Wyze confirmed yesterday that one of its servers leaked and exposed the details of roughly 2.4 million customers. Data exposed included email addresses, nicknames and tokens for customers’ IoT devices as well as WiFi network SSID identifiers.
Who is Wyze?
Wyze is a US company that specializes in inexpensive smart home products and wireless cameras. It sells IoT devices such as smart plugs, smart light bulbs and smart door locks as well as security cameras.
Yesterday Wyze confirmed that the leak occurred when an Elasticsearch system was left unprotected online, exposing the details of approximately 2.4 million customers. Elasticsearch is a search engine used to quickly analyze large volumes of data.
How Did the Server Leak Occur?
According to Wyze co-founder Dongsheng Song, the Elasticsearch server was set up to help Wyze sort through the vast amount of user data it holds. Wyze was looking for better ways to measure basic business metrics such as device activations and failed connection rates.
To do so, some data was copied from production servers to an Elasticsearch server. The Elasticsearch system was not a production system. However, it held real user data, because that data had been copied from production servers.
Initially, the new Elasticsearch database was set up correctly and was fully protected. However, as Song explained in a forum post published at Christmas, “… a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.”
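The failure described above is configuration drift: a node that started out protected had its access controls removed and nobody noticed for weeks. The following is an added example, not Wyze's own tooling, of a small drift check that parses the flat `key: value` lines of an elasticsearch.yml and flags a node whose authentication is off or whose listener is bound beyond loopback; the setting names are standard Elasticsearch ones, and the two sample configurations are constructed for the example.

```python
"""Drift check for Elasticsearch node settings (added example, constructed configs)."""

# Addresses that keep the HTTP API off the network entirely.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_es_yaml(text):
    """Parse the flat 'dotted.key: value' lines of an elasticsearch.yml.
    Deliberately minimal: comments are stripped, nested blocks and lists are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_es_settings(settings):
    """Return a list of findings for settings that leave a node reachable without auth."""
    findings = []
    security = settings.get("xpack.security.enabled", "").lower()
    hosts = {h.strip() for h in settings.get("network.host", "127.0.0.1").split(",")}
    public = not hosts <= LOOPBACK  # any address outside the loopback set
    if security == "false":
        findings.append("xpack.security.enabled is false: no authentication on the REST API")
    elif security != "true":
        findings.append("xpack.security.enabled not set: confirm the default for this version")
    if public and security != "true":
        findings.append(f"network.host={sorted(hosts)} binds beyond loopback with security off")
    if public and settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP TLS disabled on a non-loopback listener")
    return findings


# Constructed sample configs: the node as originally deployed, and the same node
# after its security settings were removed.
HARDENED = """
cluster.name: metrics-analytics
network.host: 10.0.0.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

EXPOSED = """
cluster.name: metrics-analytics
network.host: 0.0.0.0   # reachable from anywhere that can route to the host
xpack.security.enabled: false
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(name, audit_es_settings(parse_es_yaml(cfg)) or ["no findings"])
```

Run against a copy of each node's elasticsearch.yml on a schedule, and alert on any non-empty result; the same checks can be applied to the JSON returned by the cluster settings API.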
What Was Leaked
Cyber security consulting firm Twelve Security discovered the Wyze server leak. The discovery was also independently verified by reporters from IPVM, a blog dedicated to video surveillance products. By the time Twelve Security discovered the leak, the Elasticsearch database had been left unprotected online for 22 days.
The Elasticsearch server exposed details such as the email addresses customers had used to create their Wyze accounts and the nicknames users had assigned to their Wyze security cameras. Also exposed were WiFi network SSIDs and the Alexa tokens of 24,000 users, used to connect Wyze devices to Alexa devices.
The Elasticsearch database did not contain user passwords or government-regulated personal or financial information, so this data has remained protected.
Wyze Response to the Server Leak
As soon as Wyze became aware of the leak, it immediately restricted access to the Elasticsearch database. Wyze also immediately began an internal investigation into how the leak had occurred.
Furthermore, although there was no evidence that API tokens for iOS and Android devices had been compromised, Wyze nonetheless decided to refresh these as a precautionary measure. Song also stated that “We also unlinked all 3rd party integrations which caused users to relink integrations with Alexa, The Google Assistant, and IFTTT to regain functionality of these services. As an additional step, we are taking action to improve camera security which will cause your camera to reboot in the coming days.”
Wyze has also advised customers to change their passwords and to enable two-factor authentication in the Wyze app.