Wyze has updated their post and confirmed details of the data leak.
https://forums.wyzecam.com/t/updated-12-27-19-data-leak-12-26-2019/79046
1 Like
This is a perfect time to vote for 2FA Apps on Wyze. Long over due as SMS is subject to port attack, etc.
I understand that this is only one aspect, but is one of the essential elements a service should support. https://forums.wyzecam.com/t/add-authenticator-app-s-for-2-factor-authentication-2fa/27960
2 Likes
Worth pushing for, but 2FA isnāt going to help if their employees are using a prod data snapshot in an insecure dev DB.
3 Likes
Their breach update mentioned āElasticsearchā which sounds like an AWS term. Iām sure it would be most convenient spinning up a second cloud server to play on but here is maybe a case for having an air-gapped on-premise DB? Too old-school?
1 Like
From their update:
āThis is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.ā
Features beyond 2-factor?
1 Like
Convenience is probably the culprit here. There have been a number of data breaches involving Elasticsearch servers. If I understand correctly, in most cases it was caused by developers creating an unsecured server instance āfor convenienceā then forgetting to add security when moving everything from development to production - and also forgetting that production will be accessible from the Internet.
Developing without any security is usually setting up for this kind of error. Of course I donāt know what actually happened here, but it fits a well established pattern.
Wyze is ex Amazon employees. Theyāre an Amazon shop through and through.
Beyond the customer information breach, I remain baffled about the usefulness of surveillance cameras for residential use. Considering the mounting location needed, their viewing angle rarely captures the bad-guyās face. Even when the door-bell cameras capture a face, rarely does it provide any retribution.
I have 4 of them. 3 in the front area and 1 in the back yard. They are amazing. I wouldnāt go without them now that I have my 4 Arlo Pro cameras.
I own my own apartment - so, I only have to worry about the front and back entrances. I get good video quality, and it also has night vision. I get notice on my phone anytime someone/something sets off the front and back door cameras. And, I have 2 other cameras that cover the front yard in front of my apartment.
If something goes on, I can call the cops myself. Also, as a probation officer, I can look at the people who pass by my place during the day. I can make sure that no probationer I have is around my apartment looking for me, or trying to do something bad. I get threats sometimes, and it is invaluable to make sure I donāt have any unwelcome visitors - even when I am not homeā¦
Any place I have internet or cell service, I can look at my apartment at any time of the dayā¦ I can always make sure nothing shady is going on.
4 Likes
Originally the doorbell was because my wife has reduced mobility, so itās great that she can deal with people at the door without having to get up.
Also, we live in a rural area so she was concerned when alone at home (less of an issue now Iām home more). So thereās a cam at both doors. She got abuse from a cold-caller once and the video was very clear.
I have some fairly expensive equipment and tools in the old workshops that you canāt see from the house. Without rebuilding the workshops not much more I can do to improve the physical security, but a camera (and a sticker in the window advertising the camera) gives me some reassurance.
Finally, have some fish in a pond out the back. Turns out a short blast of the alarm is a great way of deterring predators. They donāt come back after a couple of visits 
3 Likes
This is a case of āyou get what you pay forā. CCTV we use have monthly FW updates, no online details stored, local recording (cloud if you need). Current entry level standard for CCTV is 6mp cameras with face detection, line crossing, object removal, motion alerts and plenty more. Iāll never understand why people go for these cheap options for something like this. I really wish Twit would stop pushing the dyi security systems. Fair enough if just a camera pointed at animals or yard. However if you want solid CCTV detection, hire a professional imo.
1 Like
While i own my own apartment, I still have to deal with the HOA. To run wires outside could be an issue, and I would have to hire a company. The arlo pros with motion detection and instant notification - they work great. And, I could do it myself.
My girlfriend has a Wyze camera, because she only wants to know if maintenance people come in - that is good enough for her. I would not be happy with anything less than the Arlo system, however. I do not like the Wyze setup to change out what I have.
This is what the dashboard looks like on my screen - but when I watch any video, it does go full screen:
1 Like
Welcome Rastaroo 
I guess everybody has a price-point theyāre happy with. TBH though, Iāve never seen a āproā CCTV image and thought it looked high quality. Often the stuff the police publish when they are doing appeals look much worse than most consumer security cams/dashcams IMO.
3 Likes
Arsā take on the leak:
So there were two major (and unforgivable) errors here:
- Creating a copy of the production database without anonymising the personally identifiable / private information.
- Failing to āproperly secureā (probably just failure to secure) that database.
Thatās neglecting the basics of information security.
2 Likes
Amen!! Amateur move and also maybe a lack of management overseeing the operation.
1 Like
I worked with a company that worked with business licenses and tried to warn about that kind of activity, but they didnāt care. I still have a copy of secure data in all of the files that they left on my computer after I left. There is great divide between making something work and thinking about how it can break.
1 Like
Would make a good email signature line for tech and manufacturing.
1 Like
And today Xiaomi was shut down on Googleās Home system:
They changed updated the caching routine and suddenly people on low bandwidth connections could see other peopleās cameras! It only affected around 1,044 Google Home users, who no longer had access and a smaller number of them were on low-bandwidth connections and lost access to their imagesā¦
(Users of Xiaomiās Mi Home app werenāt affected, it was just the interface to Google)
Edit: Added here, because it is a similar topic and only a handful of people were affected, so it extends this conversation, but I donāt feel it warrants its own thread.
4 Likes