Wyze originated as a camera company in 2017, establishing headquarters in Seattle, Washington. Their website clearly states (under no uncertain terms), the company is to be close to Amazon and conduct business almost exclusively through them.
Recently, Wyze was breached. Personally, in my ten years of sysadmin and cloud engineering, I never encountered a breach of this magnitude.
Although breaches today are considered "boring," they remain severe and we are led to believe they don't affect us the moment they happen. In this case, both the company's production databases were left entirely open to the internet. A significant amount of sensitive information generated by 2.4 million users, all coincidentally outside of China, was the result.
So what did the information include? The following:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Given this, they owe us an explanation. The database is currently live and open. Anyone can access it. Since there are clear indications that the data is being sent back to the Alibaba Cloud in China, coupled with the fact a similar breach of Wyze occurred only six months ago, a notice wasn't given to Wyze. The author of this post stands by this decision. If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external, and fast investigation by US authorities.
The saga continues... READ PART 2 HERE.