Wyze Security Incident Exposes Private Cameras
13,000 Users Received Incorrect Thumbnails; 1,504 Tapped on Them, Risking Privacy
A glitch in Wyze home security cameras permitted thousands of users to catch glimpses inside strangers' homes as its cloud system came back online after an outage of several hours.
Smart home device maker Wyze said the incident had unfolded during a service outage on Friday morning that stemmed from a disruption in Wyze cloud provider Amazon Web Services.
The flaw came to light after users started reporting inaccurate thumbnails and event videos in their Events tab. Wyze responded by revoking access to the Events tab and launching an immediate investigation.
The investigation revealed that around 13,000 Wyze users had received thumbnails from cameras that were not their own, and around 1,504 users had tapped on the thumbnails. The event thumbnails of those affected were visible in other Wyze users' accounts, and in some instances event videos could be accessed without authorization.
The company said the incident stems from a recently integrated third-party caching client library within Wyze's system. The library, which was under unprecedented load conditions due to a surge in devices reconnecting simultaneously, experienced a mix-up of device ID and user ID mapping. This misconfiguration resulted in some data being linked to incorrect user accounts.
Wyze said it has introduced additional verification layers before users can access event videos. It also said it has adjusted the system to bypass caching for checks on user-device relationships until it has identified thoroughly tested client libraries.
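
The mitigation described above, shown as an added example that is not Wyze's code: the ownership check for an event reads the authoritative user-device record instead of a cache, and fails closed. All names, IDs and the mis-mapped cache state are constructed assumptions.

```python
from dataclasses import dataclass

class AccessDenied(Exception):
    """Raised when the caller does not own the device behind an event."""

@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str

# Constructed sample data. OWNERSHIP_DB stands in for the authoritative store.
OWNERSHIP_DB = {"cam-A": "user-1", "cam-B": "user-2"}
EVENTS = {"evt-100": Event("evt-100", "cam-A"), "evt-200": Event("evt-200", "cam-B")}
# Constructed cache state after a mix-up: cam-B is wrongly mapped to user-1.
STALE_CACHE = {"cam-A": "user-1", "cam-B": "user-1"}

def get_event_cached(user_id, event_id):
    """Before: the authorization decision trusts the cached mapping."""
    event = EVENTS[event_id]
    if STALE_CACHE.get(event.device_id) != user_id:
        raise AccessDenied(event_id)
    return event

def get_event_verified(user_id, event_id):
    """After: ownership is read from the authoritative store; fail closed."""
    event = EVENTS.get(event_id)
    if event is None or OWNERSHIP_DB.get(event.device_id) != user_id:
        raise AccessDenied(event_id)
    return event

def list_events_verified(user_id, candidate_ids):
    """Second layer: re-check every feed item before it is rendered."""
    visible, rejected = [], []
    for event_id in candidate_ids:
        try:
            visible.append(get_event_verified(user_id, event_id))
        except AccessDenied:
            rejected.append(event_id)  # worth alerting on: feed/owner mismatch
    return visible, rejected
```

With the constructed cache, `get_event_cached("user-1", "evt-200")` hands user-1 an event from user-2's camera, while the verified path rejects it and reports the mismatch.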