I hear you; totally respectable.
I’m on the security side of things, and it’s not just my career - it’s my passion. I love tinkering with all these things in my free time, so I have quite a bit of first-hand experience with them, and can’t wait to play with the newest IoT devices.
I, for myself, think the @WyzeTeam is handling all this correctly, given the situation they were handed. I do think things could have been done to maybe prevent this, IF the claims are true. But many huge companies have messed up this part before.
As a developer myself, I put security first, but at the same time, I am not a security engineer, and I just follow best practices. Wyze pays a lot of money to keep the infrastructure up just for you to buy the product for as little as $20 for a camera. The cost to keep things maintained is a lot more. I would love to see a home solution instead of a cloud solution they could sell to us too. This would also give people options, and would mean that when their service stops, for business or whatever reason, we as consumers can still use these products.
Agreed. I work in Security and Incident Response, and have worked with Elasticsearch databases for many years now and securing access to the Elasticsearch database is in Configuration 101. Very concerning from a security and devops perspective how this slipped by and was not noticed.
I will also point out that, given this oversight, it is highly likely there is no detailed access log (or full network capture) in place and therefore it will be very difficult to “confirm” exactly what may have been compromised. I love Wyze as much as the next person, just bear in mind that an open Elasticsearch database exposed to the Internet is literally an open book and despite what Wyze may say as far as “not being able to verify/confirm a compromise”, there very likely was.
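The two posts above put the root cause down to basic configuration: an Elasticsearch node bound to a routable address with no authentication, and no audit trail to reconstruct who read what. The script below is an added example for this thread (not Wyze's code and not from any Elasticsearch project) that lints an elasticsearch.yml for exactly those conditions. The setting names it checks (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled, xpack.security.audit.enabled) are real Elasticsearch settings; the weak and hardened config fragments are constructed for illustration, and treating a missing xpack.security.enabled as "off" is an assumption that matches pre-8.0 defaults (8.x turns security on by default, and audit logging is subscription-gated on some versions).

```python
"""Lint a flat elasticsearch.yml for the 'open book' misconfiguration:
bound to a non-loopback address with security, TLS or auditing off.
Added example; the configs below are constructed, not taken from Wyze."""
import ipaddress

LOOPBACK_HOSTS = {"_local_", "localhost", "127.0.0.1", "::1"}

# Constructed: the kind of config that leaves every index readable by anyone.
WEAK_CONFIG = """
cluster.name: logs
network.host: 0.0.0.0       # listens on all interfaces
http.port: 9200
"""

# Constructed: same exposure, but with auth, TLS and audit logging enabled.
HARDENED_CONFIG = """
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.audit.enabled: true
"""

# Constructed: loopback-only node (dev box); still no audit trail.
LOCAL_CONFIG = "network.host: 127.0.0.1"


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict; comments and blanks are ignored.
    Deliberately minimal: the settings we care about are all top-level dotted keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def _is_loopback(host):
    host = host.strip()
    if host in LOOPBACK_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # hostnames and special values such as _site_ / _global_ are routable
        return False


def _truthy(value):
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def audit_elasticsearch_config(text):
    """Return a list of findings (empty list means nothing flagged)."""
    s = parse_flat_yaml(text)
    # network.host may be a single value or a [a, b] list; default is loopback.
    hosts = [h for h in s.get("network.host", "_local_").strip("[]").split(",") if h.strip()]
    exposed = any(not _is_loopback(h) for h in hosts)
    # Assumption: absent => off (pre-8.0 behaviour). Adjust for your version.
    security_on = _truthy(s.get("xpack.security.enabled", "false"))
    tls_on = _truthy(s.get("xpack.security.http.ssl.enabled", "false"))
    audit_on = _truthy(s.get("xpack.security.audit.enabled", "false"))

    findings = []
    if exposed and not security_on:
        findings.append("network.host binds a routable address but xpack.security.enabled "
                        "is not true: anonymous read/write access to every index")
    if exposed and not tls_on:
        findings.append("HTTP API reachable without TLS (xpack.security.http.ssl.enabled): "
                        "credentials and data cross the network in clear text")
    if not audit_on:
        findings.append("xpack.security.audit.enabled is not true: no record of who "
                        "queried what, so a compromise cannot be scoped afterwards")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("local", LOCAL_CONFIG)]:
        print(name, audit_elasticsearch_config(cfg) or ["ok"])
```

Run it against the real elasticsearch.yml on a node you own; the point is that the difference between the weak and hardened fragments is four lines, which is why the post calls this "Configuration 101".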
Even once you get in, don’t get too excited… I have 3 cameras, 5 smart lights, 2 door sensors and a motion sensor… although I have access to my account, they are all unresponsive.
Eloquently said. @WyzeTeam has handled this response very well, albeit yesterday’s email could have been more forthcoming.
If this could have been prevented on their end, this is a teachable moment, and like you said - far more capable companies have had similar or worse issues, even with all the resources at their disposal.
From Wyze: DreadPirateRush, Forum Moderator
Hi everyone, I’m closing this thread. Please see the below thread and continue the conversation there. Because everyone’s token was reset, the 2FA servers are being overloaded with people trying to log back in. It’s essentially now a DDoS by the user community.
tpowers215 comment: In today’s cloud world, I hope you change architecture to add 2FA server capacity (as needed) to reduce or mitigate the risk of the user community causing DDoS-like activity.
Seconded, although not likely.
Totally agree my wife and I have discussed that many times
Wouldn’t we all!
The reality is, and no offense to Wyze here, all vendors are adopting the ol’ “razor and blades” business model. Give away the device for a steal (increase adoption amongst users), then hit them with the up-sell (e.g. cloud recording, other added benefits, etc…). And this, my friends, cannot be done without us relying on their cloud.
EDITED: for clarity
In an incident like this, everything is considered insecure until such time that security can be re-established.
EDIT: changed word
I personally give thanks to the Wyze team for acting quickly on this issue.
I do believe that the real work starts after the remediation.
There are a lot of questions to be answered, and all Wyze patrons are waiting for it. This issue is a very serious matter, whether it is a breach or carelessness on the part of Wyze.
IoT is the most overlooked in terms of security, and being on the net is inevitable. Especially since Wyze is one of the fastest growing companies. Wyze should have a road map in terms of security provided to users.
Now at the least, all or a lot of the usernames were exposed. I won’t be surprised if there will be a brute force attack.
I’m sure there are a lot of members and users here who have a lot of knowledge and experience and can give their thoughts.
We are a community eager to help one another.
Again thank you so much and more power to Wyze.
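The post above expects brute-force attempts now that usernames are out. What a defender actually watches for after a username leak is two shapes in the authentication log: one account hammered from one source (brute force) and one source trying a few passwords against many accounts (credential stuffing), followed by a success from a source already flagged. The detector below is an added example for this thread, not Wyze's code; the log line format, the RFC 5737 test addresses, the thresholds and the five-minute window are all assumptions, and the sample log is constructed.

```python
"""Sliding-window detection of brute force and credential stuffing in auth logs.
Added example; format, thresholds and sample lines are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: tune to real login rates
PER_USER_FAILS = 5              # one account, many failures: brute force
PER_IP_USERS = 5                # one source, many accounts: credential stuffing

# Constructed sample log. Field layout "ts ip=.. user=.. result=FAIL|OK" is assumed.
SAMPLE_LOG = """
2019-12-27T09:30:00Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-12-27T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-12-27T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2019-12-27T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2019-12-27T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2019-12-27T10:00:06Z ip=203.0.113.7 user=frank result=OK
2019-12-27T10:01:00Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:01:10Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:01:20Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:01:30Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:01:40Z ip=198.51.100.9 user=bob result=FAIL
2019-12-27T10:02:00Z ip=192.0.2.4 user=carol result=FAIL
2019-12-27T10:02:30Z ip=192.0.2.4 user=carol result=OK
"""


def parse_line(line):
    """'2019-12-27T10:00:01Z ip=X user=Y result=FAIL' -> (ts, ip, user, result)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            fields["ip"], fields["user"], fields["result"])


def _prune(window_list, now):
    """Drop entries older than WINDOW from a time-ordered list of (ts, ...)."""
    while window_list and now - window_list[0][0] > WINDOW:
        window_list.pop(0)


def detect(log_text):
    """Return alerts as (kind, user, ip, ts) tuples, one per distinct condition,
    ordered by the time the condition was first met."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    user_fails = defaultdict(list)   # user -> [(ts, ip)] within WINDOW
    ip_fails = defaultdict(list)     # ip   -> [(ts, user)] within WINDOW
    stuffing_ips = set()             # sources already flagged for stuffing
    fired = {}                       # dedupe key -> alert; first trigger wins

    for ts, ip, user, result in events:
        if result == "OK":
            # A success from a source that was spraying accounts is the alert
            # that matters most: that login is probably a compromised account.
            if ip in stuffing_ips:
                fired.setdefault(("success_after_stuffing", ip, user),
                                 ("success_after_stuffing", user, ip, ts))
            continue

        uf = user_fails[user]
        uf.append((ts, ip))
        _prune(uf, ts)
        if len(uf) >= PER_USER_FAILS:
            fired.setdefault(("bruteforce", user), ("bruteforce", user, ip, ts))

        ipf = ip_fails[ip]
        ipf.append((ts, user))
        _prune(ipf, ts)
        if len({u for _, u in ipf}) >= PER_IP_USERS:
            stuffing_ips.add(ip)
            fired.setdefault(("stuffing", ip), ("stuffing", user, ip, ts))

    return sorted(fired.values(), key=lambda a: a[3])


if __name__ == "__main__":
    for kind, user, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:24s} user={user} ip={ip}")
```

Two details carry the design: the stale failure for bob at 09:30 falls out of the window and does not inflate the count, and carol's single failure followed by a success from an unflagged address produces nothing, which is what keeps a detector like this from paging on ordinary typos. Counting distinct users per source, rather than total failures, is what separates stuffing from a user mistyping their own password.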
I agree there’s a lot of upselling and subscription marketing in the industry, but I would disagree that Wyze has been part of it. Wyze has been selling cameras for almost 2 years with no subscription and no upsell, while continuing to add new free features. The only paid service they currently offer is a direct request from customers to allow longer cloud recordings and it’s very reasonably priced to cover Wyze’s cloud storage costs.
Oh gosh, I didn’t mean to imply anything negative about Wyze.
Yes, they sell great hardware at an even better price. And yes, they have only just begun selling additional services, but I implore everyone to not be naive as to why you cannot find a $20 stand-alone device not dependent on the cloud.
I wish Wyze all the success in the world; hell, I have sold many friends and family on these cams, and have helped install no fewer than 50 for said people.
If Wyze’s original business plan did not include recurring services as a means of revenue, I’d argue they aren’t very smart about business. And I’m saying just the opposite; of course added services for fee are part of that strategy…and they’ve just barely gotten to that point.
Not exactly, if you have multiple cameras. Ring Protect is $10/month or $100/year for “unlimited” devices.
Let me further illustrate my point. I, too, was looking for that “one-time” purchase, and backed this crowdfunded device many years ago: https://getpiper.com
It promised to be the all-in-one device with no recurring fees. And it was, until the original Canadian developer sold the business to a business, which later sold the intellectual property to ADP.
Does my device still work? Maybe; can’t say - as I’ve since replaced it with updated hardware. But I can tell you this - the minute the business sold, all investment in app development stopped, and now all they have is a landing page; they stopped selling them 2+ years ago.
Woah, yea, that really stinks. I hope it doesn’t happen to Wyze, but, I mean, I was totally invested in the IRIS system, then they went full cloud, then they shut down. So, I understand; granted they paid me half for everything I bought, which was nice, before they shut down. I have the Ring system and use the Wyze system to supplement specific needs. Ring IS a security company, unlike Wyze, and I use them as such. Wyze, I use to keep track of non-critical things.
Anyway, is there another forum or is there a Wyze Discord where we can all talk about this stuff instead of filling this topic up with posts not related to the specific topic? (And because I think this is getting closed.)
EDIT: it’s not being closed, I read that post wrong. Another post was closed and went here.
If it turns out that there’s something to the alleged breach, you’d probably be the first to complain that Wyze didn’t flush their sessions once they heard about it.
This was due diligence on the part of Wyze and any responsible company would have done the same.
FWIW, here is that device’s original competitor: https://canary.is. Also available years ago on a crowdfunding site as a “one-time” buy. I struggled in deciding which to fund, and went with the one that would deliver sooner.
Anyhow, long story short, they are still around, updating their app, introducing new hardware, and doing just fine business wise.
Can you guess the difference? When Canary came to market, 6 months later they introduced cloud recording/storage, etc…
EDIT: forgot link to referenced product
Oh, forgot - I dunno. I’m not on Discord, and though we are filling the thread with security banter, I’m not sure it’s inappropriate unless Wyze says otherwise (or closes the thread).