Data from 2.4 million Wyze Labs users accessed for three weeks
A security vulnerability at smart home manufacturer Wyze Labs made the data of more than 2.4 million users accessible to unauthorized persons for three weeks. The data was contained in an unsecured database linked to an Elasticsearch cluster.
The American company Wyze Labs itself confirmed the data breach, which lasted from December 4 to 26, in a forum post. The leak was discovered on Boxing Day by the security firm Twelve Security. According to this company, a large amount of data belonging to more than 2.4 million users was completely unprotected during the three-week period. There are no indications that the data has actually been misused.
These included the usernames and email addresses of Wyze smart camera owners, the email addresses of everyone the cameras were shared with, lists of all the cameras in the home (complete with nicknames, model and firmware version), Wi-Fi network SSIDs, and Alexa tokens for some 24,000 people who had connected their Wyze camera to Amazon’s voice assistant.
According to Twelve Security, various kinds of health data from a smaller group of users were also accessible, such as height, weight, gender and bone mass. According to ZDNet, these reportedly came from a small group of users who were testing a connected scale that had not yet been released. The security company noted that, “coincidentally”, no data from users in China had been leaked. About a quarter of those affected live in the Eastern Standard Time zone. The leak mainly affected users in the US, UK, United Arab Emirates, Egypt and parts of Malaysia. Users’ passwords and financial information were reportedly not leaked.
Twelve Security also says it has clear indications that the data was being sent back to Alibaba Cloud in China. The security company further states that Wyze suffered a similar leak six months ago. Partly for this reason, the security company did not warn Wyze before disclosing its findings. Whether it was intentional espionage or gross negligence, it is a malicious act that must be investigated further by US authorities.
In a forum post, Wyze co-founder and chief product officer Dongsheng Song disputed the claim that data had been sent to Alibaba Cloud. He also denies that the company suffered a similar security breach six months ago. Song further says the company has taken measures to protect the database from unauthorized access again. As a result, Wyze users will need to log in again the next time they use their products and, where applicable, re-establish their links to Alexa, Google Assistant, and IFTTT.