Update 12-28-19: Wyze has confirmed that a version of its customer database was, in fact, open for access from December 4 to December 26. This was a copy of portions of the production database, including customer emails, camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations. Wyze confirmed that the copied database had the previous security protocols removed, and Wyze is investigating how this happened during the copy.
What you need to know
- Wyze's database was allegedly publicly exposed to the Internet, a breach reported by a security blog.
- Wyze has yet to confirm the breach but has signed out all users as a security measure.
- The breach was not reported in a responsible manner and leaves several questions surrounding its validity.
Wyze, the maker of affordable home security products, has allegedly suffered a data breach in which 2.4 million customer database records have been publicly exposed to the Internet. Twelve Security ran an article on December 26, 2019, stating that they found an open path to the company's Elasticsearch database which contained some extremely sensitive information including exact home network details, locations of the cameras in the home, and even personal information on users.
In response to the post, Wyze issued a force sign-out of all users connected to its system and tightened its database security within 6 hours of being notified of Twelve Security's post earlier in the day. Wyze states that it was unable to replicate the steps necessary to access its database publicly and has yet to verify that any information was leaked at all. Security website IPVM originally notified Wyze of Twelve Security's post via support ticket and says it has confirmed the exposure, citing several screenshots as evidence.
As it stands, Wyze Camera users will need to log back into their accounts and generate new 2-factor authentication (2FA) codes. Any Wyze cameras that have been linked to Alexa, Google Assistant, or IFTTT will need to be re-linked in order to create a new security token. Users are also encouraged to change their account passwords. Wyze also experienced heavy traffic load over the twelve hours since the database changes were made and had issues with its 2FA servers, but has since ironed those out. Users who had trouble logging into their accounts should no longer have problems, according to the company.
Twelve Security doesn't appear to have responsibly disclosed this breach by reporting it to the offending party first (in this case, Wyze). This has made it difficult to identify how large the breach was before being disclosed and what might have actually been accessed. Wyze is in the middle of an investigation into the breach and has stated that it will report back once it has more information.
My co-worker wasn't logged out of his account.
Honestly, I'm convinced this whole thing is a hoax. Wyze handling this under the assumption this was a real thing is a breath of fresh air, as they definitely seem to care a lot about this and have shown that they are taking the accusation very seriously.
...but the source for this accusation, 12security, they look like a joke. The further you dig into "12security" the more sketchy it gets.
The website domain name was purchased earlier this year from Google Domains (whois.net shows it was created 2019-08-19T22:06:20Z), but the only 3 "articles" on it are all from December of this year, and the other two from before this Wyze one are just ranty, and aren't anything to help 12security's credibility.
Before today there isn't a single listing for this website in the internet archives, the only archives for this website are ones I generated today while researching the site.
The website is powered by Ghost, (http://ghost.io/) which isn't really an issue, lots of professional websites use Ghost, but it's not even been fully set up. The website has a lot of the default stuff still. There is no favicon for the site, the username for the blogposts is the default "ghost", the footer is still linked to the Ghost platform's social page and not their own, and the admin login url hasn't been changed like you'd expect a security expert to do to https://blog.12security.com/ghost which redirects to https://12security.ghost.io/ghost/#/signin.
The only social page that their footer points to that is their own is their twitter, https://twitter.com/securitytwelve which again, does not look like a real security researcher's twitter, and instead looks like a generic anti-china conspiracy account.
The website has a dedicated page for pricing of security consultation, and it's made in the most ******* way possible. "Twelve Security offers the following services. Prices are purposely posted here to intentionally antagonize any vendors/consultants who do not:" which is to me suspicious because it's the very same thing that people (John Wood) are pushing Wyze to pay for.
Their phone number listed, 210-929-6268, is a google voice / google fi phone number that has been put on do not disturb mode. Or at the very least, they're using the EXACT same recorded messages that Google voice / google fi uses. And https://freecarrierlookup.com/ verifies that both my google fi number, and their number show up as a T-Mobile number.
Their website advertises their "services" but does it in a very unorthodox and aggressive way, https://web.archive.org/web/20191227161612/https://blog.12security.com/s...
Their domain is a Google Domains domain, that was only registered this year.
And the "article" that started this all, just read it for yourself. It doesn't follow the industry standard of first reporting the breach to the company to give them a chance to close the breach before making the public aware of it, that is done to protect users from the hackers who would go after Wyze's servers because of the alleged breach.
And that's just what I've been able to stumble across so far.
Dov Chodoff (in the FB Wyze group) also pointed out that their address listed on their site doesn't appear to be a real address https://www.google.com/maps/place/5052+Rogers+Rd,+San+Antonio,+TXemail@example.com,-98.6941998,19z/data=!3m1!4b1!4m5!3m4!1s0x865c42f26e10b70d:0x2d5d5af4383d10a0!8m2!3d29.4771181!4d-98.6936526?shorturl=1
Supposedly these people say 'health information' on some users, including things like height, weight, bone mass, and more, were stolen.
Neat trick, I must have missed that product from WYZE.
Well, Wyze is testing a Smart Scale last I heard, so it's probably trying to reference those users.
Well done, David. You've obviously done your research. I was logged out of my account. Hope you are correct with what you came up with.
Was this article just an ad for Wyze Cam Pan and Wyze Cam?
This is hilarious. Glad to see the company take quick action to protect users, but also would be weird to know that all of that data could potentially be really collected. But good on them for being fast and decisive about their security. And shame on the idiots who made the post for fear mongering and trying to incite a panic...