Tuesday, 31 December 2019

Security Camera Maker Wyze Admits to 23-Day Data Breach

Internet-connected home security cameras have become a big business, with companies like Google’s Nest and Amazon’s Ring dominating the high-end market. However, there are also numerous smaller players like the budget-minded Wyze. This company attracted attention for its $20 security camera and other super-cheap smart home products. However, Wyze now admits it suffered a serious security breach in December.

Wyze security cameras don’t have batteries, 4K resolution, or advanced AI like some devices on the market, but they’re cheap enough that you can keep an eye on your humble abode for a relative pittance. Whereas a 1080p Wyze camera costs $20, the basic indoor Nest Camera costs $200. However, Nest has Google’s account security, which is among the most robust you’ll find. Wyze recently made a grave error when it left a repository of user data wide open for several weeks. 

The saga started last week when consulting firm Twelve Security reported that it discovered a copy of Wyze’s database accessible online. Wyze later confirmed the scale of the breach in an email to consumers. The data included camera names, Wi-Fi SSIDs, activation times, and access tokens for mobile apps and Alexa. Passwords and stored recordings were not part of the breach. Reports indicate about 2.4 million users were put at risk. 

Wyze says the database was accidentally copied to an insecure location by an employee. The company doesn’t believe anyone’s login data is compromised, but the availability of login tokens could have allowed a determined third party to hijack accounts. As a precaution, Wyze logged everyone out and reset tokens.

Unsecured Wyze databases, via Twelve Security.

Twelve Security says the database was accessible between December 4th and the 26th, but that’s not the only issue. The company also claims Wyze is routing traffic through Alibaba’s servers in China, which will no doubt set off alarm bells for some US consumers. Wyze, however, denies this claim. Twelve Security also says Wyze’s US servers were never as secure as its Chinese servers, suggesting user data might have been accessible in some form all the way back in January 2019. Wyze has yet to respond to that, but it continues to investigate. 

While devices like Wyze cameras can be appealing, it’s important to remember they aren’t bulletproof. This is far from the first time a camera maker has had a data breach, and it won’t be the last. It’s probably a good idea to make sure these devices aren’t pointed at anything you wouldn’t want revealed.


from ExtremeTech https://www.extremetech.com/internet/303955-security-camera-maker-wyze-admits-to-23-day-data-breach
