Post updated at 6 p.m. on Dec. 29.
Seattle-area startup Wyze, a provider of home video cameras and other Internet of Things (IoT) devices, announced on Dec. 26 that it had been informed of a “data leak” that reportedly exposed the personal information of 2.4 million of its customers.
The problem arose from “a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” writes Dongsheng Song, Wyze co-founder and chief product officer, in the company’s post.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query,” he explains. “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
Founded in 2017 by a group of Amazon veterans, Wyze offers a series of low-priced cameras, plugs, bulbs and other smart-home devices. The company, based in Kirkland, Wash., has raised $20 million in venture capital. GeekWire has contacted Wyze for additional comment.
To Wyze’s credit, it has been very detailed in describing what happened, when, why, how, and what the company is doing about it.
A post by Twelve Security claimed that the leaked data included the following:
- User name and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app
- API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Wyze quoted that list in its original post but added, “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.”
In looking over this event, there are ten key security and privacy takeaways.
1) Another argument over “responsible disclosure”
Wyze has been upfront about the manner in which it was informed of the leak, with little or no time to mitigate the problem before it was made public. ZDNet’s Catalin Cimpanu summed up the feelings of many (likely including Wyze) about whether this disclosure was “responsible” or not.
This is not how “responsible disclosure” works.
In the past, I’ve waited weeks for some companies to secure servers.
These guys couldn’t wait a f***ing day. Talk about being unprofessional.
14 minutes (my bad, not 9) means you didn’t actually care about disclosure at all pic.twitter.com/EWmV33rQD6
— Catalin Cimpanu (@campuscodi) December 29, 2019
These are valid and reasonable concerns. As is often the case regarding the “disclosure wars,” there likely won’t be any resolution, but instead a renewed airing of both sides of the argument. Those supporting the disclosure can and will say the information was public for a number of days and holding that information back prolongs the risk. Those against it will say this just wasn’t enough time for the vendor to take action. Either way, this situation shows that the disclosure wars will continue so long as there’s no collective agreement on how to handle these situations.
2) Wyze moved quickly to respond
One thing to Wyze’s credit: they clearly jumped on this fast once it broke. The company’s post states: “Immediately upon hearing about a potential breach, Wyze mobilized the appropriate developers and executives (CEO and CPO) to address the allegations.”
It adds later, “This means that all Wyze user accounts were logged out and forced to log in again (as a precaution in case user tokens were compromised as alleged in the blog post). Users will also need to relink integrations with The Google Assistant, Alexa, and IFTTT.”
This level of response and these steps are reasonable to address the risks around potentially lost authentication tokens. These are also actions that will impose a burden on users.
Going back to our first point, people can and will argue how much of this response is due to the nature of the disclosure. But these are good, concrete steps, which put security ahead of ease-of-use: Wyze is risking user frustration for better security.
3) But Wyze is not forcing password resets
One thing that Wyze isn’t doing, however, is forcing password resets on users. While Wyze has said that passwords weren’t stolen, it’s often hard to be certain. And if the current situation involving Amazon’s Ring has taught us anything, it’s that people are regularly reusing passwords, especially where IoT devices are concerned. Not forcing a password reset is missing an opportunity to be thorough in the response to improve overall customer security.
4) This is different and more serious than the Ring situation
Ring has been in the news a lot lately for being “hacked.” As I’ve noted, the nature of those hacks boils down to the inherent weakness of relying on passwords. This situation is different because it’s a leak of data held by Wyze. In fact, it even appears that password information wasn’t involved.
In this case, even if you’ve used two-factor authentication (2FA), you still are at risk from this data breach.
If the Ring situation has reminded us of the risks of password reuse and the overall weakness of passwords as a security measure for IoT, this breach helps show us the risks inherent to losing the kind of data used by IoT and health-related devices in the home.
5) This shows what IoT data breaches can mean
By their very nature, IoT devices are integrated into our most intimate spaces. Cameras in particular represent a major window into our most protected personal spaces, as we’ve seen in the reactions to the Ring situation.
Looking at the information that’s potentially lost in this breach, we get a more concrete sense of what IoT data breaches can mean in real terms.
In particular, Wyze notes that the data loss includes: “List of all cameras in the home, nicknames for each camera, device model and firmware. WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app.”
This data is troubling because it can give very specific information that can be useful for real-world crime. People regularly name devices in ways that are descriptive for themselves, not expecting them to be publicly known. For example, people might name a camera in a child’s room “Betty’s Room.” Information like this can give an attacker information about who is in the house, where they might be and where cameras are going to be placed. All of this can be useful information for people who want to enter the home for malicious purposes.
One thing that Wyze has not recommended, which I would recommend, is that users rename their internal WiFi SSIDs, rename their cameras and potentially reposition those cameras. All these steps can mitigate the risks of that information now being publicly accessible.
6) IoT health data is VERY personal
Another piece of the exposed data is this: “Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users.”
Wyze goes to some length to point out that this lost information affects only a very small subset of their users, specifically “140 external beta testers.” Yes, that is a very small number of people. But the information that was exposed is very sensitive and very personal health information. It’s a reminder of the nature of the data that’s being handled by IoT and health devices.
7) Similarities to the Capital One Breach
The similarities to the Capital One data breach are striking. In this case, as Wyze says: “a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
While this isn’t exactly the same thing that happened with Capital One, in both cases you have data that was accessible in the cloud without appropriate security protections due to human error. It’s also notable that in both cases, auditing and monitoring failed to catch the misconfiguration.
Both of these cases are a reminder that, unfortunately, when things are deployed to the cloud, the risks of exposure and breach are frequently greater. And in terms of IT operations and practice, the controls and countermeasures often aren’t as robust and mature for cloud deployments as they are for traditional “on premises” deployments.
8) Speed kills
For startups, there are two lessons, as well. One is cautionary and the other potentially positive.
First the cautionary tale: speed kills.
Once again, to its credit, Wyze is open about what happened, and there’s a very clear message for startups. From the company’s posting: “To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc. We copied some data from our main production servers and put it into a more flexible database that is easier to query.”
Two things happened here that are common for startups. First, the company experienced sudden, fast growth. Second, it moved quickly to address the implications of the growth.
As noted above, it was during this “fast move” that, at some point, the security that had protected the data was removed by an employee.
It’s great that Wyze was able to move fast to address issues related to their fast growth. But this is also a reminder that speed can kill. Mistakes happen when things move fast and there’s little checking. This is a risk that all startups face and should be conscious of.
9) Speed can save you
Of course, the speed that can kill you as a startup can also save you. The fast response that we see from Wyze is an example of the speed startups can achieve. Another positive aspect of this speed is shown in the statement that the company is going to “bump up priority for user-requested security features beyond 2-factor authentication”.
If we compare and contrast this with Ring’s response to its current situation, the difference is stark. Ring has made no announcements of any major plans to improve security capabilities in the wake of stories of Ring devices being hacked. By contrast, Wyze has committed early and openly to reworking their prioritization of new user-requested security features.
Here too is another lesson for startups: use the speed and agility that being a startup gives you to move quickly to turn disadvantage into advantage.
10) Alarmist reactions over data and China
In its post, Wyze very clearly refuted the claim that it is sending data to Alibaba’s cloud in China. A question and answer in the post speaks directly to this:
Is there validity to the claim that Wyze is sending user data to China?
Wyze does not use Alibaba Cloud. The claim made in the article that we do is false.
It goes on to note that the company has employees and manufacturers in China, but “Wyze does not share user data with any government agencies in China or any other country.”
The fact that this claim was made and Wyze feels a need to refute it points to another takeaway: there is an emerging, almost “McCarthyite” trend lately to imply or allege that tech companies with ties to China are storing data in China and/or sharing data with the Chinese government. We’ve seen similar insinuations in regards to TikTok as well.
Partly, this represents the sort of speculation that can fill a vacuum when companies don’t provide clear information themselves about where they store their data. A few years ago, people, especially in Europe, were concerned about data being stored in the United States and its possibly being subject to seizure under the Patriot Act. Now, people are concerned about data being stored in China and accessible by the government there.
One thing companies can do to mitigate this concern is to be open about where they store data.
Beyond that, though, there is clearly heightened concern now about data being stored and shared with China, and that concern is manifesting in claims and insinuations about data being stored or shipped there.
The Wyze breach is a serious one. And Wyze deserves credit for doing a lot of things right, quickly, in response. But as we dig into it more, we can see that this situation raises a number of issues around IoT devices, data storage, security and incident response.
We can all learn from this, which is one reason why it’s so good that the Wyze team has been open and up front about the situation: it helps the industry learn and grow collectively. And because Wyze is a startup, its experience and response have particular lessons for other up-and-coming companies in the IoT space.
Update: Wyze disclosed an additional issue in a Dec. 29 update to its post.
We have been auditing all of our servers and databases since then and have discovered an additional database that was left unprotected. This was not a production database and we can confirm that passwords and personal financial data were not included in this database. We are still working through what additional information was leaked as well as the circumstances that caused that leak.
We’ve also clarified our post above to note that Wyze says it doesn’t collect information about protein intake or bone density, contrary to a report that said such data was included in the leak.