Wyze Massive Data Leak

By: John Honovich, Published on Dec 26, 2019

Wyze has exposed millions of users' data, as reported by Twelve Security, and confirmed by IPVM, who has spoken with Twelve Security and reviewed the records.

Update 12/27/2019: Wyze has now confirmed the leak.

In the past few years, Wyze's use has exploded as the company has offered an unprecedented combination of super low pricing (~$25 per camera), US marketing and their founder's expertise / experience from Amazon.

Twelve Security found Wyze's Elasticsearch databases publicly exposed, as the screenshot below demonstrates:

As Twelve Security declared:

both of their entire production databases have been left entirely open to the internet.

Twelve Security reported 2.4 million users exposed, concluding that:

If this was intentional espionage or if this was gross negligence it still stands as a malicious action that must be answered with a decisive, external, and fast investigation by US authorities.


We checked the records and found, among others, devices and accounts we have used to test Wyze, e.g.:

We reached out to Wyze but have not heard back from them. Moreover, we found no post in Wyze's active forum yet but would expect that to come soon and will update accordingly.

Update 1: this has been shared on the Wyze Forum with Wyze saying they are looking into it: What is up with the data breach? - Ask the Community - Wyze Community

Update @12/26/2019 8:45pm ET: Wyze is calling this an 'alleged data breach', saying that they have not been able to verify it. Below are more examples of a user_id associated with an IPVM employee's Wyze device from this leak:

Update @12/27/2019: Wyze has now confirmed the leak, saying:

To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.

We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.

While Wyze says 'some data', we found at least 40 million records in the leak. [Note: Typically there are many records per user, see our screenshot above of our own leaked records, so 'records' should not be conflated with total 'users'.]

Moreover, the leak was open to the public for more than 3 weeks, only being closed after Twelve Security's post was released.
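As an added defender-side example (not from the article, IPVM or Wyze), the following Python checks the two things this leak turns on: whether a cluster you administer answers its root endpoint without credentials, and whether an elasticsearch.yml fragment carries the settings that make that possible. The probe URL, the sample configs and the helper names are assumptions.

```python
"""Self-audit for an Elasticsearch cluster left open to the internet.
classify_response() and audit_config() are pure; probe() wires the
first one to a live URL you own. Sample configs below are constructed."""
import json
import urllib.request
import urllib.error

# Real Elasticsearch settings whose listed values remove protection.
RISKY_KEYS = {
    "xpack.security.enabled": ("false", "authentication disabled"),
    "network.host": ("0.0.0.0", "bound to all interfaces"),
}

def classify_response(status, body):
    """Verdict for an unauthenticated GET /: a 200 carrying the cluster
    banner means anyone who can reach the port needs no credentials."""
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if "cluster_name" in doc and "version" in doc:
            return "OPEN: no authentication on cluster root"
    return "unknown"

def audit_config(yaml_text):
    """Flag risky key/value pairs in a flat elasticsearch.yml fragment."""
    findings = []
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"\'')
        bad_value, why = RISKY_KEYS.get(key, (None, None))
        if bad_value is not None and value.lower() == bad_value:
            findings.append(f"{key}={value} ({why})")
    return findings

def probe(url, timeout=5.0):
    """Unauthenticated GET against a cluster you administer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.getcode(), resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, "")
    except (urllib.error.URLError, OSError):
        return "unreachable"

# Constructed samples: the weak settings such a leak implies, and the fix.
WEAK_CONFIG = "network.host: 0.0.0.0\nxpack.security.enabled: false  # protocols removed\n"
SAFE_CONFIG = "network.host: 127.0.0.1\nxpack.security.enabled: true\n"
```

Run `probe("http://localhost:9200/")` against your own cluster; anything other than "auth-required" or "unreachable" from a non-trusted network deserves the same scrutiny as this leak.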

Wyze concluded:

For now, we’ll say that we are very sorry for this oversight and we promise to learn from this mistake to make improvements going forward.

The closest example we have found, in physical security, is the Suprema biometric mass leak, which similarly exposed Elasticsearch records.

Impact Examined

On the positive side for Wyze, Wyze specializes in serving price-sensitive customers who tend to be less driven by cybersecurity concerns. So long as Wyze can continue to provide that price advantage, we expect their core market to be happy.

On the negative side, Wyze is becoming one of the largest home security providers and will likely and should draw scrutiny from public officials.

The normal tactic for companies in this situation is to say that it was just an error. While it is hard for outsiders to be certain what the cause is, the researcher who found this concluded that "there are clear indications that the data is being sent back to the Alibaba Cloud in China". Moreover, Wyze has extensive PRC China connections, including all of its manufacturing being done in the PRC.

Update: Wyze's explanation that it had copied millions of user records and left them publicly available for weeks certainly falls under the error category. However, that is a combination of very serious errors that underscores challenges in Wyze's overall cybersecurity. Indeed, Wyze admitted that itself in its response:

This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects

How Wyze revisits and improves its cybersecurity will be an important factor in the company's evolution.

Wyze Challenges Growing

Wyze recently had a very public breakup with their analytics supplier, XNOR.ai, and is being sued by mega-manufacturer JCI. Combined with this massive data leak, Wyze is facing major challenges.
