
Privacy scare leads Wyze to unpair all devices from Google Assistant and Alexa, you’ll need to add them back (Update: Further responses)


Smart home appliance maker Wyze has responded to what it calls an “alleged” data breach against its production databases by logging all users out of their accounts and has strengthened security for its servers. Customers endured a lengthy reauthentication process as the company responded to a series of reports claiming that the company stored sensitive information about people’s security cameras, local networks, and email addresses in exposed databases.

Texas-based Twelve Security, a self-described “boutique” consulting firm, posted the claim of a breach against Wyze’s two Elasticsearch databases on Medium yesterday. The unsecured data is said to have come from 2.4 million users. A plurality of them are located on the east coast of the United States, though data was sourced from across the country as well as in the United Kingdom, the United Arab Emirates, Egypt, and parts of Malaysia.

The dataset included every email address registered to a camera or granted shared access to one; the models, firmware versions, and assigned names of every camera in a household; the time of each device's last activation; the times of users' last login and logout; account login tokens for users' Android and iOS devices; camera access tokens for users' Alexa devices; Wi-Fi SSIDs; and internal subnet layouts. A subset of users who had supplied or tracked their height, weight, gender, bone health, and protein intake may have had that data exposed as well. Twelve Security also noted that there were "clear indications" that data was being trafficked through Alibaba Cloud servers in China.

Video surveillance news blog IPVM followed up with Twelve Security and was able to spot accounts and devices linked to its staff who reviewed Wyze products.

Twelve Security opted not to notify Wyze before going public with its claims on suspicion of either the company’s gross negligence or a concentrated espionage effort, based on the alleged Alibaba Cloud link as well as a previous security blunder where Alexa users could view camera feeds from devices they’ve resold to other people — that vulnerability has since been patched.

In a bulletin on its community forums, Wyze stated that it was notified by IPVM late yesterday morning and has failed to verify a breach. It also denied any association with Alibaba Cloud.

The company said it decided out of caution to adjust access permissions for its databases and wipe all active login tokens — this also cleared users’ Alexa, Google Assistant, and IFTTT integrations as well. Customers who employed two-factor authentication complained shortly after the token refresh that their login attempts were denied due to various errors. Wyze updated its bulletin late last night to report it had fixed the 2FA login process.

The Seattle-based Wyze sells smart plugs, lights, security cameras, and the like at prices well below its competition. It’s able to do so by turning to vendors for advanced software features — Xnor.ai recently canceled its contract with Wyze to provide its cameras with subject detection — and vesting a number of resources, including manufacturing, in China. While we’d like to see more details come along, Twelve and IPVM’s reporting to this point may cast doubt, at the very least, on how Wyze handles its resources.