Original Source: https://blog.12security.com/wyze/
- User name and email of those who purchased cameras and then connected them to their home
- 24% of the 2.4 million users are in the EST timezone (the rest are scattered across the remaining zones of the US, Great Britain, UAE, Egypt, and parts of Malaysia)
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Follow-up article: https://blog.12security.com/wyze-essay-2-aresflare/
[...] the source code has multiple databases whose addresses were hardcoded into it. This is significant because these servers were left open on the public internet (no firewall that restricts, say, access to just a few IP addresses that passwords were allowed to come from). So the address was all you needed to get started bruteforcing a correct password combination into the database. This was neither needed nor done because the credentials for accessing these databases were hardcoded AS WELL into the source code. Yet even this was unnecessary to access the database because if one simply logged in without any password... the database immediately granted access.
I will stop at this point to note that only the databases hosted in mainland China did appear to have protection, and the US databases did not appear to have passwords (although they might very well have on other interfaces we did not see). It’s strange that they seem to be protecting data in China more than data in the United States and this should be noted.
Also, it is interesting where the second Git server was hosted (https://git.wyzecam.com). Not only was it in mainland China, but in an IP space that is usually not seen for hosting “civilian” applications. It was out of Shanghai, where the most notorious of the Chinese Advanced Persistent Threat groups operate. Shanghai is a large city, but what matters more is that the telecom hosting the service indicates a location of Shanghai rather than the actual coordinates. As you can observe from the screenshot above, the server resides in an IP space owned by Beijing Kingsoft Cloud Internet Technology, or Kingsoft in ASN 59019.
Submitted December 30, 2019 at 09:41PM by cola-up https://ift.tt/2tXxE1Y
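The excerpt above describes three layered failures: database addresses hard-coded into source, credentials hard-coded beside them, and servers that granted access with no password at all. As an added example (not code from the original post or from 12security), the following is a small secret-scanning pass of the kind a repository pre-commit hook or CI job runs to catch the first two before they are committed; every finding is reported with the password redacted so the scanner never re-leaks what it finds. The sample source text, hostnames and values are constructed for illustration.

```python
"""Scan source text for hard-coded database endpoints and embedded credentials.

Added example, not code from the original post or from 12security. The
SAMPLE_SOURCE below is constructed; no real hosts or credentials appear.
"""
import re
from urllib.parse import urlsplit

# Connection-string schemes commonly used for backend databases.
DB_SCHEMES = ("mysql", "postgres", "postgresql", "mongodb", "mongodb+srv",
              "redis", "mssql")

# URI-style connection strings, e.g. mysql://user:pass@host:3306/db
URI_RE = re.compile(
    r"\b(?P<uri>(?:%s)://[^\s'\"]+)" % "|".join(re.escape(s) for s in DB_SCHEMES)
)

# Assignment-style secrets, e.g. DB_PASSWORD = "..." or mongo_pass: '...'
ASSIGN_RE = re.compile(
    r"(?i)\b(?P<key>(?:db|database|mysql|mongo|redis|pg)_?(?:pass|password|pwd|secret))\b"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]+)['\"]"
)


def redact(secret):
    """Report only the length of a secret so findings never contain it."""
    return "<redacted:%d chars>" % len(secret)


def uri_has_credentials(uri):
    """True when the userinfo part of a connection URI carries a password."""
    parts = urlsplit(uri)
    return parts.password is not None and parts.password != ""


def scan_source(text):
    """Return one finding per hard-coded endpoint or credential, by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URI_RE.finditer(line):
            uri = m.group("uri")
            parts = urlsplit(uri)
            # A hard-coded address is a finding even without a password:
            # it is the "all you needed to get started" piece of the excerpt.
            findings.append({
                "line": lineno,
                "kind": "connection_uri",
                "host": parts.hostname,
                "port": parts.port,
                "has_credentials": uri_has_credentials(uri),
                "password": redact(parts.password) if parts.password else None,
            })
        for m in ASSIGN_RE.finditer(line):
            findings.append({
                "line": lineno,
                "kind": "assignment",
                "key": m.group("key"),
                "has_credentials": True,
                "password": redact(m.group("value")),
            })
    return findings


# Constructed sample input: a config module of the kind the excerpt describes.
SAMPLE_SOURCE = '''# constructed sample, not real configuration
DATABASE_URL = "mysql://appuser:hunter2@db-prod.example.internal:3306/users"
CACHE = "redis://cache.example.internal:6379/0"
MONGO_PASS = 'Sup3rSecret!'
LOG_LEVEL = "info"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f)
```

In a real pipeline the scan runs over every tracked file and fails the commit on any finding with `has_credentials` set; a bare hard-coded address is usually a warning rather than a hard failure, since it still tells a reader exactly which host to check for the third failure in the excerpt, a database that accepts logins with no password.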