A specialist in smart health connected security products, Wyze recently experienced … a security breach. In recent weeks, data from 2.4 million community members has leaked. The start-up confirmed the rumors that circulated on Thursday, December 26, 2019 in a blog post, in which it said it took 22 days to detect and correct the anomaly. Usernames, e-mail addresses, WiFi SSID names … Nearly 40 million records are reported to have been stolen during that time.
A HUMAN ERROR AT THE ORIGIN OF THE INCIDENT
Founded in 2017 by four former Amazon engineers, the company offers user data sorting technology called ElasticSearch. It was through this server that hackers were able to gain access to the database. "It's to help us manage Wyze's extremely rapid growth that we launched this new internal project, with the aim of finding better ways to measure our core indicators", its leadership explained.
Concretely, ElasticSearch copied customer data from the main production servers to integrate it into "a more flexible and easy to query database". A procedure that was "protected from its creation", the company said, while conceding that "a human error has been committed".
According to the company, on December 4, one of its employees accidentally deleted the said security protocols while manipulating the database. "We are still studying this event to understand why and how it could have happened", it continued. It was, in fact, not Wyze but rather the cybersecurity consulting firm Twelve Security that discovered the leak.
THE INVESTIGATION SHOULD BE TAKEN FURTHER
According to Wyze management, no API token was exposed during the attack … contrary to Twelve Security, which says it found one during its research. This point matters: if it were confirmed, it could mean that hackers had access to user accounts linked to devices running Android or iOS.
The company also denied that the stolen data passed through Alibaba Cloud servers located in China and that health data was affected. Faced with these contradictions, Wyze decided to force the disconnection of all user accounts. The company has committed to "review its security policy" to encourage strong authentication. The bare minimum needed to be convincing.
As the number of smart health connected objects in circulation explodes, concerns about their security are growing. The FBI recently issued advice to users on protecting themselves from attacks, while researchers are developing tools to combat this scourge effectively.