Millions of Home Cameras Were Exposed to Hacking from iOS and Android Devices

Megiddo
For three weeks, a database of customer information belonging to Wyze, an Internet of Things device manufacturer, remained publicly accessible. Once again, the cause was an incorrectly configured Elasticsearch database.

Three weeks of exposure

Wyze Labs, a well-known provider of Internet of Things solutions, acknowledged that data on a significant number of its customers was publicly accessible for three weeks. An Elasticsearch database on one of the company's servers was incorrectly configured, which could have led to the compromise of the data of 2.4 million customers.

Wyze manufactures smart home devices and wireless cameras, so most of the potential victims are private users.

According to Twelve Security, the database became publicly accessible on December 4, 2019, and remained so until December 26. The unprotected data included the names and mailing addresses of buyers of Wyze wireless cameras, as well as of the family members who were given access to the camera control panel; a list of all cameras installed in each particular house, with their designation, model and firmware version; the SSIDs of Wi-Fi networks; details on camera activation and logins to the control applications; and API tokens for 24 thousand users who had connected their Alexa devices to Wyze cameras. In addition, the database contained private medical information about some of the users. Twelve Security claims that the database has such details,

Twelve Security's experts also point out that they managed to find API tokens that would allow an attacker to access Wyze user accounts from any iOS or Android device.

The leak was independently confirmed by the authors of the IPVM blog, which specializes in surveillance tools.

You did not give us a chance!

Wyze co-founder Dongsheng Song, for his part, acknowledged the leak, but noted that Twelve Security and IPVM disclosed it without giving Wyze time to fix the problem. On the evening of December 26, 2019, Wyze received the information from one of the authors of IPVM.com, and 15 minutes later the incident had already been posted on Twitter.

Moreover, according to Song, not everything in the IPVM publication is true: for example, Wyze's data is not sent to the Alibaba cloud in China, and the medical information was collected only from 140 participants in the beta testing of a new product that Wyze was developing. The company also denies collecting information about users' bones and protein consumption.

According to Wyze itself, the database was created for internal use and became publicly accessible because of a mistake made by a single employee.

Wyze has revoked the authorization tokens of all users of its products, so they will have to log in to their device control panels again. The integration of Wyze cameras with Alexa, Google Assistant and IFTTT has also been reset and will need to be reconnected. In addition, the company is changing the security settings of its cameras, so they will have to be restarted in the coming days.

Quote:
"Over the past couple of years, there have been many incidents in which publicly accessible Elasticsearch databases were discovered on the Web, compromising from hundreds of thousands to billions of records of varying degrees of confidentiality," said Oleg Galushkin, CEO of SEC Consult Services. "All of these incidents are caused by the same problem: errors in security settings made by employees of the organizations that suffered the leak. Technical means, that is, automated search engines, are used to search for vulnerable databases, so a repetition of such incidents is guaranteed."