[BreachExchange] Wyze data leak: Key takeaways from server mistake that exposed information from 2.4M customers

Destry Winant destry at riskbasedsecurity.com
Mon Dec 30 10:19:58 EST 2019


Seattle-area startup Wyze, a provider of home video cameras and other
Internet of Things (IoT) devices, announced on Dec. 26 that it had
been informed of a “data leak” that reportedly exposed the personal
information of 2.4 million of its customers.

The problem arose from “a new internal project to find better ways to
measure basic business metrics like device activations, failed
connection rates, etc.,” writes Dongsheng Song, Wyze co-founder and
chief product officer, in the company’s post.

“We copied some data from our main production servers and put it into
a more flexible database that is easier to query,” he explains. “This
new data table was protected when it was originally created. However,
a mistake was made by a Wyze employee on December 4th when they were
using this database and the previous security protocols for this data
were removed.”

Founded in 2017 by a group of Amazon veterans, Wyze offers a series of
low-priced cameras, plugs, bulbs and other smart-home devices. The
company, based in Kirkland, Wash., has raised $20 million in venture
capital. GeekWire has contacted Wyze for additional comment.

Wyze has expanded beyond its original video cameras into smart plugs
and other IoT devices. (Wyze Image)

To Wyze’s credit, it has been very detailed in describing what
happened, when, why, how, and what the company is doing about it.

A post by Twelve Security claimed that the leaked data included the following:

- User name and email of those who purchased cameras and then connected
  them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device
  model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last
  login time from app, last logout time from app
- API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to
  their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake,
  and other health information for a subset of users

Wyze quoted that list in its original post but added, “We don’t
collect information about bone density and daily protein intake even
from the products that are currently in beta testing.”

In looking over this event, there are ten key security and privacy takeaways.

1) Another argument over “responsible disclosure”

Wyze has been upfront about the manner in which it was informed of the
leak, with little or no time to mitigate the problem before it was
made public. ZDNet’s Catalin Cimpanu summed up the feelings of many
(likely including Wyze) about whether this disclosure was
“responsible” or not.

Catalin Cimpanu at campuscodi
Replying to @campuscodi

This is not how "responsible disclosure" works.

In the past, I've waited weeks for some companies to secure servers.

These guys couldn't wait a f***ing day. Talk about being unprofessional.

14 minutes (my bad, not 9) means you didn't actually care about
disclosure at all

9:15 PM - Dec 28, 2019

These are valid and reasonable concerns. As is often the case
regarding the “disclosure wars,” there likely won’t be any resolution,
but instead a renewed airing of both sides of the argument. Those
supporting the disclosure can and will say the information was public
for a number of days and holding that information back prolongs the
risk. Those against it will say this just wasn’t enough time for the
vendor to take action. Either way, this situation shows that the
disclosure wars will continue so long as there’s no collective
agreement on how to handle these situations.

2) Wyze moved quickly to respond

One thing to Wyze’s credit: they clearly jumped on this fast once it
broke. The company’s post states: “Immediately upon hearing about a
potential breach, Wyze mobilized the appropriate developers and
executives (CEO and CPO) to address the allegations.”

It adds later, “This means that all Wyze user accounts were logged out
and forced to log in again (as a precaution in case user tokens were
compromised as alleged in the blog post). Users will also need to
relink integrations with The Google Assistant, Alexa, and IFTTT.”

This level of response and these steps are reasonable to address the
risks around potentially lost authentication tokens. These are also
actions that will impose a burden on users.

Going back to our first point, people can and will argue how much of
this response is due to the nature of the disclosure. But these are
good, concrete steps, which put security ahead of ease-of-use: Wyze is
risking user frustration for better security.

3) But Wyze is not forcing password resets

One thing that Wyze isn’t doing, however, is forcing password resets
on users. While Wyze has said that passwords weren’t stolen, it’s
often hard to be certain. And if the current situation involving
Amazon’s Ring has taught us anything, it’s that people are regularly
reusing passwords, especially where IoT devices are concerned. Not
forcing a password reset is missing an opportunity to be thorough in
the response to improve overall customer security.

4) This is different and more serious than the Ring situation

Ring has been in the news a lot lately for being “hacked.” As I’ve
noted, the nature of those hacks boils down to the inherent weakness of
relying on passwords. This situation is different because it’s a leak
of data held by Wyze. In fact, it even appears that password
information wasn’t involved.

In this case, even if you’ve used two-factor authentication (2FA), you
still are at risk from this data breach.

If the Ring situation has reminded us of the risks of password reuse
and the overall weakness of passwords as a security measure for IoT,
this breach helps show us the risks inherent to losing the kind of
data used by IoT and health-related devices in the home.

5) This shows what IoT data breaches can mean

By their very nature, IoT devices are integrated into our most
intimate spaces. Cameras in particular represent a major window into
our most protected personal spaces, as we’ve seen in the reactions to
the Ring situation.

Looking at the information that’s potentially lost in this breach, we
get a more concrete sense of what IoT data breaches can mean in real terms.

In particular, Wyze notes that the data loss includes: “List of all
cameras in the home, nicknames for each camera, device model and
firmware. WiFi SSID, internal subnet layout, last on time for cameras,
last login time from app, last logout time from app.”

This data is troubling because it can give very specific information
that can be useful for real-world crime. People regularly name devices
in ways that are descriptive for themselves, not expecting them to be
publicly known. For example, people might name a camera in a child’s
room “Betty’s Room.” Information like this can give an attacker
information about who is in the house, where they might be and where
cameras are going to be placed. All of this can be useful information
for people who want to enter the home for malicious purposes.

One thing that Wyze has not recommended, which I would recommend, is
that users rename their internal WiFi SSIDs, rename their cameras and
potentially reposition those cameras. All these steps can mitigate the
risks of that information now being publicly accessible.

6) IoT health data is VERY personal

Another piece of the exposed data is this: “Height, Weight, Gender,
Bone Density, Bone Mass, Daily Protein Intake, and other health
information for a subset of users.”

Wyze goes to some length to point out that the lost information only
affects a very small subset of their users, specifically “140 external
beta testers.” Yes, that is a very small number of people. But the
information that was exposed is very sensitive and very personal
health information. It’s a reminder of the nature of the data that’s
being handled by IoT and health devices.

7) Similarities to the Capital One Breach

The similarities to the Capital One data breach are striking. In this
case, as Wyze says: “a mistake was made by a Wyze employee on December
4th when they were using this database and the previous security
protocols for this data were removed.”

While this isn’t exactly the same thing that happened with Capital
One, in both cases you have data that was accessible in the cloud
without appropriate security protections due to human error. It’s also
notable that in both cases, auditing and monitoring failed to catch
the misconfiguration.

Both of these cases are a reminder that, unfortunately, when things
are deployed to the cloud, the risks of exposure and breach are
frequently greater. And in terms of IT operations and practice, the
controls and countermeasures often aren’t as robust and mature for
cloud deployments as they are for traditional “on premises”

8) Speed kills

For startups, there are two lessons, as well. One is cautionary and
the other potentially positive.

First the cautionary tale: speed kills.

Once again, to its credit, Wyze is open about what happened, and
there’s a very clear message for startups. From the company’s posting:
“To help manage the extremely fast growth of Wyze, we recently
initiated a new internal project to find better ways to measure basic
business metrics like device activations, failed connection rates,
etc. We copied some data from our main production servers and put it
into a more flexible database that is easier to query.”

Two things happened here that are common for startups. First, the
company experienced sudden, fast growth. Second, it moved quickly to
address the implications of the growth.

As noted above, it was during this “fast move” that, at some point,
the security that had protected the data was removed by an employee.

It’s great that Wyze was able to move fast to address issues related
to their fast growth. But this is also a reminder that speed can kill.
Mistakes happen when things move fast and there’s little checking.
This is a risk that all startups face and should be conscious of.

9) Speed can save you

Of course, the speed that can kill you as a startup can also save you.
The fast response that we see from Wyze is an example of the speed
startups can achieve. Another positive aspect of this speed is shown
in the statement that it is going to “bump up priority for user-requested
security features beyond 2-factor authentication”.

If we compare and contrast this with Ring’s response to its current
situation, the difference is stark. Ring has made no announcements of
any major plans to improve security capabilities in the wake of
stories of Ring devices being hacked. By contrast Wyze has committed
early and openly to reworking their prioritization of new
user-requested security features.

Here too is another lesson for startups: use the speed and agility
that being a startup gives you to move quickly to turn disadvantage
into advantage.

10) Alarmist reactions over data and China

In its post, Wyze very clearly refuted the claim that it is sending
data to Alibaba’s cloud in China. A question and answer in the post
speaks directly to this:

Is there validity to the claim that Wyze is sending user data to China?

Wyze does not use Alibaba Cloud. The claim made in the article that we
do is false.

It goes on to note that the company has employees and manufacturers in
China, but “Wyze does not share user data with any government agencies
in China or any other country.”

The fact that this claim was made and Wyze feels a need to refute it
points to another takeaway: there is an emerging, almost “McCarthyite”
trend lately to imply or allege that tech companies with ties to China
are storing data in China and/or sharing data with the Chinese
government. We’ve seen similar insinuations in regards to TikTok as

Partly, this represents the sort of speculation that can fill a vacuum
when companies don’t provide clear information themselves about where
they store their data. A few years ago, people, especially in Europe,
were concerned about data being stored in the United States and its
possibly being subject to seizure under the Patriot Act. Now, people
are concerned about data being stored in China and accessible by the
government there.

One thing companies can do to mitigate this concern is to be open
about where they store data.

Beyond that, though, there is clearly heightened concern now about
data being stored and shared with China, and that concern is
manifesting in claims and insinuations about data being stored or
shipped there.

The Wyze breach is a serious one. And Wyze deserves credit for doing a
lot of things right, quickly, in response. But as we dig into it more,
we can see that this situation raises a number of issues around IoT
devices, data storage, security and incident response.

We can all learn from this, which is one reason why it’s so good that
the Wyze team has been open and up front about the situation: it helps
the industry learn and grow collectively. And because Wyze is a
startup, its experience and response have particular lessons for other
up-and-coming companies in the IoT space.

Update: Wyze disclosed an additional issue in a Dec. 29 update to its post.

We have been auditing all of our servers and databases since then and
have discovered an additional database that was left unprotected. This
was not a production database and we can confirm that passwords and
personal financial data were not included in this database. We are
still working through what additional information was leaked as well
as the circumstances that caused that leak.

We’ve also clarified our post above to note that Wyze says it doesn’t
collect information about protein intake or bone density, contrary to
a report that said such data was included in the leak.
