
IoT Vendor Wyze Labs Suffers Massive Data Breach

TacticalSquid

Wyze Labs, maker of the popular, cheap security cameras (and later other IoT devices), suffered a breach of 2.4 million users' information in early December, according to a ZDNET article. This data was copied from internal servers to a new one that would allow information to be more easily searched utilizing something called Elasticsearch. This and another database were left unsecured for nearly a month as a result of an employee mistake (Dec 4) at Wyze, and "previous security protocols were removed." Wyze remained unaware of it until a reporter at IPVM contacted them via a support ticket on Dec 26th, 14 minutes before the article was "published to Twitter" alongside the security firm's blog post. Twelve Security is the cyber security firm that initially discovered and documented the breach.

 

Naturally, there are disagreements between the firm's findings and Wyze as far as what exactly was leaked which purportedly includes:

  • User name and email of those who purchased cameras and then connected them to their home
  • 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
  • Email of any user they ever shared camera access with such as a family member
  • List of all cameras in the home, the nicknames for each camera, device model and firmware
  • WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
  • API Tokens for access to the user account from any iOS or Android device
  • Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
  • Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users

Additionally, past concerns have been raised about previous routing of traffic to China, which this Reddit thread brought up and which saw a response from a Wyze employee stating that they utilize a streaming service called Throughtek which "has servers all over the world for load balancing," with a follow-up stating they "...managed to limit v2 camera traffic within US with our latest firmware."

 

These concerns were raised yet again by the security firm with this current event, their blog stating "there are clear indications that the data is being sent back to the Alibaba Cloud in China," coupled with the fact a "similar breach of Wyze occurred only six months ago."

 

These events aren't what I would call unique, seeing as how even Amazon/Google's IoT divisions have issues with vulnerabilities, and this further highlights the potential vulnerabilities every device adds to a network. To Wyze's credit, they did appear to act quickly by forcing all users to log back in at 1:29pm (apparently the same day according to the Wyze forum post) as well as locking down the initially affected database and presumably the second database found on the 29th in the update.

 

 

References:

https://www.zdnet.com/article/iot-vendor-wyze-confirms-server-leak/

Security Firm's Blog: https://blog.12security.com/wyze/

IPVM: https://ipvm.com/reports/wyze-leak

Wyze Forum Post: https://forums.wyzecam.com/t/updated-12-29-19-data-leak-12-26-2019/79046


Ah balls, that's unfortunate. Guess those are going in the trash now. Not sure how I didn't hear about the previous one. Only use one for a 3D print cam, but that's some stupid security there.


More reasons why I just can't bring myself to trust IoT devices... Or really anything "cloud" related even if it's "the future".

If I can't operate it Offline, by myself, on my own network/server/computer, it has no place in my home and I will keep thinking like that until I simply have no other choices.


1 hour ago, TetraSky said:

More reasons why I just can't bring myself to trust IoT devices... Or really anything "cloud" related even if it's "the future".

If I can't operate it Offline, by myself, on my own network/server/computer, it has no place in my home and I keep thinking like that until I simply have no other choices.

I still use Office 2016! Fuck 365! I would rather pay once and get it over with!

The only cloud service I use is the backups that my phone automatically does.

That's it. Even then there are other services such as Migrate that are much better and allow for offline backups and restores of app data, phone logs, SMS crap, the app APKs and contacts! (Hell, I was able to keep my Twitter drafts even though I had to sign in to the app again to access them! (Twitter doesn't sync them across devices, that's something they should add.))


3 hours ago, TetraSky said:

More reasons why I just can't bring myself to trust IoT devices... Or really anything "cloud" related even if it's "the future".

If I can't operate it Offline, by myself, on my own network/server/computer, it has no place in my home and I keep thinking like that until I simply have no other choices.

There will always be non-cloud choices.  The whole world isn't online, as much as tech companies often like to think they are.  There are also a lot of really cool projects, including open source, for enthusiast communities (for example, Raspberry Pi), that can do a lot for cheap as well.

 

I'm with you, that's why I run an isolated network for things, as well as use older versions of many bits of software like Adobe before cloud subscriptions, and I still buy and own CDs instead of downloaded digital copies.


3 hours ago, TetraSky said:

More reasons why I just can't bring myself to trust IoT devices... Or really anything "cloud" related even if it's "the future".

If I can't operate it Offline, by myself, on my own network/server/computer, it has no place in my home and I keep thinking like that until I simply have no other choices.

Or rather can't trust company security nowadays.


6 hours ago, TetraSky said:

More reasons why I just can't bring myself to trust IoT devices... Or really anything "cloud" related even if it's "the future".

If I can't operate it Offline, by myself, on my own network/server/computer, it has no place in my home and I will keep thinking like that until I simply have no other choices.

Home IoT devices are evil. They add massive vulnerability to your home to save fractions of seconds that weren't worth the cost to save in general. 

 

Business IoT has use because the efficiency of the space being monitored is invested in, but you can also invest in the security of that in ways a home user would never be able to.


13 hours ago, TacticalSquid said:

Naturally, there are disagreements between the firm's findings and Wyze as far as what exactly was leaked

Translation: Wyze pretends that there are disagreements in an effort to try to downplay how serious the breach was, but in truth everything that was claimed to have been leaked was leaked.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


10 hours ago, justpoet said:

There will always be non-cloud choices.  The whole world isn't online, as much as tech companies often like to think they are.  There are also a lot of really cool projects, including open source, for enthusiast communities (for example, Raspberry Pi), that can do a lot for cheap as well.

Indeed. I am one of those nerds that are slowly building their own, homebrew home-automation system and sure, it is a lot more work than going with a premade system, but on the other hand, I am fully in control of what goes where and I don't have to give anything Internet-access at all while still having it all fully working.


So changing account password

And changing wifi credentials

Make it safe again?


Would choosing non-cloud surveillance devices (where you have to set up everything from Hosts to DNS) be more secure?


On 12/29/2019 at 6:19 PM, TempestCatto said:

There are two kinds of tech enthusiasts:

  1. The person who must have the latest and greatest
  2. The person who has a printer from 1998 and a loaded shotgun next to it in case it tries something funny

 

I'm glad for my shotgun.

What if it grabs the shotgun? That's why mine's locked up with the shotgun well out of its reach.


23 minutes ago, Beskamir said:

What if it grabs the shotgun? That's why mine's locked up with the shotgun well out of its reach.

I'm sure it's just a joke. But I'll never understand why people lock up their guns. When an intruder comes in, you can't just be like "Oi hold on, mate. Gotta find my keys to unlock the safe. Oop. Hold on, gotta load it real quick. Bah. Where's that box of ammo now? Oh, there it is. Hang on. Just one more minute...oka - oh. All my shit's gone. Right then. Time to put this away again."

 

I carry all the time, even in my own house. Partly because I'm too lazy to de-gun, and partly because I want to always be ready.

 

One could make the argument of kids, I suppose. But that's why secret compartments exist. Like that one that's a header for a bed and you just push in on it and it dispenses a freedom stick.

 

EDIT: I realize now you mean that you have the printer locked up. Not the freedom stick. Oh well.


11 hours ago, TempestCatto said:

I'm sure it's just a joke. But I'll never understand why people lock up their guns. When an intruder comes in, you can't just be like "Oi hold on, mate. Gotta find my keys to unlock the safe. Oop. Hold on, gotta load it real quick. Bah. Where's that box of ammo now? Oh, there it is. Hang on. Just one more minute...oka - oh. All my shit's gone. Right then. Time to put this away again."

 

I carry all the time, even in my own house. Partly because I'm too lazy to de-gun, and partly because I want to always be ready.

 

One could make the argument of kids, I suppose. But that's why secret compartments exist. Like that one that's a header for a bed and you just push in on it and it dispenses a freedom stick.

 

EDIT: I realize now you mean that you have the printer locked up. Not the freedom stick. Oh well.

Yeah, I was referring to locking up the printer.

 

Also I'm in US Lite (Canada) so I don't get to have a freedom stick. Plus, if we're on the topic of whether guns should be locked up or not, I'd argue they should, since the probability that someone's actually going to break in is tiny but the probability that it gets misused either by you (don't take this personally as I just don't consider anyone above average) or someone else in your home when it's easily accessible is considerably larger, and thus I'd say carrying it around all the time or having it accessible is more of a risk than locking it up or keeping it unloaded.
