Wyze has updated their post and confirmed details of the data leak.
This is a perfect time to vote for 2FA apps on Wyze. Long overdue, as SMS is subject to port attacks, etc.
I understand that this is only one aspect, but is one of the essential elements a service should support. https://forums.wyzecam.com/t/add-authenticator-app-s-for-2-factor-authentication-2fa/27960
Worth pushing for, but 2FA isn’t going to help if their employees are using a prod data snapshot in an insecure dev DB.
Their breach update mentioned “Elasticsearch” which sounds like an AWS term. I’m sure it would be most convenient spinning up a second cloud server to play on but here is maybe a case for having an air-gapped on-premise DB? Too old-school?
From their update:
“This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.”
Features beyond 2-factor?
Convenience is probably the culprit here. There have been a number of data breaches involving Elasticsearch servers. If I understand correctly, in most cases it was caused by developers creating an unsecured server instance “for convenience” then forgetting to add security when moving everything from development to production - and also forgetting that production will be accessible from the Internet.
Developing without any security is usually setting up for this kind of error. Of course I don’t know what actually happened here, but it fits a well-established pattern.
Wyze is ex-Amazon employees. They’re an Amazon shop through and through.
Beyond the customer information breach, I remain baffled about the usefulness of surveillance cameras for residential use. Considering the mounting location needed, their viewing angle rarely captures the bad guy’s face. Even when the doorbell cameras capture a face, rarely does it provide any retribution.
I have 4 of them. 3 in the front area and 1 in the back yard. They are amazing. I wouldn’t go without them now that I have my 4 Arlo Pro cameras.
I own my own apartment - so, I only have to worry about the front and back entrances. I get good video quality, and it also has night vision. I get notice on my phone anytime someone/something sets off the front and back door cameras. And, I have 2 other cameras that cover the front yard in front of my apartment.
If something goes on, I can call the cops myself. Also, as a probation officer, I can look at the people who pass by my place during the day. I can make sure that no probationer I have is around my apartment looking for me, or trying to do something bad. I get threats sometimes, and it is invaluable to make sure I don’t have any unwelcome visitors - even when I am not home…
Any place I have internet or cell service, I can look at my apartment at any time of the day… I can always make sure nothing shady is going on.
Originally the doorbell was because my wife has reduced mobility, so it’s great that she can deal with people at the door without having to get up.
Also, we live in a rural area so she was concerned when alone at home (less of an issue now I’m home more). So there’s a cam at both doors. She got abuse from a cold-caller once and the video was very clear.
I have some fairly expensive equipment and tools in the old workshops that you can’t see from the house. Without rebuilding the workshops not much more I can do to improve the physical security, but a camera (and a sticker in the window advertising the camera) gives me some reassurance.
Finally, we have some fish in a pond out the back. Turns out a short blast of the alarm is a great way of deterring predators. They don’t come back after a couple of visits.
This is a case of ‘you get what you pay for’. The CCTV we use has monthly FW updates, no online details stored, local recording (cloud if you need). The current entry-level standard for CCTV is 6MP cameras with face detection, line crossing, object removal, motion alerts and plenty more. I’ll never understand why people go for these cheap options for something like this. I really wish Twit would stop pushing the DIY security systems. Fair enough if it’s just a camera pointed at animals or a yard. However, if you want solid CCTV detection, hire a professional imo.
While I own my own apartment, I still have to deal with the HOA. Running wires outside could be an issue, and I would have to hire a company. The Arlo Pros with motion detection and instant notification work great. And I could do it myself.
My girlfriend has a Wyze camera, because she only wants to know if maintenance people come in - that is good enough for her. I would not be happy with anything less than the Arlo system, however. I do not like the Wyze setup to change out what I have.
This is what the dashboard looks like on my screen - but when I watch any video, it does go full screen:
I guess everybody has a price-point they’re happy with. TBH though, I’ve never seen a ‘pro’ CCTV image and thought it looked high quality. Often the stuff the police publish when they are doing appeals look much worse than most consumer security cams/dashcams IMO.
Ars’ take on the leak:
So there were two major (and unforgivable) errors here:
- Creating a copy of the production database without anonymising the personally identifiable / private information.
- Failing to “properly secure” (probably just failure to secure) that database.
That’s neglecting the basics of information security.
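The first of the two errors above, copying production data into a dev database without anonymising it, is one a small export gate can catch. The following is an added example, not code from the thread or from Wyze: it pseudonymises identifying fields with a keyed HMAC (stable for joins, not reversible without the key, which stays in production), drops secrets outright, and refuses the dump if any raw value or e-mail-shaped string survives. Field names and sample rows are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed field names for this example; not Wyze's real schema.
PII_FIELDS = ("email", "name", "wifi_ssid")      # replace with keyed pseudonyms
DROP_FIELDS = ("password_hash", "api_token")     # never leaves production at all
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample of what a production snapshot row might look like.
SAMPLE_PROD_ROWS = [
    {"user_id": 1, "email": "alice@example.com", "name": "Alice Example",
     "wifi_ssid": "AliceNet", "api_token": "tok-aaa", "camera_model": "v2"},
    {"user_id": 2, "email": "bob@example.com", "name": "Bob Example",
     "wifi_ssid": "BobNet", "api_token": "tok-bbb", "camera_model": "pan"},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed one-way replacement: same input + key -> same token, so joins
    across tables still work, but the dev copy cannot be reversed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_record(rec: dict, key: bytes) -> dict:
    out = {}
    for field, value in rec.items():
        if field in DROP_FIELDS:
            continue                      # secrets are removed, not hashed
        if field in PII_FIELDS:
            out[field] = pseudonymize(str(value), key)
        else:
            out[field] = value            # non-identifying fields pass through
    return out


def sanitize_snapshot(rows: list, key: bytes) -> list:
    return [sanitize_record(r, key) for r in rows]


def contains_raw_pii(rows: list, originals: list) -> bool:
    """Export gate: True if any original PII value, or anything that still
    looks like an e-mail address, is present in the rows about to be exported."""
    raw = {str(r[f]) for r in originals for f in PII_FIELDS if r.get(f)}
    for r in rows:
        for value in r.values():
            if isinstance(value, str) and (value in raw or EMAIL_RE.search(value)):
                return True
    return False
```

Run the gate on the sanitised rows before anything is written to the dev cluster; if it returns True the export should fail rather than proceed.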
Amen!! Amateur move and also maybe a lack of management overseeing the operation.
I worked with a company that worked with business licenses and tried to warn about that kind of activity, but they didn’t care. I still have a copy of secure data in all of the files that they left on my computer after I left. There is a great divide between making something work and thinking about how it can break.
Would make a good email signature line for tech and manufacturing.
And today Xiaomi was shut down on Google’s Home system:
They updated the caching routine and suddenly people on low-bandwidth connections could see other people’s cameras! It only affected around 1,044 Google Home users, who no longer had access, and a smaller number of them were on low-bandwidth connections and lost access to their images…
(Users of Xiaomi’s Mi Home app weren’t affected, it was just the interface to Google)
Edit: Added here, because it is a similar topic and only a handful of people were affected, so it extends this conversation, but I don’t feel it warrants its own thread.