Seattle-based Wyze has just experienced a leak that one Twelve Security researcher is calling the biggest breach in their ten-year stretch of sysadmin and cloud engineering. The breach involves 2.4 million users of Wyze's budget-friendly security cameras. But it didn't include the kind of data that might be expected, according to the researcher.
Instead of just leaking security camera footage, the breach included a plethora of personal data and exposed that to the entire internet via an open-access database.
All of the data was, “coincidentally,” from users outside of China and was left on a live database. But all of the data is reportedly being filtered back through Alibaba Cloud in China. As of December 26, when the researcher wrote their article, the database was still active and accessible.
Wyze wasn’t made aware of the breach directly, either. The company had, the researcher writes, another breach just a few months back. That leak bore a lot of similarity to the newest one. That may warrant a deeper investigation by US authorities. In fact, according to the researcher, this breach requires it irrespective of whether the “malicious act” boils down to “intentional espionage or gross negligence.”
What’s included in the breach?
There is quite a lot of information that was revealed by Wyze via this security leak, and it goes well beyond what might have been taken from a few clips of video. To begin with, it includes the user names and email addresses of people who have purchased Wyze cameras and connected them in their homes. The email addresses of people those users shared camera access with were made public as well.
That's on top of a list of every camera in a home, those devices' nicknames, device models, and firmware versions.
Wi-Fi SSIDs and internal subnet layouts were part of that as well, along with login and logout times and when the cameras were last on. API tokens were included, meaning that a bad actor could potentially log in from any device once the user had logged out.
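The API token exposure described above is the kind of risk a server-side token design can limit. As an added example, not code from the article or from Wyze, the following hypothetical token store persists only a SHA-256 digest of each token (so a leaked copy of the table does not yield a replayable credential), marks tokens revoked on logout (so a token captured earlier is rejected afterwards), bounds token lifetime with an expiry, and offers a per-user bulk revocation for incident response. All names, values and the in-memory "table" are constructed for illustration.

```python
import hashlib
import secrets
import time

# Hypothetical server-side API token store (constructed example, not Wyze's design).
# Only the SHA-256 digest of a token is persisted; the raw token is returned to the
# client once and never stored, so a dump of this table is not replayable.


class TokenStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        # digest -> record; this dict stands in for the database table
        self._records = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, device_id, now=None):
        """Create a new bearer token and return the raw token to the caller."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "user": user_id,
            "device": device_id,
            "issued": now,
            "revoked": False,
        }
        return token

    def validate(self, token, now=None):
        """Return the user id if the token is live, otherwise None."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return None
        if now - rec["issued"] > self.ttl:
            return None  # expiry bounds the useful window of any leaked token
        return rec["user"]

    def logout(self, token):
        """Revoke on logout so the token cannot be replayed from another device."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def revoke_all_for_user(self, user_id):
        """Incident response: invalidate every live token of one user after a leak."""
        count = 0
        for rec in self._records.values():
            if rec["user"] == user_id and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def leaked_rows(self):
        """What an attacker would see in a dump of this table: digests only."""
        return list(self._records.keys())


def demo():
    """Walk through the four properties; returns a tuple of booleans, all True."""
    store = TokenStore(ttl_seconds=60)
    t = store.issue("user-1", "phone-a", now=1000.0)
    valid_before = store.validate(t, now=1010.0) == "user-1"
    # A dumped row exposes the digest, not the token; presenting the digest fails.
    dump = store.leaked_rows()
    digest_not_usable = store.validate(dump[0], now=1010.0) is None
    store.logout(t)
    rejected_after_logout = store.validate(t, now=1020.0) is None
    t2 = store.issue("user-2", "phone-b", now=2000.0)
    expired = store.validate(t2, now=2100.0) is None
    return valid_before, digest_not_usable, rejected_after_logout, expired


if __name__ == "__main__":
    print(demo())
```

The design choice that matters for this breach is the hashing at rest: a database row that holds the digest rather than the token gives a reader of the dump nothing to present to the API, and revoking on logout closes the window the article describes, where a token remained usable after the user had signed out.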
For one percent of users, or around 24,000 accounts, Amazon Alexa tokens were made visible too. The cameras are exclusive to Amazon and link with Alexa-enabled devices, which potentially widens the exposure and attack surface to include other Alexa devices.
Finally, the researcher says that health metrics were made public too. The associated information included not just height, weight, and gender for users, but much more, such as bone density, body mass, and daily protein intake, among other things.
What is Wyze saying in its defense?
The largest group of users, around 24 percent, is in the EST timezone, but others are scattered across other US areas, Great Britain, the United Arab Emirates, Egypt, and Malaysia. Because of the scope of the leak, the security researcher not only wrote up the report calling for investigations; they are also calling out Wyze for the breach and demanding an explanation on behalf of users.
The IoT smart camera company has responded in the interim via its official blog.
Wyze says that it is actively investigating the breach and, as recently as December 29, has found additional databases that were compromised. It will investigate further to determine the exact cause of the leaks and notify the customers who were impacted.