Wyze data leak: Key takeaways from server mistake that exposed information from 2.4M customers – GeekWire

Seattle-area startup Wyze offers low-cost video security cameras and other IoT devices. (Wyze Photo)

Post updated at 6 p.m. on Dec. 29.

Seattle-area startup Wyze, a provider of home video cameras and other Internet of Things (IoT) devices, announced on Dec. 26 that it had been informed of a data leak that reportedly exposed the personal information of 2.4 million of its customers.

The problem arose from "a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.," writes Dongsheng Song, Wyze co-founder and chief product officer, in the company's post.

"We copied some data from our main production servers and put it into a more flexible database that is easier to query," he explains. "This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed."

Founded in 2017 by a group of Amazon veterans, Wyze offers a series of low-priced cameras, plugs, bulbs and other smart-home devices. The company, based in Kirkland, Wash., has raised $20 million in venture capital. GeekWire has contacted Wyze for additional comment.

To Wyze's credit, it has been very detailed in describing what happened, when, why, how, and what the company is doing about it.

A post by Twelve Security claimed that the leaked data included the following:

Wyze quoted that list in its original post but added, "We don't collect information about bone density and daily protein intake even from the products that are currently in beta testing."

In looking over this event, there are ten key security and privacy takeaways.

Wyze has been upfront about the manner in which it was informed of the leak, with little or no time to mitigate the problem before it was made public. ZDNet's Catalin Cimpanu summed up the feelings of many (likely including Wyze) about whether this disclosure was responsible or not.

These are valid and reasonable concerns. As is often the case regarding the disclosure wars, there likely won't be any resolution, but instead a renewed airing of both sides of the argument. Those supporting the disclosure can and will say the information was public for a number of days and holding that information back prolongs the risk. Those against it will say this just wasn't enough time for the vendor to take action. Either way, this situation shows that the disclosure wars will continue so long as there's no collective agreement on how to handle these situations.

One thing to Wyze's credit: they clearly jumped on this fast once it broke. The company's post states: "Immediately upon hearing about a potential breach, Wyze mobilized the appropriate developers and executives (CEO and CPO) to address the allegations."

It adds later, "This means that all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT."

This level of response and these steps are reasonable to address the risks around potentially lost authentication tokens. These are also actions that will impose a burden on users.

Going back to our first point, people can and will argue how much of this response is due to the nature of the disclosure. But these are good, concrete steps, which put security ahead of ease-of-use: Wyze is risking user frustration for better security.

One thing that Wyze isn't doing, however, is forcing password resets on users. While Wyze has said that passwords weren't stolen, it's often hard to be certain. And if the current situation involving Amazon's Ring has taught us anything, it's that people are regularly reusing passwords, especially where IoT devices are concerned. Not forcing a password reset is missing an opportunity to be thorough in the response to improve overall customer security.

Ring has been in the news a lot lately for being hacked. As I've noted, the nature of those hacks boils down to the inherent weakness of relying on passwords. This situation is different because it's a leak of data held by Wyze. In fact, it even appears that password information wasn't involved.

In this case, even if you've used two-factor authentication (2FA), you still are at risk from this data breach.

If the Ring situation has reminded us of the risks of password reuse and the overall weakness of passwords as a security measure for IoT, this breach helps show us the risks inherent to losing the kind of data used by IoT and health-related devices in the home.

By their very nature, IoT devices are integrated into our most intimate spaces. Cameras in particular represent a major window into our most protected personal spaces, as we've seen in the reactions to the Ring situation.

Looking at the information that's potentially lost in this breach, we get a more concrete sense of what IoT data breaches can mean in real terms.

In particular, Wyze notes that the data loss includes: "List of all cameras in the home, nicknames for each camera, device model and firmware. WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app."

This data is troubling because it can give very specific information that can be useful for real-world crime. People regularly name devices in ways that are descriptive for themselves, not expecting them to be publicly known. For example, people might name a camera in a child's room "Betty's Room." Information like this can give an attacker information about who is in the house, where they might be and where cameras are going to be placed. All of this can be useful information for people who want to enter the home for malicious purposes.

One thing that Wyze has not recommended, which I would recommend, is that users rename their internal WiFi SSIDs, rename their cameras and potentially reposition those cameras. All these steps can mitigate the risks of that information now being publicly accessible.

Another piece of the exposed data is this: "Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users."

Wyze goes to some length to point out that the information lost only affects a very small subset of their users, specifically 140 external beta testers. Yes, that is a very small number of people. But the information that was exposed is very sensitive and very personal health information. It's a reminder of the nature of the data that's being handled by IoT and health devices.

The similarities to the Capital One data breach are striking. In this case, as Wyze says: "a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed."

While this isn't exactly the same thing that happened with Capital One, in both cases you have data that was accessible in the cloud without appropriate security protections due to human error. It's also notable that in both cases, auditing and monitoring failed to catch the misconfiguration.

Both of these cases are a reminder that, unfortunately, when things are deployed to the cloud, the risks of exposure and breach are frequently greater. And in terms of IT operations and practice, the controls and countermeasures often aren't as robust and mature for cloud deployments as they are for traditional on-premises deployments.

For startups, there are two lessons, as well. One is cautionary and the other potentially positive.

First the cautionary tale: speed kills.

Once again, to its credit, Wyze is open about what happened, and there's a very clear message for startups. From the company's posting: "To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query."

Two things happened here that are common for startups. First, the company experienced sudden, fast growth. Second, it moved quickly to address the implications of the growth.

As noted above, it was during this fast move that, at some point, the security that had protected the data was removed by an employee.

It's great that Wyze was able to move fast to address issues related to their fast growth. But this is also a reminder that speed can kill. Mistakes happen when things move fast and there's little checking. This is a risk that all startups face and should be conscious of.

Of course, the speed that can kill you as a startup can also save you. The fast response that we see from Wyze is an example of the speed startups can achieve. Another positive aspect of this speed is shown in the statement that Wyze is going to bump up priority for user-requested security features beyond 2-factor authentication.

If we compare and contrast this with Ring's response to its current situation, the difference is stark. Ring has made no announcements of any major plans to improve security capabilities in the wake of stories of Ring devices being hacked. By contrast, Wyze has committed early and openly to reworking their prioritization of new user-requested security features.

Here too is another lesson for startups: use the speed and agility that being a startup gives you to move quickly to turn disadvantage into advantage.

In its post, Wyze very clearly refuted the claim that it is sending data to Alibaba's cloud in China. A question and answer in the post speaks directly to this:

Is there validity to the claim that Wyze is sending user data to China?

Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.

It goes on to note that the company has employees and manufacturers in China, but "Wyze does not share user data with any government agencies in China or any other country."

The fact that this claim was made and Wyze feels a need to refute it points to another takeaway: there is an emerging, almost McCarthyite trend lately to imply or allege that tech companies with ties to China are storing data in China and/or sharing data with the Chinese government. We've seen similar insinuations in regards to TikTok as well.

Partly, this represents the sort of speculation that can fill a vacuum when companies don't provide clear information themselves about where they store their data. A few years ago, people, especially in Europe, were concerned about data being stored in the United States and its possibly being subject to seizure under the Patriot Act. Now, people are concerned about data being stored in China and accessible by the government there.

One thing companies can do to mitigate this concern is to be open about where they store data.

Beyond that, though, there is clearly heightened concern now about data being stored and shared with China, and that concern is manifesting in claims and insinuations about data being stored or shipped there.

The Wyze breach is a serious one. And Wyze deserves credit for doing a lot of things right, quickly, in response. But as we dig into it more, we can see that this situation raises a number of issues around IoT devices, data storage, security and incident response.

We can all learn from this, which is one reason why it's so good that the Wyze team has been open and up front about the situation: it helps the industry learn and grow collectively. And because Wyze is a startup, its experience and response have particular lessons for other up-and-coming companies in the IoT space.

Update: Wyze disclosed an additional issue in a Dec. 29 update to its post.

"We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak."

We've also clarified our post above to note that Wyze says it doesn't collect information about protein intake or bone density, contrary to a report that said such data was included in the leak.
