Wyze Massive Data Leak

By: John Honovich, Published on Dec 26, 2019

Wyze has exposed millions of users' data, as reported by Twelve Security and confirmed by IPVM, which has spoken with Twelve Security and reviewed the records.

Update 12/27/2019: Wyze has now confirmed the leak.

In the past few years, Wyze's adoption has exploded as the company has offered an unprecedented combination of super low pricing (~$25 per camera), US marketing, and its founder's expertise and experience from Amazon.

Twelve Security found Wyze's Elasticsearch databases publicly exposed, e.g., as the screenshot below demonstrates:

As Twelve Security declared:

both of their entire production databases have been left entirely open to the internet.

Twelve Security puts the number of exposed users at 2.4 million, concluding that:

If this was intentional espionage or if this was gross negligence it still stands as a malicious action that must be answered with a decisive, external, and fast investigation by US authorities.

We checked the records and found, for example, devices and accounts we have used to test Wyze:

We reached out to Wyze but have not heard back from them. Moreover, we found no post in Wyze's active forum yet but would expect that to come soon and will update accordingly.

Update 1: this has been shared on the Wyze Forum with Wyze saying they are looking into it: What is up with the data breach? - Ask the Community - Wyze Community

Update @12/26/2019 8:45pm ET: Wyze is calling this an 'alleged data breach', saying that they have not been able to verify it. Below are more examples from this leak of a user_id associated with an IPVM employee's Wyze device:

Update @12/27/2019: Wyze has now confirmed the leak, saying:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

While Wyze says 'some data', we found at least 40 million records in the leak. [Note: Typically there are many records per user, see our screenshot above of our own leaked records, so 'records' should not be conflated with total 'users'.]

Moreover, the leak was open to the public for more than 3 weeks, only being closed after Twelve Security's post was released.

Wyze concluded:

For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.

The closest example we have found in physical security is the Suprema biometric mass leak, which similarly exposed Elasticsearch records.

Impact Examined

On the positive side for Wyze, Wyze specializes in serving price-sensitive customers who tend to be less driven by cybersecurity concerns. So long as Wyze can continue to provide that price advantage, we expect their core market to be happy.

On the negative side, Wyze is becoming one of the largest home security providers and will likely, and should, draw scrutiny from public officials.

The normal tactic for companies in this situation is to say that it was just an error. While it is hard for outsiders to be certain what the cause is, the researcher who found this concluded that "there are clear indications that the data is being sent back to the Alibaba Cloud in China". Moreover, Wyze has extensive PRC China connections, including all of its manufacturing being done in the PRC.

Update: Wyze's explanation that it had copied millions of user records and left them publicly available for weeks certainly falls under the error category. However, that is a combination of very serious errors that underscores challenges in Wyze's overall cybersecurity. Indeed, Wyze admitted as much itself in its response:

This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects

How Wyze revisits and improves its cybersecurity will be an important factor in the company's evolution.

Wyze Challenges Growing

Wyze recently had a very public breakup with their analytics supplier, XNOR.ai, and is being sued by mega-manufacturer JCI. Combined with this massive data leak, Wyze is facing major challenges.
