Wyze, a company that produces various smart devices (surveillance cameras, smart plugs, bulbs, door locks and so on), has reported a data leak affecting 2.4 million users.
The leak happened because one of the manufacturer's internal databases (Elasticsearch) was accidentally exposed to the public internet. Wyze representatives admit that they do not use Elasticsearch in production at all, yet the server nevertheless held real customer data:
“To cope with the extremely active growth of Wyze, we recently launched a new internal project, looking for more effective ways to evaluate basic business metrics, such as device activations, the frequency of failed connections, and so on. We copied some data from our main production servers and placed it in a more flexible database, which is easier to access. This new database was protected when it was created, but a Wyze employee made a mistake: on December 4, when he used this database, the previous security protocols were removed. We are still studying this incident to find out why and how it happened.”
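The condition described above, an Elasticsearch node answering without credentials, is easy to check for your own clusters. The following is an added example written for this article, not code from Wyze or from the original report: a stdlib-only Python probe that sends an unauthenticated `GET /` to a node and classifies the answer. The target host, the default port 9200 and the two sample responses at the bottom are assumptions constructed for the demonstration.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access.

Added example, not part of the original article or Wyze's own tooling.
Assumes the node speaks plain HTTP on port 9200 (an assumption; adjust
the scheme and port for your deployment).
"""
import json
import urllib.error
import urllib.request


def classify_response(status, headers, body):
    """Classify one HTTP response to an unauthenticated GET / on a node.

    Returns one of:
      "open"      - node returned cluster/version info with no auth challenge
      "protected" - 401/403 or a WWW-Authenticate challenge: security enforced
      "other"     - reachable, but not recognisably an open Elasticsearch node
    """
    has_challenge = any(k.lower() == "www-authenticate" for k in headers)
    if status in (401, 403) or has_challenge:
        return "protected"
    if status != 200:
        return "other"
    try:
        info = json.loads(body)
    except ValueError:
        return "other"
    # An unauthenticated Elasticsearch root answer carries a "version" block
    # and the well-known tagline; anything else is not treated as open.
    if isinstance(info, dict) and "version" in info and "tagline" in info:
        return "open"
    return "other"


def probe(host, port=9200, timeout=5):
    """Send GET / with no credentials and classify the answer.

    Network failures are reported as "unreachable". That is not evidence of
    protection, only that this probe could not talk to the node from here.
    """
    url = f"http://{host}:{port}/"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:
        # 401/403 and other error statuses arrive here with headers intact.
        body = e.read().decode("utf-8", "replace")
        return classify_response(e.code, dict(e.headers), body)
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real system).
OPEN_BODY = json.dumps({
    "name": "node-1",
    "cluster_name": "metrics",
    "version": {"number": "7.5.0"},
    "tagline": "You Know, for Search",
})
PROTECTED_BODY = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials"},
    "status": 401,
})

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run it against the hosts that carry your copied analytics data, not only the production cluster: a result of "open" on anything reachable from the internet is exactly the state the statement above describes.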
The database is known to have contained the email addresses customers used to create Wyze accounts, the names users assigned to their Wyze cameras, Wi-Fi SSIDs and, for 24,000 users, the Alexa tokens used to connect Wyze devices to Alexa devices.
In the end, the internet-exposed database was discovered not by the company's own specialists but by researchers from the consulting company Twelve Security, and the data was then verified by journalists from the IPVM video surveillance blog. Notably, Wyze representatives are extremely unhappy with how the researchers handled disclosure: the company was given roughly 10 minutes to fix the problem before information about the database was published online.
“IPVM.com journalists first contacted us on December 26 at 9:21, through a support request. The article was published almost immediately after that (the Twitter post is dated December 26, 9:35). It was published in parallel with a blog post by a private security company that also appeared on December 26. We learned about this post at 10:00 from a community member who had read the article,” says Wyze co-founder Dongsheng Song.
In the same statement, Wyze representatives deny that Wyze API tokens were part of the leak, while Twelve Security researchers claimed on their blog that they found tokens which, they said, allowed access to Wyze accounts from any iOS or Android device.
The researchers also wrote that the company collected user data and sent it to Alibaba Cloud servers in China, which the manufacturer likewise denies. Dongsheng Song further addressed why, according to Twelve Security, Wyze collects users' health information: this data was collected only for 140 users who were testing the new Smart Scale product. So the collection of users' height, weight and gender was confirmed, but the company insists it never collected data on bone density or daily protein intake.
In any case, the problematic database has since been taken offline, and Wyze has forcibly logged out all Wyze users and regenerated the Wyze API and Alexa tokens.