Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

Security Camera Startup Wyze Leaked Data on Millions of Customers (cnet.com) 36

An anonymous reader quotes CNET: Security camera startup Wyze has confirmed it suffered a data leak earlier this month that left the personal information for millions of its customers exposed on the internet. No passwords or financial information was exposed, but email addresses, Wi-Fi network IDs and body metrics for 2.4 million customers were left unprotected from Dec. 4 through Dec. 26, the company said Friday.

The data was accidentally left exposed when it was transferred to a new database to make the data easier to query, but a company employee failed to maintain previous security protocols during the process, Wyze co-founder Dongsheng Song wrote in a forum post. "We are still looking into this event to figure out why and how this happened," he wrote...

Among the data exposed in the Wyze leak was the height, weight, gender and other health information for about 140 beta users participating in testing of new hardware, Wyze said.

This discussion has been archived. No new comments can be posted.

Security Camera Startup Wyze Leaked Data on Millions of Customers

Comments Filter:
  • What is the BEST security camera?

    My investigations have shown that Wyze is the best. But maybe Slashdot readers will have a better understanding.
    • Re: (Score:2, Offtopic)

      by cristiroma ( 606375 )
      Try this [wikipedia.org]
    • What is the BEST security camera?

      A very hungry and angry 70 pound Rottweiler. He'll see an intruder coming from a mile away.

    • These come with a very good AI
      https://media.wired.com/photos... [wired.com]

    • by rmdingler ( 1955220 ) on Sunday December 29, 2019 @04:45PM (#59568358) Journal

      A system you set up yourself, that's hardwired to a monitor, and is air gapped from any storage or access outside your own purview.

      There are many inexpensive quality cameras out there. Choose a unit rated for outdoor use that has weather resistance and good quality night vision.

      Sometimes a camera that doesn't look like a camera is helpful, depending on your individual security needs.

      • Myself I prefer a camera that looks like a camera. More for deterrent then review after the fact. YMMV.
    • The Best?

      The best system is hard-wired to a recording system air-gapped to the internet with a warrant examined by your attorney prior to the release of any information. High-rez cameras shielded from electronic emmissions, recording system in a TEMPEST certified room with double redundency power supplies with the main power supply on a surge protected SOLA transformer. Having the whole system enclosed in a biometrically monitored Faraday cage is a good start. Multiple, strategically placed cameras ( some obvious, s

    • by cusco ( 717999 )

      I've worked in physical security (key cards, cameras, alarms, etc.) 14 years, the best IP cameras come from Axis and Pelco, the best analog cameras from Pelco. Hands-down. Their hardware is top-notch, their support is outstanding, their return policies are great, their management tools are the best of their type, and their integration into other products such as access control systems, traffic monitoring systems, factory floor automation, and the like, is second to none.

      Yes, they're more expensive, but if

  • by 93 Escort Wagon ( 326346 ) on Sunday December 29, 2019 @03:46PM (#59568172)

    From TFBP:

    "We copied some data from our main production servers and put it into a more flexible database that is easier to query."

    and

    "We created this subset of user information in order to perform queries (e.g., number of connected devices, connectivity errors, etc.). Queries such as these are expensive in terms of computer resources and they would have impacted your product experience significantly. For that reason, we created a separate database specifically for processing those heavier requests."

    How much you wanna bet this was another MongoDB screw-up?

    • by cristiroma ( 606375 ) on Sunday December 29, 2019 @04:11PM (#59568238)
      Nope, it was Elasticsearch [wyzecam.com]
    • The root of the problem is that the company was too cheap to buy the servers and the bandwidth necessary to do things securely and fast.

      It's not a MongoDB screw-up, it's a classic "security is too expensive" issue.

    • by hey! ( 33014 )

      This is a strategy that goes back decades. I remember in the 70s and 80s there was a lot of hype about how relational databases would allow organizations to create unified databases they ran *everything* from. While they did enable developers to tackle more complex problems, nobody ever succeeded, and by the 90s people figured out that the reason was that the idea wasn't very good one to start with.

      So since the 90s it's been the norm to manage pots of data that support operations from pots of data that su

  • Why? (Score:4, Interesting)

    by RitchCraft ( 6454710 ) on Sunday December 29, 2019 @03:58PM (#59568206)
    "Among the data exposed in the Wyze leak was the height, weight, gender and other health information for about 140 beta users participating in testing of new hardware, Wyze said." Why was this information needed from beta testers? The only secure security camera system you can own is a CCTV system within a closed loop. Anything connected to the Internet, or that relies on a company's cloud infrastructure will eventually get hacked. Not if, but when.
    • It was part of the "human vs not-human" motion detection software built into the camera. It's supposed to cut down on false alerts by being able to differentiate a human from a dog or blowing leaves or whatever.

    • by _merlin ( 160982 )

      Yeah, my immediate question was why anyone would give health data to a security camera company. That's just extra exposure you don't need.

    • They're beta testing a "smart" scale.

  • by Rosco P. Coltrane ( 209368 ) on Sunday December 29, 2019 @04:17PM (#59568266)

    Manufacturers of shite products suffer nothing at all. Their customers do. The manufacturers ultimately don't give a shit as long as it doesn't become public and hurt their bottom line. Somehow that simple fact always gets glossed over.

    Then again, it's the onus of the customers to quit buying cloudy IoT devices and/or provide personal information if they want to avoid being victims. Who the hell with more than 2 working neurons provides their height, weight and health information to beta-test a fucking security camera? Seriously...

    • The businesses do suffer just not enough to change how they operate. Customers are weak and will continue to do business with companies that fuck them over... so why should the companies change what they are doing?

      If people will not boycott trash then the economy becomes filled up with trash.

  • Why the fuck do they need to store WiFi access point data at all, there is no legitimate reason for that to leave the device connecting to it.
    • Amazon does this as well. Makes the process of getting future models online a tick easier. With Amazon storing that data is optional. Not sure about Wyze.
  • a company employee failed to maintain previous security protocols during the process

    ... "which neither the employee, nor his immediate manager even knew existed", — is what he forgot to add...

    Processes are boring — and often suffocatingly restrictive. Because computer-security professionals are rarely programmers themselves (some are, actually, former policemen!)..

  • They're OK. The software has some (cloud-based?) person recognition in it, so it's supposed to know if it's a person or a cat. I just wish they had a few extra things in it -- like set off loud phone alarms if a person is detected, but NOT if a logged in phone is still at home.

    That being said, I don't see anything about SSIDs with passwords. S'ok though: if someone were to "break into" my cameras I'd blind their eyes with my shiny untanned naked skin, and then scar their minds with the rest of the image
  • "The data was accidentally left exposed when it was transferred to a new database to make the data easier to query, but a company employee failed to maintain previous security protocols during the process,"

    This was no accident. I have seen it too many fucking damn times to know better. There could be a number of reasons for why this was "intentionally" left insecure.

    Management is to blame... 100%. They just did not give a fuck because their jobs are never on the line for letting this bullshit happen. L

    • by cusco ( 717999 )

      Far too often this is the only config possible when management is too lazy or incompetent to jump through the hoops necessary to get to secure data. There are a lot of S3 buckets out there exposed to the whole world because some manager wanted to create a Power Point presentation using that data and were too stupid to be able to access it securely.

  • Year after year, breach after breach all I can do is shake my head in disbelief at people who refuse to learn. At this point, anyone stupid enough to buy into "online security" anything or be naive enough to trust any IoT deserves exactly what they get.
  • I'm beginning to think that a distinct password for each of these services is not enough anymore. Time for distinct/random email alias addresses too. Wasn't Apple supposed to start doing this in iOS?

  • This is why my Wyze cameras are on their own SSID, over a dedicated VLAN, running the RTSP-only firmware, and generally cut off from Wyze. And the Chinese P2P library that connects the cameras and the app.

    A bit more of a bother to set up, but reasonably secure. I can do the motion detection/feature recognition on my own systems, without dumping the streams all over the "cloud". But for $20, they're not bad for fill-in cameras, or experimenting.

  • So when are we all joining the class action lawsuit?

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...