Unprotected Database Leaks Data of Wyze Users
An unprotected database was found to have exposed the data of all Wyze users who created an account before December 26, 2019.
Seattle, Washington-based Wyze Labs is the creator of affordable smart home products that aim to provide users with the same capabilities as more expensive systems. The company’s first product was WyzeCam, a remotely controlled smart home camera.
Following a report last week of an exposed database containing a great deal of information on Wyze users, the company stepped forward and confirmed the leak, while also revealing that it had launched an investigation into the matter.
The initial report on the leak suggested that the database contained usernames and emails of those who connected the smart cameras, along with the emails of those they shared camera access with, a list of all cameras in the home, nicknames of these cameras, device model, and firmware.
Moreover, the leak reportedly included WiFi SSID, internal subnet information, API tokens for access from iOS and Android devices, Alexa tokens for 24,000 users, and personal information such as height, weight, gender, bone density, bone mass, daily protein intake, and other health information for a subset of users.
Immediately after learning of the incident, Wyze pushed a token refresh to all users, forcing them to re-login and re-link integrations with Google Assistant, Alexa, and IFTTT.
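The forced token refresh described above is the standard response when issued credentials may have been exposed: every token minted before the incident must stop working, whether or not it has expired. The following is an added illustration, not Wyze's code and not a description of how Wyze's backend works. It assumes a hypothetical HMAC-signed token format and a per-user "generation" counter stored server-side; bumping the counter invalidates every token issued under the previous value, which is what forces the re-login and re-linking of integrations. The server key and user identifiers are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key (constructed; a real deployment would
# load it from a secrets manager, never hard-code it).
SERVER_KEY = b"constructed-example-key-not-a-real-secret"

# Per-user token generation counter (constructed in-memory store). A token is
# only valid while its embedded generation matches the current value here.
token_generation: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, integration: str, ttl_seconds: int = 3600, now=None) -> str:
    """Mint a signed token bound to the user's current generation."""
    now = time.time() if now is None else now
    gen = token_generation.setdefault(user_id, 0)
    payload = {"sub": user_id, "int": integration, "gen": gen, "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now=None) -> Optional[dict]:
    """Return the payload if signature, expiry and generation all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:
        return None  # expired normally
    if payload["gen"] != token_generation.get(payload["sub"], 0):
        return None  # issued before a forced refresh
    return payload


def refresh_user_tokens(user_id: str) -> int:
    """Invalidate every outstanding token for one user; returns the new generation."""
    token_generation[user_id] = token_generation.get(user_id, 0) + 1
    return token_generation[user_id]


def refresh_all_tokens(user_ids) -> int:
    """Fleet-wide refresh after a suspected leak; returns how many users were bumped."""
    count = 0
    for uid in user_ids:
        refresh_user_tokens(uid)
        count += 1
    return count


def demo():
    """Walk through: tokens valid -> forced refresh -> old tokens dead -> re-login works."""
    t_alexa = issue_token("user-123", "alexa", now=1_000_000)
    t_app = issue_token("user-123", "ios-app", now=1_000_000)
    valid_before = (validate_token(t_alexa, now=1_000_100) is not None
                    and validate_token(t_app, now=1_000_100) is not None)
    refresh_all_tokens(["user-123"])
    dead_after = (validate_token(t_alexa, now=1_000_100) is None
                  and validate_token(t_app, now=1_000_100) is None)
    t_new = issue_token("user-123", "alexa", now=1_000_200)  # user re-links Alexa
    reissued_ok = validate_token(t_new, now=1_000_300) is not None
    return valid_before, dead_after, reissued_ok


if __name__ == "__main__":
    print(demo())
```

The generation check is what makes the refresh effective even for tokens that were copied out of the database and are still within their lifetime; expiry alone would leave a window open until each token aged out.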
The next day, the company revealed that the exposed database, which contains only part of the data stored on the main production servers, was created on December 4, 2019, as part of an “internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.”
The database, the company says, contained customer emails, camera nicknames, WiFi SSIDs, Wyze device information, profile photos, body metrics for a number of beta testers (140 external beta testers), and limited tokens associated with Alexa integrations.
“User passwords or government-regulated personal or financial information” wasn’t in the database and API tokens for iOS and Android did not appear exposed, although they were refreshed as a security measure, Wyze says.
In an update this week, the company revealed that a second unprotected database was discovered after the investigation was launched, adding that it was not a production database either. However, Wyze did not provide details on the type of information included in that database.
The company became aware of the leak on December 26, when a reporter at IPVM.com created a support ticket on the Wyze forums. The breach, however, was discovered by Twelve Security, which claims that the company has ties to Chinese state-sponsored threat groups and that it also sends data to Alibaba Cloud, allegations that Wyze denies.
Wyze says that while it does have an office in China, the majority of its developers, engineers, and employees are located in Seattle. The company notes that it does not do any business with China’s markets or government, and that the team there uses separate servers that do not contain customer information.
According to Twelve Security, there is a connection between Wyze and Kingsoft, which became Cheetah Mobile, and which appears to be connected to Chinese threat groups. Moreover, Twelve Security points out that the founder and former CEO of Kingsoft, Jun Lei, is also the founder and CEO of phone maker Xiaomi.