- A substantial number of the videos taken with Wyze in the United States have been exfiltrated to China for study and distributed to a variety of companies in the mainland. Many are involved in the healthcare space, such as iHealthLabs.
- Wyze cameras automatically begin scanning a user's network environment once plugged in and begin initiating a series of automated hacking attempts against devices in a user's home.
- All Wyze devices allow Wyze, or anyone who has accessed their database within the last 10 months, to SSH tunnel into the devices from anywhere in the world.
- Nearly every other IP Camera brand I tested from China, which were quite a few, along with *dozens* of other brands tested by other researchers seem to do the same thing.
- Finally, the Wyze security fixes discussed on January 6th are kind of...totally worthless.
Amazon is specifically liable for at least some of the actions of Wyze, assuming they do not both conduct an investigation internally into their employees and disclose some of this information to the public so that the public can later verify the claims of what was investigated. This is because:
- Wyze spoke at AWS re:Invent two months ago in Las Vegas. Two engineering leaders at Wyze spoke, along with Girish Sood, the Senior Product Manager for Kinesis Video Streams. For the technical crowd the implications of this video are enormous, and Girish Sood should be suspended (with full pay) from Amazon pending an investigation, along with the Lead Solutions Architect from the Sales Team. To see this level of promotion of a radically insecure customer at the highest corporate levels is shocking.
- If AWS does not do this, I would interpret that as Jeff Barr and Andy Jassy, the former of whom I will email tonight, saying they pay for horrible legal advice from idiots. I would also add that it would say (I do not believe this at all about their real thoughts, but corporations are weirdly stubborn to a shocking degree) that they would rather take the chance that American naval military personnel could be killed than launch an internally directed investigation that they have full control over anyway, that can be wrapped up quickly, and that is much nicer than anything the FBI could offer.
- Besides the naval data that is going to be talked about in just a second, two companies also come into play that merit the above. COSCO, an enormous military contractor for the Chinese Navy, and Autel Robotics, a drone company that is currently attempting to make unmanned autonomous military drones. Wyze leadership has connections to both.
Regarding the somewhat shocking claim made just a second ago:
- An SSH key fingerprint was found on a Wyze server. This same fingerprint was also found on a server that is now being reviewed by the Times of London. The data could belong to Wyze, but more likely seems to be someone who simply accessed their servers for a period of time. There are Wyze connections that I have alluded to and will talk about in regards to the US Navy, but again please note the subtle difference here over what belongs to who that I made.
- Some of the data mentioned below is absolutely classified, is concerning, and merits an investigation of some of the members of the media, I think, in the US. Some is simply information that has been scraped off the public internet and then preserved and curated at great cost for a long time. Given the size, aggregation, and content, along with the fact that some is classified information, only those who are delusional or specifically want more US military members killed at a future point in time would disagree with me. The Times is going to be supremely mad I mentioned this, but as they are not American citizens I think the prerogative lies with me to some extent, and they can begrudgingly confirm most of the following immediately and all of it within the next several days. The company Crowdstrike also has access to this server and will confirm.
- ...This server had detailed information on nearly every aspect of the United States Navy. This includes the radar signature of every ship in service currently, the amount of serviceable aircraft included on each ship, the schedule of patrols of naval vessels throughout the world, the list of US Navy personnel on each ship, specific electrical and voltage information on communications equipment and battery-powered UUAVs on each ship, the width in terms of calibers of every vessel's onboard artillery along with exact amounts of ammunition available for each as of mid-2019, contractors for the Navy and subcontractors of those contractors, detailed specifications of the nuclear reactors on each ship or submarine, and classified countermeasures for drones to evade the Phalanx Close-In Weapon System.
- The fingerprint on the Wyze server also led to Tsinghua University. This university in Beijing is the site of some of the most skilled and daring hacking episodes that have come from China. In particular the firm, Tsinghua Bitway, which was founded in 2009 by the son of the former president of China, Hu Jintao, owns a particular server that it was connected to. This firm makes an exotic array of networking gear, and brags in various places online and at Tsinghua University's website, about their military connections with the People's Liberation Army. This server was also implicated, in data reviewed by the Wall Street Journal and that they will confirm, in the hacking of Mercedes Benz China. Whether or not Daimler in Germany was hacked is an open, unanswered question, although additional servers of Bitway were found running in Germany under Hetzner's hosting services.
How were some of these conclusions above and below reached? This was done via a triple confirmation of the data via:
- AWS CloudTrail log files
- MySQL Logs
- API server logs
Very rarely in life do I think we have this level of confirmation in terms of data provided, in addition to the certainty of mathematics (such as the feature in AWS CloudTrail that lets you know if any logs have ever been modified by checking the checksums of data over time). Additionally, at times even 4th and 5th levels of confirmation could be gained, such as via SSH keys like those discussed above, and things like historical DNS records provided by Security Trails.
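As an added illustration of the CloudTrail integrity mechanism referred to above (this is example code written for this post, not code from the original author or from AWS, and it never calls AWS): a simplified model of how CloudTrail log file integrity validation works. Each digest file records the SHA-256 hash of every log file delivered in its window and the hash of the previous digest file, so a modified log, a modified digest, or a digest removed from the chain all surface as a mismatch. Real digest files are additionally RSA-signed with a per-region CloudTrail public key, which this model leaves out; the account id, object names and log contents are constructed sample data.

```python
import hashlib
import json

ACCOUNT = "111122223333"  # constructed sample account id

# Constructed sample log files, keyed by S3 object name (contents are made up).
LOGS = {
    "log-0001.json": b'{"Records":[{"eventName":"DescribeInstances","eventTime":"2020-01-10T00:05:00Z"}]}',
    "log-0002.json": b'{"Records":[{"eventName":"GetObject","eventTime":"2020-01-10T01:10:00Z"}]}',
    "log-0003.json": b'{"Records":[{"eventName":"DeleteTrail","eventTime":"2020-01-10T02:15:00Z"}]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_store, log_keys, prev_key, prev_bytes):
    """Build one digest record over the given log files, chained to the previous digest.
    Field names follow real CloudTrail digest files; this simulates what CloudTrail writes."""
    digest = {
        "awsAccountId": ACCOUNT,
        "logFiles": [
            {"s3Object": k, "hashValue": sha256_hex(log_store[k]), "hashAlgorithm": "SHA-256"}
            for k in log_keys
        ],
        "previousDigestS3Object": prev_key,
        "previousDigestHashValue": sha256_hex(prev_bytes) if prev_bytes is not None else None,
        "previousDigestHashAlgorithm": "SHA-256" if prev_bytes is not None else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def build_sample_chain(log_store):
    """Three digests, one log file each, every digest pointing at the one before it."""
    d1 = build_digest(log_store, ["log-0001.json"], None, None)
    d2 = build_digest(log_store, ["log-0002.json"], "digest-0001.json", d1)
    d3 = build_digest(log_store, ["log-0003.json"], "digest-0002.json", d2)
    keys = ["digest-0001.json", "digest-0002.json", "digest-0003.json"]
    return keys, dict(zip(keys, [d1, d2, d3]))


def verify_chain(digest_keys, digest_store, log_store):
    """Walk digests oldest to newest; return a list of integrity findings (empty = clean)."""
    findings = []
    prev_key, prev_bytes = None, None
    for key in digest_keys:
        raw = digest_store[key]
        d = json.loads(raw)
        # 1. Chain link: this digest must name the digest just verified and carry its hash.
        if d["previousDigestS3Object"] != prev_key:
            findings.append(f"{key}: chain gap, expected previous {prev_key}, "
                            f"got {d['previousDigestS3Object']}")
        elif prev_bytes is not None and d["previousDigestHashValue"] != sha256_hex(prev_bytes):
            findings.append(f"{key}: previous digest hash mismatch (digest file modified)")
        # 2. Every log file must still hash to the value recorded when the digest was written.
        for lf in d["logFiles"]:
            obj = lf["s3Object"]
            if obj not in log_store:
                findings.append(f"{obj}: log file missing")
            elif sha256_hex(log_store[obj]) != lf["hashValue"]:
                findings.append(f"{obj}: log file modified after digest was written")
        prev_key, prev_bytes = key, raw
    return findings


def check_untampered():
    keys, digests = build_sample_chain(LOGS)
    return verify_chain(keys, digests, LOGS)


def check_modified_log():
    """Someone rewrites a delivered log file after the digest covering it was produced."""
    keys, digests = build_sample_chain(LOGS)
    tampered = dict(LOGS, **{"log-0002.json": b'{"Records":[]}'})
    return verify_chain(keys, digests, tampered)


def check_removed_digest():
    """A digest file (and its window) is deleted; the next digest still points at it."""
    keys, digests = build_sample_chain(LOGS)
    return verify_chain([keys[0], keys[2]], digests, LOGS)


if __name__ == "__main__":
    print("untampered:", check_untampered())
    print("modified log:", check_modified_log())
    print("removed digest:", check_removed_digest())
```

The point a practitioner should take from this is that the digest hashes only protect log files delivered after validation was enabled on the trail, and only while the digests themselves are kept; a break in the chain is itself evidence worth preserving.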
Some notes about my experience, some of which have been mentioned previously:
- I have the highest certification possible on AWS with the AWS Architect Professional credential as well as on Google Cloud with the Google Cloud Architect Professional credential.
- I have the two highest credentials one can get in cybersecurity, the CISSP from ISC and the CISM from ISACA. I also have the Cloud Certified Security Professional certification from ISC as well.
- I have nearly a decade of experience in AWS, Cloud Computing, and distributed infrastructure in some form starting in 2011.
Post 1 discussed how the source code that Wyze hosted was found on Kingsoft Cloud: unprotected for anyone to access, with the credentials for the main production database inside, and left open for months. If we were to look at the servers that surrounded this one machine with the source code and credentials on it, what would we find? How would those servers be rated by cybersecurity platforms and intelligence sources? The tool GreyNoise, which is as useful as Zoomeye, BinaryEdge, or Shodan in many ways, rates their environment by showing it deems 40% of all servers hosted by Kingsoft as "Actively Malicious".
FAKE "AWS" CHINA:
Wyze claims to host in AWS China. This sounds like nice normal friendly AWS. This is not really true, and AWS has mostly lost control of authority and decision-making power in China. Not even Andy Jassy, the CEO of AWS, or even Jeff Bezos, can really dictate what goes on there. The Chinese government alone has ultimate control over these servers, and even Apple and Google acknowledge this for the servers they have hosted there. That being said, I think it is more helpful to look at internet threat intelligence platforms, which can show, outside of what I say, how "safe" these platforms really are. BTW, AWS China is really two regions, AWS Beijing and AWS Ningxia. Beijing Sinnet and Ningxia Western Cloud operate each region respectively. As they say on their own website, AWS does not really control, vet, or guarantee these platforms in a substantial way, rather providing "guidance" and "recommendations". Most incredibly, United States users are not allowed under any circumstances to sign up for AWS China or test the two regions. I am blocked as a US citizen from accessing these services. Why should Wyze be able to use Chinese developers in China who can use the AWS US Cloud, when for an American company to do the reverse would be both illegal and simply not possible?
This post is short, but if the internet keeps working where I am I will follow up with another more detailed one tonight; I wanted to get this out the door. So let me say the following just for now: these conclusions are mathematically irrefutable in many parts. Additionally, there is 0 financial incentive for me to make these claims. Having journalists call you is nice and is definitely worth something, but as a software engineer it won't match what you could simply earn via a full-time job or even a contractor position. Nor does the PR give a company the ability to magically generate equivalent revenue after expenses. Also, as I financed most of this and the business itself via a liquidation of all stocks, options, and bonds I owned (along with the small but still substantial amounts in my 401k and Roth IRA, at significant penalties), there is nothing there to be gained either.
I will improve this post over time and make sure to keep copies of the changed posts for the sake of evidence for claims made. At the very least to add more links.
CLAIMS IN FUTURE POSTS:
Some information in future posts will be slightly altered to protect data sources because of the sensitive nature of things disclosed there. In some cases I have been asked directly to do this. Additionally, some claims, which I cannot be certain of, I will make sure to note at either the 60% or 80% confidence level. These claims could in fact be wrong, but if I get 9 facts right out of 10, that does not change anything. Do not fall for the trap of reading a comment with a huge quibble about some small fact, which I promise you your brain will always fall for if you read enough of these things (even to me on my own post), and then thinking that quibble takes away from the 9 other "omfg what is going on, something horribly bad is happening" claims made elsewhere. If I am right, the consequences for many are incredibly severe. If I am wrong, I am just another crazy person on the internet and you can go about your day. I think, because of the nature of the data and the seriousness of all this, because of my experience, and because of the lack of any crazy stock-market-shifting profit motive, these posts should be read as true and investigated as such for a brief amount of time. That is not something owed to me, but I think to anyone who is concerned about human rights and the ability to harm US Naval vessels. Skepticism at one time was a mark of intelligence, but I think within the last decade skepticism is much more a tool of the status quo to preserve power and should be seen with much suspicion. It would strike me as incredibly odd why anyone would look at these claims and go on the attack against this company instead of being concerned, erring on the side of caution, and asking for a 30 minute investigation from AWS at the very least. Again, if I am wrong, there will be plenty of consequences and "internet justice" later.
BRIEF SETUP FOR POST LATER TOMORROW:
Vultr and Choopa are really hosting providers/registrars that provide cover for the Chinese, as well as other governments they choose to allow, to perform hacking and cyberattacks around the world. This would be why there has been repeated mention of these companies in user reviews across Amazon US/UK/Germany, on Reddit, and on the Wyze Forums themselves.
Psychz, SharkTech, and DCSManage (one of the most laughably fake front companies I am aware of to date) are also part of this group. Bill Gertz has previously written about this here. I could name about 30-40 others, as after you look at logs enough you start to see the same names over and over: QTS Networks, UnityMedia, JoesDatacenter, Etheric Networks (which runs a huge, state-of-the-art, recently renovated radio tower in San Francisco), Tucows, and Enom. QTS Networks, via their sister company QTS Data Centers, recently acquired a very large data center in Virginia and inked a deal with Facebook in addition. I should note at this time that QTS Networks makes many of the antenna products for Daimler Mercedes cars. Often one just needs to find these servers' IP ranges, enter a single Chinese character even for ranges that should only be located in the US, and a MAJORITY of the servers will come back as hits. This is suspicious in itself, but if you go to these sites you will find they are obviously fake, serve no purpose, and sometimes hidden behind a few clicks is alarming-looking military and biological science gear. I still do not fully understand their purpose, but will follow up with evidence tomorrow as to their maliciousness.