dissatisfaction with the way the two parties, Twelve Security and IPVM, handled the disclosure of the data leak, giving Wyze only 14 minutes to address the leak before making their findings public.

"We were first contacted through a support ticket at 9:21 am on December 26 by an IPVM.com journalist. The article was published almost immediately after (published on Twitter at 9:35 am). It was published along with a blog post from a private security company, also published on December 26. A community member who had read the article informed us of this article at 10:00 am."

Song confirmed that the leaking server exposed details such as the email addresses that customers used to create Wyze accounts, the nicknames that users assigned to their Wyze security cameras, the SSIDs of users' Wi-Fi networks and, for 24,000 users, the Alexa tokens used to connect Wyze devices to Alexa devices.

The Wyze executive denied that Wyze API tokens were exposed through the server. In their blog post, Twelve Security said they found API tokens that, according to them, would have allowed attackers to access Wyze accounts from any iOS or Android device.

Song also denied Twelve Security's claim that Wyze was sending user data to an Alibaba Cloud server in China.

Song also addressed Twelve Security's claim that Wyze was collecting health information. The Wyze executive said the company had only collected health data from 140 users who were beta testing a new smart scale product.

Song did not deny that Wyze collected information on height, weight and gender, but he denied that other kinds of health data were collected.

"We have never collected bone density and daily protein intake," said the Wyze executive. "We wish our scale were so great."

For now, the three parties involved in the disclosure of this leak seem to disagree on the details. Either way, Wyze said it decided to forcibly log all Wyze users out of their accounts and to unlink all third-party application integrations, two steps that will generate new Wyze API tokens and Alexa tokens once users log back in and re-link their Alexa devices to their Wyze accounts.
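The forced logout and integration unlinking described above work because an access token is only as good as the server's willingness to honour it. The following Python is an added illustration of one common way to implement such a mass revocation; it is not Wyze's code and the token format, store names and `revoke_all_sessions` helper are assumptions made for the example. Each token is HMAC-signed and carries a per-user "generation" number; revoking every session bumps each user's generation and clears linked integrations, so any token minted earlier fails validation and a fresh login (and re-link) is required.

```python
"""Forced-logout token rotation (added example; hypothetical design, not Wyze's)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed: per-deployment signing key. A real service would load this from
# a secrets manager rather than generating it at import time.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory stores standing in for a database:
#   user id -> current token generation (bumped on forced logout)
#   user id -> set of linked third-party integrations (cleared on unlink)
TOKEN_GENERATION = {"user-1": 0, "user-2": 0}
LINKED_INTEGRATIONS = {"user-1": {"alexa"}, "user-2": set()}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so tokens cannot be forged or altered."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Mint a token bound to the user's *current* generation."""
    gen = TOKEN_GENERATION[user_id]
    payload = f"{user_id}:{gen}"
    return f"{payload}:{_sign(payload)}"


def validate_token(token: str) -> Optional[str]:
    """Return the user id if the token is authentic and current, else None."""
    try:
        user_id, gen_str, sig = token.rsplit(":", 2)
        gen = int(gen_str)
    except ValueError:
        return None  # malformed
    payload = f"{user_id}:{gen}"
    if not hmac.compare_digest(sig, _sign(payload)):
        return None  # forged or tampered
    if gen != TOKEN_GENERATION.get(user_id):
        return None  # issued before a forced logout, or unknown user
    return user_id


def revoke_all_sessions() -> int:
    """Force every user to log in again and re-link integrations.

    Bumping the generation invalidates every outstanding token without needing
    to know which tokens exist. Returns the number of users affected.
    """
    for uid in TOKEN_GENERATION:
        TOKEN_GENERATION[uid] += 1
        LINKED_INTEGRATIONS[uid] = set()
    return len(TOKEN_GENERATION)


def link_integration(user_id: str, name: str) -> None:
    """Re-link a third-party integration after the user logs back in."""
    LINKED_INTEGRATIONS[user_id].add(name)


def linked_integrations(user_id: str) -> set:
    return set(LINKED_INTEGRATIONS[user_id])


if __name__ == "__main__":
    old = issue_token("user-1")
    print("valid before revocation:", validate_token(old))
    revoke_all_sessions()
    print("valid after revocation:", validate_token(old))
    print("valid after re-login:", validate_token(issue_token("user-1")))
```

The design choice worth noting is that revocation is a single counter update per user rather than a search for every token in circulation, which is exactly what makes a fleet-wide "log everyone out" response practical after a leak of token material.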

According to my records, Wyze had a large Elasticsearch cluster publicly exposed. It included 1,807,201,457 records: registration data, API requests and events. https://t.co/RtxDLiqPtC

– Bob Diachenko (@MayhemDayOne) December 28, 2019