Sign in Subscribe

Wyze Essay 1 - Your Information is Exposed

Recently, Wyze, the fast selling consumer camera company, was breached. Personally, in ten years of sysadmin and cloud engineering, I have never encountered a breach of this magnitude.

Ghost

2 min read

Wyze originated as a camera company in 2017, establishing headquarters in Seattle, Washington. Their website clearly states the company is to be close to Amazon's headquarters and conduct business almost exclusively through them.

Recently, Wyze, the fast selling consumer camera company, was breached.  Personally, in ten years of sysadmin and cloud engineering, I have never encountered a breach of this magnitude.

Although breaches today are considered "boring," they remain severe and we are led to believe they don't affect us the moment they happen. In this case, both the company's production databases were left entirely open to the internet. A significant amount of sensitive information generated by 2.4 million users, all coincidentally outside of China, was the result.

So what did the information include? The following:

  • User name and email of those who purchased cameras and then connected them to their home
  • 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
  • Email of any user they ever shared camera access with such as a family member
  • List of all cameras in the home, the nicknames for each camera, device model and firmware
  • WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
  • API Tokens for access to the user account from any iOS or Android device
  • Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
  • Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users

Given this, they owe us an explanation. The database is currently live and open. Anyone can access it. Since there are clear indications that the data is being sent back to the Alibaba Cloud in China, coupled with the fact a similar breach of Wyze occurred only six months ago, a notice wasn't given to Wyze. The author of this post stands by this decision. If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external, and fast investigation by US authorities.

The saga continues... READ PART 2 HERE.

Sign up for more like this.

Enter your email
Subscribe