My read is they are unable to confirm the published reports, but have decided to act as if they’re valid and reset customer access tokens.
They’re taking quick action. Good for them & their customers.
Explains why I lost control of all my Wyze bulbs yesterday. I searched for hours online looking for a cause and could not figure out what was going on. Wyze really needs to send out notifications to people when these things happen. Ah well, thanks for the information. Good find!
What’s with these journalists who publish first and only then raise the issue with the manufacturers?
I see there’s a class action now on the Ring stuff. How long before one of these reporters actually gets in trouble as a result of them publicising security weaknesses that are then exploited in the wild as a result?
Because to journalists clicks are everything, unfortunately. As with most things, the details and nuance are lost in the stories.
Something tells me they don’t care. What’s the old saying? It’s easier to ask forgiveness than it is to get permission. They just want the views and the money or attention that draws, then deal with the repercussions later. Just my opinion though.
Something to be said about this action. Our users might have been hacked, we’re not sure, but let’s assume the worst. And then rather than just notifying users of a potential issue, they did something to protect their users.
It’s great that they took action quickly to protect the users and I’m grateful for that. In the meantime I’m sitting at home thinking that they are having some sort of technical issue or the devices are malfunctioning, because I couldn’t find anything online about this issue. But at least I found out in the end before I started removing, re-adding and setting up all 24 of the devices I have that were not functioning.
I can understand that. I definitely think they should have notified users that they did something, but I still give them kudos for actually doing something, versus pointing the finger elsewhere.
Wyze is following through by mitigating the vulnerability so it doesn’t re-occur. This is what security researchers establish. It also seems to be part of their corporate culture and unfortunately means the customer comes second.
Right now it appears Twelve Security will be engaged first and then the fixes will be applied.
Journalists over here, in most of Europe, are bound by ethics and the law: they have to report accurately and they cannot put people in danger through their reporting. A journalist would have had to speak with the affected party, Wyze, before publishing.
Aren’t there similar rules in the USA? Or is this a blogger and not a journalist?
@JamesC_HTAssets, @AaronK I suspect, or hope, they did two things in parallel. They capped access to compromised devices immediately, whilst the publicity department started work on informing users. Throwing the kill switch to stop the devices being compromised probably takes a few seconds to a few minutes. Writing a press release and information for customers, getting it corrected, signed off by management and passed by the lawyers takes much longer.
I don’t use their devices, so I didn’t look at their site or their Twitter feed during this time, so I don’t know how long it took before they went public, but that blog post, for example, must have taken a couple of hours to write and get approved.
I’m not trying to protect Wyze here, I have no interest in them or their products, I was just trying to provide a view of how things probably work in such a company, if they are acting responsibly.
The big problem is that they were first informed after the piece had been published, it appears. A responsible security researcher or journalist would have informed Wyze in advance and allowed them time to tackle the problem and then coordinate the release of the information. That would have meant that Wyze could have looked into the problem and coordinated the capping of access with the publishing of information on what was going on.
The blog didn’t act responsibly and forced Wyze to react as quickly as it could, by the look of it.
In my career, which wasn’t consumer-facing but had huge repercussions if any of the systems were compromised, we absolutely would not publicise any security issue and would tightly control comms. I think some of this consumer tech (and banking/finance stuff) is getting to the point that it needs similar policy and oversight.
Note that GDPR here mandates that organisations must notify of any breaches (to the ICO in the UK). They can be fined 4% of turnover. Facebook dodged a bullet with Cambridge Analytica; that was pre-GDPR.
You forgot the “within 72 hours of detection / being informed by an external source” part.
Yep. I assume Wyze now have to do this as they sell their products in the EU. UK Government had an interesting issue last night too.
So I am not a corporate apologist, but this will sound like an apologist comment anyway, but I believe it to be true and this is how I run my personal information security. I believe you have to operate under the premise that anything and everything you use will eventually be hacked, because it will!! I do a lot of work in cyber security and the saying we have is “there are companies that have been hacked and know it, and companies that have been hacked but don’t yet know it”.
Literally every company and service has had or will have their time in the hacker spotlight. You must treat every service you use as a silo, even though they may be integrated, so when the hack happens (when, not if) it does not bleed over into other areas of your cyber life. I know I am preaching to the choir here, but while we have to push companies to do the right thing and build in the right tools, at no point can we rely on them for our information security.
Yes, but this is one perspective, and those one-off hacking attempts are not as dangerous.
How about the hackers targeting law enforcement? That caused several issues, both personal and on a political basis. The actions of which caused leaks of personal information, and then, because the hackers found good vulnerabilities by doing this, they were able to launch them at their own citizens.
In case you have not heard, Wyze sent this out to users this morning.
There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back.
We are reaching out to you because we’ve made a mistake in violation of that trust. On December 26th, we discovered information in some of our non-production databases was mistakenly made public between December 4th and December 26th. During this time, the databases were accessed by an unauthorized party.
The information did not contain passwords, personal financial data, or video content.
The information did contain Wyze nicknames, user emails, profile photos, WiFi router names, a limited number of Alexa integration tokens, and other information detailed in the link below.
If you were a user with us before we secured this information on December 26th, we regretfully write this email as a notification that some of your information was included in these databases. If you are receiving this email and joined us after December 26th, we write this email because you use our products and deserve to know how your data is being handled.
Upon finding out about the public user data, we took immediate action to secure it by closing any databases in question, forcing all users to log in again to create new access tokens, and requiring users to reconnect Alexa, Google Assistant, and IFTTT integrations. You can read in more detail about the data leak and the actions we took at this link:
As an additional security measure, we recommend that you reset your Wyze account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. You may also add an additional level of security to your account by implementing two-factor authentication inside of the Wyze app. Finally, please be watchful for any phishing attempts. Especially watch any communications coming from Wyze and ensure they come from official @wyze.com and @wyzecam.com email addresses.
We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Wyze employees, and making more of our user-requested security features our top priority in the coming months. We are also partnering with a third-party cyber security firm to audit and improve our security protocols.
As we continue our investigation into what happened, we will post future updates to the forum link above. More details will follow and we appreciate your patience during this process. Please reach out with any questions or concerns to our customer support team by going to support.wyze.com.
CEO @ Wyze