If you’re wondering why your Wyze plugs stopped responding to voice commands last night, it’s because the smart home supplier logged everyone out after accusations of a dubious data breach. Details are thin and little has been confirmed, but if you’re using Wyze products, know for now that you’ve been logged out and that you’ll have to reconfigure Alexa skills and Google Assistant integration.
Update, 12/28: Wyze confirmed that the data breach did, in fact, happen, though on a much smaller scale than the original reports claimed. Some user data was exposed between December 4th and 26th.
The company detailed what happened in a lengthy post on its forums, but the long and short of it is that some data was moved to a testing database and left exposed. The data was initially secured but the protocols were accidentally removed by a Wyze employee who was working with the test database on December 4th.
No passwords, personal data, or credit card details were exposed during the period in which the data was unprotected. The exposed data did, however, include emails, camera names, SSIDs, Wyze device information, and “body metrics for a small number of product testers” who were beta testing what is presumably the previously leaked Wyze Scale. Some tokens associated with Alexa integrations were also included.
As detailed in the original post below, Wyze logged all users out and reset Alexa/Assistant integrations as a precaution before it ever confirmed the breach, which was the right move. The company said that it’s currently looking into the event to find out how this happened in the first place.
Since the original reports positioned the info in a way that suggested this was a much bigger breach than it actually was, Wyze went on to debunk the absolute falsities raised:
“Several of the things that have been reported are not true. We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing. We did not have a similar breach 6 months ago.”
Ultimately, this was an issue within Wyze and has since been handled. But in the big picture, this was a relatively minor issue since no passwords, personal information, or payment data was compromised.
Update x2, 12/30: Wyze reported on 12/29 that a second leaky database was found by a community member, who privately reported the issue to them. It’s unclear what sort of data was contained here, as the company said it wasn’t a production database, though it was confirmed no passwords or financial data was stored on this database. It has since been secured.
The company is working on an email to notify all affected users of the breach.
The original report is left intact below.
What happened? Well, that part still isn’t entirely clear. An anonymous author on Twelve Security, a supposed security consulting company in Texas, published an article yesterday describing a “massive” data breach for Wyze smart home products. The blog post alleges that Wyze’s production databases were “left entirely open to the Internet” and ultimately leaked loads of sensitive information about the company’s 2.4 million users.
The allegedly leaked information includes the usernames and email addresses of folks who purchased Wyze cameras and connected them to their homes. It also supposedly contains the nicknames for those cameras, email addresses of users who have received shared access, network details such as WiFi SSIDs and subnet layouts, biometric data from a subset of users, and more. It’s worth mentioning that at the very least, user passwords aren’t alleged to be a part of this leak.
Here’s all of the supposedly leaked data:
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
But here’s the thing: beyond some dubious screenshots, there’s absolutely no proof that any of this is true.
Wyze has responded to these claims in a forum post on its website, and the company says that so far it hasn’t been able to confirm any kind of data breach. Although it can’t confirm a breach has occurred, Wyze logged everyone out of their accounts (in case user tokens were actually compromised as mentioned above). Along with logging back in, you’ll have to relink integrations for smart assistants such as Google and Alexa. Wyze also tweaked some permissions on its databases and is only allowing access from certain whitelisted IP addresses.
Wyze is also trying to communicate with the author of that Twelve Security blog post and the company is waiting on a response via email because the site’s phone number doesn’t accept inbound calls. That’s just one part of how strange this disclosure has been. Twelve Security only has three whole blog posts, one of which accuses Credit Karma of ad fraud, while another promises to delve into “China’s FBI.” When you Google the security firm’s address (5052 Rogers Road, San Antonio, TX 78251) it just shows an intersection with nothing on it. Hardly confidence-inspiring. The whole thing is beyond questionable.
Separately, another small-time blog called IPVM has published an article claiming proof of the breach, including screenshots of the leaked data. If there has truly been a breach, there were more responsible ways to approach disclosure—the fact that Twelve Security decided to go public instead of contacting the company is just irresponsible. Really, this reads like an attempt at publicity for Twelve Security or an attempt to damage Wyze’s reputation. But again, that’s speculation.
And so far, Wyze hasn’t given us any reason to doubt its transparency. For starters, mass-logging everyone out feels like an acknowledgment and a sign that the company is taking this seriously, since it will inevitably draw people’s attention to the issue. The company has also been quick to address (and verify) issues in the past. If anything, the legitimacy of these blog posts is questionable—not Wyze’s response or transparency.
For now, what we can say for sure is that this is unfortunate timing, both for everyone who just purchased and set up their new smart home gear for Christmas, and probably for Wyze, which is likely working with limited staff at the moment given that holiday vacations are in full swing.