Wyze Labs - data breach confirmed

aaiyar · December 26, 2019, 11:01pm

FYI - reported by Twelve Security and confirmed by IPVM.

Edit: A few hours ago, Wyze labs confirmed what they term as a "data leak" between 12/4/2019 and 12/26/2019

gavincampbell · December 26, 2019, 11:53pm

Wow. I wonder what has been leaked. Apparently all my info is already out there after the latest lifelabs leak in Canada.

Wyze claims they are looking into it via this thread on their forum.

bertabcd1234 · December 26, 2019, 11:54pm

Thanks for sharing! This is one reason I don't like devices that only work with closed systems like theirs (like their contact sensors; their locks are Zigbee 3.0 and might work with standard hubs). I'm conflicted about the cameras; they're cheap and work pretty, but they're fairly dependent on their cloud and the RTSP firmware they introduced a while back is probably the best you can make them work while minimizing that, but it's intentionally not getting updates anymore. I hope they continue to listen and make things more easily integrated with other platforms--then I can use them without their cloud or expose them only through things I trust (which so far would include Hubitat--though I don't ever see video happening there, but there's more than that).

aaiyar · December 26, 2019, 11:59pm

After reading @gavincampbell's link to the Wyze forums I have edited the title of my post to indicate uncertainty. It is possible this claim is a hoax.

gavincampbell · December 27, 2019, 12:02am

Their cameras are rebranded chinese cameras that you can get a hacked firmware for to work without having to depend on any clound services if you want. But then you have to have trust in the chinese product. My neighbour bought one and said it worked nicely. But he doesn't care if it goes through servers not located in NA.

Wyze cameras were just so cheap for the simple use cases I had though.

gavincampbell · December 27, 2019, 12:02am

Still not sure if its a hoax or not but at least they replied saying they are investigating. So we shall see.

Tim-in-Ca · December 27, 2019, 12:28am

It’s best to enable two factor authentication where possible. Hopefully passwords weren’t compromised

JasonJoel · December 27, 2019, 1:35am

Eh. Everyone should be using unique passwords per site/service these days anyway. So change that one password and move on.

Seems like I've been changing 1-2 passwords a week due to breaches lately.

gavincampbell · December 27, 2019, 2:20am

Lots of details here. Looks like they are expiring all tokens (or something) forcing everybody to log back in. But then their twitter mentioned 2fa issues due to too many logins.

Edited: A data breach has yet to be confirmed by the Wyze team.

JasonJoel · December 27, 2019, 1:39pm

Well, if they are expiring tokens, then they must think something happened - whether they are saying it is a breach or not.

Of course, if there was no actual breach then Twelve Security will be out of business (if that is even a thing with a "blog website") any time now. But that is what they deserve if they report mis-information anyway, so no sympathy here.

Though IPVM said they found one of their staff's data in the dump - so that is at least a source external from "Twelve Security" corroborating it.

denise.grider · December 28, 2019, 12:56am

I have been using the Dafang hack on my 5 Wyze cameras, and it has been great. I even contributed to the code base . It's been over a year since I bought the cameras (V2 and Pan) so not sure if the Dafang hack still works with newer cameras.

We have the cameras set up inside the house for monitoring when we aren't home, so definitely wanted something that is never exposed to the internet. I can use a VPN to login to our network to view the cameras when we are away or use the images with refresh on the Hubitat dashboard, which is usually good enough.

Navat604 · December 28, 2019, 4:49pm

Here's a comment from the Wyze staff.

" Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.

The vulnerability started December 4th and did not involve any of our production data tables. While significant, this database only contained a subset of data. It did not contain user passwords or government-regulated personal or financial information. It did contain customer emails along with camera nicknames, WiFi SSIDs, Wyze device information, body metrics for a small number of product beta testers, and limited tokens associated with Alexa integrations."

JasonJoel · December 28, 2019, 4:53pm

Let the lawsuits/fines begin if it contained UK user data.

marktheknife · December 29, 2019, 2:43pm

I wonder what they were doing with this. Maybe trying to recognize specific individuals so the system can decide whether to generate a notification.

ogiewon · December 29, 2019, 2:47pm

I believe that Wyze is beta testing a Smart Scale device. That would explain the body metrics data for a small number of users.