Wyze confirms massive server leak, 2.4 million users affected
In late December 2019, the popular smart device provider Wyze confirmed it had experienced a server leak that exposed roughly 2.4 million customers' information, ZDNet reported. Wyze sells Internet of Things (IoT) technologies used by consumers and businesses, including security cameras, smart door locks, energy-efficient light bulbs and more. According to Wyze co-founder Dongsheng Song, the leak occurred after an internal database was unintentionally exposed online, allowing unauthorized users to access the following information:
- Usernames and email addresses of customers who connected Wyze products to their homes
- Users' time zones, height, weight, gender, daily protein intake and other health information
- WiFi SSID, internal subnet layout and other device-specific data
- API Tokens for iOS or Android devices
- Alexa tokens for 24,000 users who connected their smart homes to Wyze products
- Email addresses of any users with shared camera access
Using this leaked data, malicious actors could build an accurate profile of all cameras in a user's home or office, including nicknames for each device, model and serial numbers and firmware versions. The server leak is just one of a series of high-profile incidents that have made headlines over the past year and highlights the importance of strong cybersecurity and data architecture practices.
A brief overview of the server leak
In an early January forum post, Song explained that the leaked database was not a production system, but it did house valid user data. The server was primarily used for Wyze's Elasticsearch system, which enables the rapid queries the company uses to sort through the massive amount of information it collects about devices and users. Song also clarified that an employee error had led to the misconfiguration of the server's security protocols on December 4, 2019; the data remained exposed online until December 26, when the company was informed of the issue.
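Wyze has not published which setting was changed on December 4, only that an employee error left the Elasticsearch server reachable without authorization. The most common way that happens is a node bound to a non-loopback interface while X-Pack security is left at its pre-8.0 default of disabled. The script below is an added example for this article, not Wyze's configuration and not an Elasticsearch tool: it reads a flat elasticsearch.yml, reports that combination, and contrasts a constructed exposed configuration with a hardened one. The setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings; the parser is deliberately minimal and assumes the dotted-key form rather than nested YAML.

```python
"""Audit an elasticsearch.yml for the settings that turn a cluster into a
public, unauthenticated data source. Added example for this article; the
sample configurations are constructed and do not describe Wyze's systems."""
from typing import Dict, List, Tuple, Union

Setting = Union[str, List[str]]

# Values of network.host that keep the HTTP API on the host itself.
LOOPBACK = {"_local_", "localhost", "::1"}


def _parse_value(raw: str) -> Setting:
    """Turn a YAML scalar or inline list ([a, b]) into a str or list of str."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip().strip("\"'") for v in raw[1:-1].split(",") if v.strip()]
    return raw.strip("\"'")


def parse_settings(text: str) -> Dict[str, Setting]:
    """Minimal parser for the flat 'dotted.key: value' form of elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML blocks are out of scope."""
    settings: Dict[str, Setting] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = _parse_value(value)
    return settings


def _is_loopback(host: str) -> bool:
    return host in LOOPBACK or host.startswith("127.")


def audit(settings: Dict[str, Setting]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings. Defaults mirror Elasticsearch
    before 8.0: network.host=_local_ and xpack.security.enabled=false."""
    hosts = settings.get("network.host", "_local_")
    hosts = hosts if isinstance(hosts, list) else [hosts]
    reachable = [h for h in hosts if not _is_loopback(h)]
    auth_on = str(settings.get("xpack.security.enabled", "false")).lower() == "true"
    tls_on = str(settings.get("xpack.security.http.ssl.enabled", "false")).lower() == "true"
    port = settings.get("http.port", "9200")

    findings: List[Tuple[str, str]] = []
    if reachable and not auth_on:
        findings.append(("CRITICAL", f"HTTP API bound to {reachable} with authentication "
                                     f"disabled: every index is readable by anyone who can reach port {port}"))
    elif reachable and not tls_on:
        findings.append(("WARNING", f"authentication is on but HTTP TLS is off; credentials "
                                    f"sent to {reachable} cross the network in clear text"))
    if not reachable and not auth_on:
        findings.append(("INFO", "authentication disabled; acceptable only while the node stays on loopback"))
    return findings


def worst(findings: List[Tuple[str, str]]) -> str:
    """Collapse a findings list to its highest severity, or 'OK' when empty."""
    order = {"CRITICAL": 3, "WARNING": 2, "INFO": 1}
    return max((sev for sev, _ in findings), key=order.get, default="OK")


# Constructed configurations for illustration; not Wyze's actual files.
EXPOSED_CONFIG = """
cluster.name: iot-analytics
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
# xpack.security.enabled not set -> pre-8.0 default is false
"""

HARDENED_CONFIG = """
cluster.name: iot-analytics
network.host: _local_          # reachable only from the host itself
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(parse_settings(cfg))
        print(f"{name}: {worst(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Running the script prints CRITICAL for the exposed configuration and OK for the hardened one. The check is intentionally conservative: any binding beyond loopback counts as reachable, because an internal-only cluster with no authentication is exactly the state that a later firewall or cloud security-group change turns into an internet-facing leak.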
The leaked server was first identified by the cybersecurity firm Twelve Security, which posted its findings online in late December. Researchers were quick to point out "clear indications" that data from the server was being sent back to the Alibaba Cloud in China, a service that Wyze claims it does not use. While Twelve Security stopped short of blaming China for the leak, the firm was outspoken in its call for a large-scale investigation led by U.S. security experts.
"The database is currently live and open. Anyone can access it. Since there are clear indications that the data is being sent back to the Alibaba Cloud in China, coupled with the fact a similar breach of Wyze occurred only six months ago, a notice wasn't given to Wyze," said a Twelve Security researcher, in the firm's original forum post. "If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external and fast investigation by U.S. authorities."
Next steps for Wyze
In response to the leak, Song outlined several steps Wyze is taking to ensure customer data is secured. First, the smart technology company will conduct its own internal investigation coupled with an independent review of how the leak occurred. Its findings will be further supported by assessments and audits by third-party cybersecurity firms, with the goal of validating Wyze's security and privacy environments. Before introducing new features or adjusting its security protocols, the company plans to perform a series of penetration tests that will mimic real-world cyberattacks. This will help its internal IT team evaluate the effectiveness of existing security protocols and determine whether new processes, tools and training resources are needed.
Wyze also announced it will be adding several public-facing features that will help customers respond to the server leak and protect their information moving forward. These features were highlighted in Song's late-December forum post, which claimed the company is prioritizing the following:
- Allowing users to more easily change their account email addresses
- Introducing multi-factor authentication to device setup beyond SMS
- Adding multi-factor authentication to all Wyze websites and account portals
- Releasing a dedicated website that explains best practices in cybersecurity and allows users to report potential issues
While a timeframe for these new features has not yet been released, Song assured readers that Wyze is in the "beginning stages of research" and may need to make "significant changes to … back-end systems" before they can be officially rolled out to customers. As it stands, all users who created an account prior to December 26, 2019 may be impacted by the server leak, so it's important to take the proper precautions to ensure all Wyze devices are updated with new security credentials.
Keeping up with IoT security flaws can seem like a full-time job, especially if an organization lacks reliable IT infrastructure and data mapping processes. Luckily, Perle offers industrial-grade hardware, including our durable Ethernet media converters and hardened switches, that can help companies stay one step ahead of emerging cyberthreats. Read some of our customer stories to find out how we've helped our clients across industry lines take full advantage of their IoT equipment.