[Updated 02-13-20] Data leak 12-26-2019

Yeah, that was a real !@#!@ move by the researcher, not even attempting to contact the vendor (Wyze) first… I’ve had to do a few public / newspaper disclosures of what I’ve found previously, but I’ve always reached out to the vendor multiple times before I did a public disclosure.

It was an insecure ElasticSearch server (not the underlying database, but an indexing/caching/sub-record technology). It’s a COMMON problem where people do not secure them properly (so why it happened is a BIG question). It was exposed for almost a month (at least) as well… the last “check” on one vendor was Dec 4th…

I’ve come across many of these, and done disclosures to the vendors on the major ones. For a company with 2.4M users, it should have been standard practice to be discovering/monitoring this on a weekly basis.

2 Likes

Oops, yes, thank you for the correction; not the db - my mistake.

That said, it does not negate my earlier points:

  1. It should not have been available via the public WAN, and

  2. the credentials people use in the app have nothing to do with it.

Yes! At a minimum, Wyze should be performing external port scans…

I knew what you meant :wink:

Wyze, as a camera company, should have security up front, but I think people have been pushing Wyze for features instead. Wyze should still put security first with all new features and improvements.

2 Likes

STAY ON TARGET:

  1. Leak became known to @WyzeTeam and they acted swiftly to mitigate any potential issues. This included forcing a re-authentication of every user. Good on them.
  2. They’re investigating, because the sources reporting the alleged leak are questionable.
  3. They need to improve the 2FA system, as it clearly could not handle this situation. Thusly: [Updated 02-13-20] Data leak 12-26-2019 - #257 by holocron

3 Likes

Hey, thanks!

Yup, with IoT and cloud everything, it shouldn’t matter if it’s a smart lock, camera, light bulb, or toilet plunger - security is paramount, and manufacturers of these devices have a responsibility to create and maintain an internal culture of security awareness.

Devs need to dev with security in mind, as do network/cloud/ops engineers… hell, since people are overwhelmingly the weakest link in the chain, everyone from the CEO to the water boy needs to mind security in these types of operations.

1 Like

Yes, you are correct. But with all due respect, since all the “I can’t login” users have left the thread, no harm in the conversation the security-minded folks are having here.

I wish I had it all figured out. I work in IT, not security, but I am familiar enough with basic security concepts. Part of what I do is process improvement, troubleshooting, and looking for potential issues with given technologies before they happen. I’m often the “this won’t work because…” guy. So yeah, part of what I do is predict and foresee problems with technologies, processes, etc…

I haven’t implemented any real smart devices simply because of all the issues that have been discussed on this thread.

And despite working in IT, I’m also old enough to remember the days before remote control TVs, before consumer grade microwave ovens, when phones were rotary dial, etc… so seeing the increasing reliance on technologies that are relatively easily hacked or are dependent on someone else’s security or provide all of our personal details including allowing unknown people from random companies to listen to every word we speak, in some cases watching what we do inside our homes, etc… has been a little sobering for me and has led me to be overly cautious in allowing these things inside my home.

It’s bad enough dealing with potential security breaches and problems at work. I don’t want to do that at home. To me IT is how I make a living, not a hobby that I actually enjoy. When I’m home, the last thing I want to do is the same thing I do at work.

I hear you; totally respectable.

I’m on the security side of things, and it’s not just my career - it’s my passion. I love tinkering with all these things in my free time, so I have quite a bit of first-hand experience with them, and can’t wait to play with the newest IoT devices.

I, for myself, think the @WyzeTeam is handling all this correctly, for the situation that was given to them. I do think things could have been done to maybe prevent this, IF the claims are true. But many huge companies have messed up this part before.

As a developer myself, I put security first, but at the same time, I am not a security engineer, and I just follow best practices. Wyze pays a lot of money to keep the infrastructure up just for you to buy the product for as little as $20 for a camera. The cost to keep things maintained is a lot more. I would love to see a home solution instead of a cloud solution they could sell to us too. This would also give people options and allow for when their service stops, due to business or w/e reason, we as consumers can still use these products :smiley:

3 Likes

Agreed. I work in Security and Incident Response, have worked with Elasticsearch databases for many years now, and securing access to the Elasticsearch database is Configuration 101. Very concerning from a security and devops perspective how this slipped by and was not noticed.

I will also point out that, given this oversight, it is highly likely there is no detailed access log (or full network capture) in place and therefore it will be very difficult to “confirm” exactly what may have been compromised. I love Wyze as much as the next person, just bear in mind that an open Elasticsearch database exposed to the Internet is literally an open book and despite what Wyze may say as far as “not being able to verify/confirm a compromise”, there very likely was.

3 Likes
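The two points in the post above (access control is "Configuration 101", and without audit logging a compromise cannot be scoped) can be turned into a small config check. This is an added example, not code from the thread or from Wyze: it audits a flat elasticsearch.yml for the pattern of binding to a non-loopback address with security off, using real Elasticsearch 7.x setting names and two constructed sample configs.

```python
# Audit a flat elasticsearch.yml for the exposure pattern this post describes.
# Added example, not from the thread or from Wyze; the configs below are
# constructed samples, while the setting names are real Elasticsearch 7.x keys.
import ipaddress
import re

LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; comments skipped, nested YAML unsupported."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("\"'")
    return settings

def is_truthy(value):
    return str(value).lower() in {"true", "yes", "on", "1"}

def binds_non_loopback(host):
    """network.host defaults to loopback; anything else is reachable from other hosts."""
    if host is None or host in LOOPBACK_ALIASES:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # _site_, _global_, interface names, hostnames

def audit(text):
    """Return (severity, message) findings for one config, most severe first."""
    s = parse_flat_yaml(text)
    exposed = binds_non_loopback(s.get("network.host"))
    findings = []
    if exposed and not is_truthy(s.get("xpack.security.enabled", "false")):
        findings.append(("CRITICAL", "reachable off-host with security off: anonymous read/write over the REST API"))
    if exposed and not is_truthy(s.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(("HIGH", "REST API served without TLS"))
    if not is_truthy(s.get("xpack.security.audit.enabled", "false")):
        findings.append(("MEDIUM", "audit logging off: no record to scope a compromise afterwards"))
    if exposed:
        findings.append(("LOW", "bound to a non-loopback address: confirm firewalling with an external port scan"))
    return findings

# Constructed samples: the weak config beside its hardened counterpart.
WEAK = "cluster.name: demo\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = ("cluster.name: demo\nnetwork.host: 10.0.0.5\nhttp.port: 9200\n"
            "xpack.security.enabled: true\nxpack.security.http.ssl.enabled: true\n"
            "xpack.security.transport.ssl.enabled: true\nxpack.security.audit.enabled: true\n")
```

Run `audit(WEAK)` and `audit(HARDENED)` to compare: the weak file trips every finding, the hardened one only the LOW reminder that a LAN-bound node still deserves an external scan.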

Even once you get in, don’t get too excited… I have 3 cameras, 5 smart lights, 2 door sensors and a motion sensor… although I have access to my account, they are all unresponsive.

Eloquently said. @WyzeTeam has handled this response very well, albeit yesterday’s email could have been more forthcoming.

If this could have been prevented on their end, this is a teachable moment, and like you said - far more capable companies have had similar or worse issues, even with all the resources at their disposal.

From Wyze: DreadPirateRush, Forum Moderator (14h)

Hi everyone, I’m closing this thread. Please see the below thread and continue the conversation there. Because everyone’s token was reset, the 2FA servers are being overloaded with people trying to log back in. It’s essentially now a DDOS by the user community.

tpowers215 comment: In today’s cloud world, I hope you change architecture to add 2FA server capacity (as needed) to reduce or mitigate the risk of the user community causing DDOS-like activity.

Truth.

Seconded, although not likely.

2 Likes

Totally agree, my wife and I have discussed that many times.

Wouldn’t we all!

The reality is, and no offense to Wyze here, all vendors are adopting the ol’ “razor and blades” business model. Give away the device for a steal (increase adoption amongst users), then hit them with the up-sell (e.g. cloud recording, other added benefits, etc…). And this, my friends, cannot be done without us relying on their cloud.

EDITED: for clarity

In an incident like this, everything is considered insecure until such time that security can be re-established.

EDIT: changed word

I personally give thanks to the Wyze team for acting quickly on this issue.

I do believe that the real work starts after the remediation.

There are a lot of questions to be answered, and all Wyze patrons are waiting for it. For this issue is a very serious matter, whether it is a breach or carelessness on the part of Wyze.

IoT is the most overlooked in terms of security, and being on the net is inevitable. Especially since Wyze is one of the fastest-growing companies. Wyze should have a road map in terms of security provided to users.

Now at the least, all or a lot of the usernames were exposed. I won’t be surprised if there will be a brute force attack.

I’m sure there are a lot of members and users here who have a lot of knowledge and experience and can give their thoughts.

We are a community eager to help one another.

Again thank you so much and more power to Wyze.