
Wyze Exposes User Data Via Unsecured ElasticSearch Cluster

Accepted submission by upstart at 2019-12-30 16:59:07
News

Wyze Exposes User Data via Unsecured ElasticSearch Cluster [bleepingcomputer.com]:

Image: Wyze, BleepingComputer

Smart home tech maker Wyze Labs confirmed that data belonging to over 2.4 million of its users was exposed by an unsecured database connected to an Elasticsearch cluster for over three weeks, from December 4 to December 26.

The company discovered the incident after receiving an inquiry from an IPVM reporter via a "support ticket at 9:21 a.m. on December 26," immediately followed by IPVM publishing [ipvm.com] a piece "at 9:35 a.m." covering the exposed database discovered by security consulting firm Twelve Security [12security.com].

However, as Dongsheng Song, Wyze's Co-Founder and Chief Product Officer said [wyzecam.com] in a blog post, some of the reported information wasn't accurate.

"We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing," he said in response to Twelve Security's disclosure and IPVM's story. "We did not have a similar breach 6 months ago."

This one impacting @WyzeCam [twitter.com] looks pretty serious. Original public disclosure (which looks like it may have been made prematurely) is here: https://t.co/2WKp7siSSi [t.co] https://t.co/cnfixxFuTP [t.co]

— Troy Hunt (@troyhunt) December 27, 2019 [twitter.com]

Improperly secured database

The unsecured data was a copy of the company's production database containing a subset of its users' information. Wyze created it to "measure basic business metrics like device activations, failed connection rates" by querying the number of connected devices, connectivity errors, and more.

"Queries such as these are expensive in terms of computer resources and they would have impacted your product experience significantly," Song explained. "For that reason, we created a separate database specifically for processing those heavier requests."

While the exposed database was initially properly configured to protect Wyze's customers, an employee mistakenly removed the security protocols while using it on December 4th.

"We locked down the database in question before we were able to verify it was exposed," Song added. "We did this as a precaution because the published article referenced a database connected to 'Elasticsearch': a search tool that we also used on our query database."

That Wyze had an exposed Elasticsearch cluster was also confirmed by Security Discovery researcher Bob Diachenko [twitter.com], who said that the connected database contained 1,807,201,457 records including log data, API requests, and events.

As per my records, Wyze had huge Elasticsearch cluster publicly exposed. It included 1,807,201,457 records: log data, API requests and events. https://t.co/RtxDLiqPtC [t.co]

— Bob Diachenko (@MayhemDayOne) December 28, 2019 [twitter.com]

Exposed Wyze user information

The Wyze CPO confirmed some of the details about the exposed information published in Twelve Security's December 26 report.

He stated that the unsecured database did contain customer emails and camera nicknames, WiFi SSIDs, Wyze device info, roughly 24,000 tokens associated with Alexa integrations, as well as body metrics including height, weight, gender, and other health info for a small number of product beta testers.

Wyze had the health info of 140 external beta testers stored within the exposed database as part of a limited new hardware beta test.

However, Song added that the database "did not contain user passwords or government-regulated personal or financial information," contradicting the info provided by Twelve Security in its report.

Additionally, Wyze's co-founder also said that "there is no evidence that API tokens for iOS and Android were exposed, but we decided to refresh them as we started our investigation as a precautionary measure."

now. If you are still having trouble logging into your app, please contact our customer support team. https://t.co/WaD9R22ToG [t.co]

— Wyze (@WyzeCam) December 27, 2019 [twitter.com]

Regarding the impact of this security incident, Wyze advises its customers to be wary of future phishing attempts, since one or more third parties could have obtained their email addresses.

As a precautionary measure, Wyze logged out all users by pushing a token refresh and "added another level of protection to our system databases (adjusted several permission rules and added a precaution to only allow certain whitelisted IPs access databases)."
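As an added illustration, not taken from the article or from Wyze's own systems, here is what the measures described above (tightened permissions and an IP allowlist in front of the database) look like as Elasticsearch settings: the weak configuration that leaves a cluster reachable by anyone and unauthenticated, beside a hardened one that binds to a private address, requires authentication, encrypts the HTTP API and refuses connections from addresses outside an allowlist. The addresses, interface and keystore path are placeholders.

```yaml
# ---- Weak configuration (constructed illustration of an exposed cluster) ----
# Listening on every interface means anyone who can route to port 9200
# can read every index, and with security disabled no credentials are asked for.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false

---
# ---- Hardened configuration ----
# Bind only to a private address (10.0.0.5 is a placeholder), never 0.0.0.0.
network.host: 10.0.0.5
http.port: 9200

# Require authentication on every request and encrypt the HTTP API
# (keystore path is a placeholder).
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# IP filtering: only the analytics hosts (placeholder ranges) may reach the
# HTTP API; everything else is rejected before authentication is attempted.
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: ["10.0.0.0/24", "10.0.1.20"]
xpack.security.http.filter.deny: _all
```

The IP filter is enforced inside Elasticsearch itself, so it still applies if someone later changes `network.host`; a host or cloud firewall rule in front of the node is a second, independent layer worth keeping. Neither setting replaces the application-side token refresh the article mentions, which invalidates credentials that may already have been copied.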

As a direct result of these measures, all Wyze customers will have to log back in the next time they need to access their accounts and relink their Alexa, Google Assistant, or IFTTT integrations.


Original Submission