I'd like to move on from Wyze, but I did lock myself and the company in by posting this title in advance. So let me just dump everything I know via paragraphs below. Please note, this blog is moving to https://notes.12security.com as I think the security of the Blogger platform is considerably higher than that of Ghost for the time being. This site will still be reserved.
- What's the gist of all these posts? Basically the summary is Xiaomi, this major phone manufacturer in China, is trying to dominate the world's IOT platform / market. They are doing this by creating dozens of poorly constructed shiny products marketed through dozens of shell companies. This facilitates the kind of odd notion of Chinese economic warfare (yet still very effective) and also provides a massive area of operations for intelligence collection and espionage. So with Wyze, another cookie cutter company to compare them to would be IMOU. You've never heard of them because while Wyze only retails in the US, IMOU only sells in Europe.
- The subtitle after each post references a known malicious hosting company. Not connected to Wyze per se. The best way to look these up en masse is by visiting https://transparencyreport.google.com.
- You mentioned automated hacking and stuff but I can't detect anything on Wireshark... This is because you need to be looking at Bluetooth and in some cases even more exotic frequencies. Look around the 2.4 MHz range and below. It helps to have the Ubertooth One. Really this is more of a chip issue and future investigations should focus on Cypress and Ingenic. If you have the HackRF, which has an amazing 1 MHz to 6 GHz range, you are truly all set.
- Do you hate Wyze? No, but if I were to name names of who I have the least sympathy for it would be Dave Crosby, who is kind of the epitome of the US businessman who has stabbed America in the back to send jobs overseas to be instead done by slaves with no human rights. Also Girish Sood because he promoted Wyze as a marquee AWS customer just 2 months before all this at 2019 AWS re:Invent in Las Vegas. This goes against both the concept of being good at your job as well as the 14 Amazon Values.
- Could someone have watched the camera feed or intercepted / stored long term the videos the cameras were taking? ABSOLUTELY YES. This point is completely irrefutable. Additionally there would have been MULTIPLE ways to do this. The easiest, most direct route, would have been to simply intercept requests going from your phone or an Alexa device and swap out your tokens with tokens from the logging servers. This is at a technical level somewhat indistinguishable from getting access to user passwords. To get a feel for what this looks like, download Charles Proxy if you have iOS, Windows, or Mac. This is a "forward proxy" that gives you an idea of the concept of proxying and the intercepting of traffic.
- Anything else Wyze is guilty of? Maybe. Illegal technology transfer most likely. Their core engineering team is made up of a probably not coincidental number of core Amazon Kinesis and AWS IOT engineers. These are the services Wyze most consumes, and surprisingly, ones they've had enormous difficulty getting right from what I can tell of their architecture. Since building their architecture should have been a cinch with AWS tooling, my only other guess is they were trying to rebuild AWS tools from the ground up. This explains the horribly poor execution for what otherwise should have been mature and quick to set up PaaS tools. Additionally, the fact that the Wyze camera pretty much looks identical to the AWS DeepLens camera I think is not a coincidence, and a teardown of both did not dispel that notion for me. Most laughably, the domain http://deeplens.net, which is used as part of the AWS DeepLens setup while on your local network, apparently resolves to Alibaba Cloud if you mistakenly enter it in your browser.
- In regards to #6, I actually think Amazon is the true at-fault party here. At the end of the day, they were the ones promoting Wyze on stage, they were the ones who let their own hires go to this company, and they were the ones closely collaborating with Wyze. Furthermore, both companies were right next to one another in Seattle. There simply was no reason for Amazon not to know, and they certainly had the resources to make such investigations possible. If Wyze makes the case that Amazon led them astray, or at least was so laughably negligent in verifying their architecture that they deserve the greater blame, I might find myself agreeing.
- Did you make any money off of this? Considering I haven't worked in a couple months to finish up the research I've probably lost around $30,000 or so. As a DevOps Engineer it's unlikely I will ever earn more than simply being an individual contributor. If this company continues it will be motivated by my deep resentment of the last 40 years of incompetent and unethical business activity.
- Will fill in more details as I get complaints and questions on Twitter. Depends on what people are interested in. Might go to a few more numbers.