Wyze, a security camera manufacturer, has admitted to a mistake that left the personal data of more than a million users exposed on the web. According to Wyze, no passwords or financial information was exposed, but user data such as email addresses, Wi-Fi network IDs and body metrics were left unprotected between December 4 and December 26, 2019.
The incident was caused by a misconfigured Elasticsearch database containing data generated by more than 2.4 million Wyze customers, which the company blamed on an error by one of its employees. The company said it is continuing to investigate why appropriate security standards were not applied to the datasets.
Elasticsearch is a scalable open-source full-text search and analytics engine that lets users store, search and analyze large volumes of data quickly and in near real time. It is queried over an HTTP REST API (port 9200 by default), and an instance with authentication disabled answers any query from any host that can reach that port; before versions 6.8 and 7.1, released in May 2019, authentication was not available without a paid license, which is why exposed, unauthenticated clusters have been a recurring source of data leaks.
How Did The Incident Happen At Wyze?
The incident took place during an internal project to find more efficient ways to measure business metrics such as device activations and failed connection rates. This meant replicating data from the main production servers into a more flexible database that is easier to query. Queries over large volumes of such data are compute-intensive and could degrade the user experience if run on the main database, so a subset of the data was copied into a separate database where it could be processed without slowing the production system.
The data was exposed to the web unencrypted while it was being transferred to the new database. This happened because, during the process, an employee accidentally removed the security protocols that had protected it. The new database held only a subset of the data and did not include any user passwords, government-regulated personal data, or financial information, company co-founder Dongsheng Song said.
Wyze Incident: What Was Exposed?
So far the company has acknowledged only that the data was left exposed to the web, and has said there is no evidence that the data was actually accessed. The exposed data included health metrics, email addresses, Wi-Fi network IDs, and limited tokens associated with Alexa integrations. Users have been asked to log back in and relink their Alexa, Google Assistant, or IFTTT integrations so that new tokens are generated and the exposed ones stop working. Users have also been warned to be cautious about phishing attacks, since attackers may hold user names and email addresses that could be used to trick them into giving up credit card information.
As far as the main login tokens are concerned, the company stated there was no evidence that login tokens had been exposed. Nevertheless, users have been signed out of their accounts as a precaution so that new login tokens are generated. The company also said it is stepping up security, including adding two-factor authentication for its users and rebooting the cameras shortly. Wyze said it would add an extra level of protection to its system databases, adjust multiple permission rules, and restrict database access to a whitelist of approved IP addresses.
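The controls Wyze describes (restricting which hosts can reach the database, requiring authentication) map onto a handful of elasticsearch.yml settings. The following is an added example, not Wyze's code or Elastic's tooling: a small audit that parses the flat dotted-key form of elasticsearch.yml and flags the settings that turn an internal analytics replica into a publicly readable REST API, run against a constructed "weak" configuration and a constructed "hardened" one. The cluster name, the private address 10.20.0.15 and the keystore path are placeholders.

```python
# Added example for this article (not Wyze's code and not Elastic's tooling):
# audit an elasticsearch.yml for the settings that expose the REST API to
# anyone who can reach port 9200. Sample configs below are constructed.

PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_"}   # listen on every / every global interface


def parse_flat_yaml(text):
    """Parse the flat `key: value` form elasticsearch.yml normally uses.

    Comments are stripped; nested YAML is not handled (assumption: the
    settings of interest are written as dotted keys, as Elastic documents them).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_exposure(settings):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    # Elasticsearch binds to loopback (_local_) unless network.host says otherwise.
    host = settings.get("network.host", "_local_")
    if host in PUBLIC_BINDINGS:
        findings.append(f"network.host={host}: REST API listens on every interface")
    # Authentication: the default differs by version (off on a basic licence in
    # 7.x, on in 8.x) and was a paid feature before 6.8/7.1, so the audit
    # insists on an explicit `true`.
    if settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: anonymous queries allowed")
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials and data sent in clear")
    return findings


# Constructed example: the shape of config that exposes an analytics replica.
WEAK_CONFIG = """
cluster.name: metrics-replica
network.host: 0.0.0.0            # reachable from the internet if nothing sits in front
http.port: 9200
xpack.security.enabled: false
"""

# Constructed example: private interface only, authentication and TLS on.
# Source-IP allow-listing of the kind Wyze describes belongs at the firewall /
# security group in front of 10.20.0.15 (placeholder address).
HARDENED_CONFIG = """
cluster.name: metrics-replica
network.host: 10.20.0.15         # private interface; allow-listed IPs enforced at the firewall
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_exposure(parse_flat_yaml(cfg))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as-is, the weak configuration produces three findings (public binding, no authentication, no TLS) and the hardened one produces none. Binding to a private address is not a substitute for authentication: a replica that is reachable from a compromised internal host, or that a later change binds elsewhere, still needs credentials enforced by the cluster itself.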
“We’ve often heard people say ‘you pay for what you get,’ assuming Wyze products are less secure because they are less expensive. However, this is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this. This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication,” according to co-founder Song.
Seattle-based Wyze Labs is regarded as a highly affordable smart home camera manufacturer, selling smart security cameras for as little as $20, compared with cameras with the same features from other vendors, such as Amazon's Cloud Cam, which costs over $100. Critics have claimed that the company's low prices mean it hasn't taken security seriously, a charge the Wyze co-founder denied in a blog post.
The Wyze data exposure is not an isolated incident of data leaking during analytics work. In the past we have seen the Suprema biometric mass leak, in which records were similarly exposed through an unsecured Elasticsearch database.