Real Time Streaming Protocol (RTSP)

While I can’t speak for Wyze or tinyCam, I don’t believe it is a significant security risk unless:

  • A. tinyCam harvests your login ID and password (which is not necessary to perform the function it is performing),

  • B. or if it reads or writes changes to the settings on your Account without permission (e.g., such as turning your cameras on or off, or changing motion detection / alert settings).


Very roughly:

  1. When the Wyze Cam App uses your credentials to log in to the Wyze Cloud, it probably has access to request and change your configuration. All we know for certain is that it can discover your (and only your) cameras and feed pointers.

  2. tinyCam takes the address of the feed and parses it based on their knowledge of the standard (but unusual) streaming protocol being used: P2P TUTK SDK (https://github.com/cnping/TUTK)


My personal Conclusions:

  1. The method that tinyCam uses is unnecessary, since obviously Wyze Cam has an official stream access API that they have shared with partner vendor Amazon for use in the Echo Show.

  2. The method that tinyCam uses is not risk-free. As mentioned above, since it uses your userID / email and password, it likely has both read and write access to your configuration settings, not just your streams. It is possible that these settings are protected by some sort of secondary authentication or encryption, but I don’t know enough about the concept nor this specific situation to believe this is the case. My personal assumption is that these settings do not have an extra layer of protections.

  3. While we can probably trust tinyCam, and I also presume that your Wyze login credentials that you use in the tinyCam App are stored only on your phone and not sent to tinyCam’s cloud or through any other possibly vulnerable path, the method that tinyCam uses is certainly replicable by other vendors and, unfortunately, malicious actors.

My personal Recommendation:

Let’s not throw baby out with bathwater here, since tinyCam is a very useful tool for many people. Given tinyCam’s stature and the fact that they provide this type of viewing and transcoding feature for many, many camera brands (including Nest Cam, etc.), I think they are very likely trustworthy.

But this is an excellent case study that Wyze Cam customers should understand (so they can self-assess the risks), and that Wyze Labs engineers / product managers should understand (so they can determine the exact level of risk, the value of published paths for 3rd party streaming, and therefore the value of an officially sanctioned API and certified vendor program, and enforcement of the program …)

Does my gist make sense @WyzeGwendolyn?

6 Likes

Exactly!

Beggars can’t be choosers.

tinyCam took initiative and significant effort to provide something that no other vendor has done: i.e., integrate with Wyze Cam.

That deserves praise, not insults.

  • If you have other favorite NVR / matrix / transcoding software (e.g., Blue Iris), then let’s see if you can convince them to integrate with Wyze, either officially or unofficially. They could even buy or license the techniques discovered by tinyCam and everyone wins.

  • If you think Wyze should offer RTSP (or other standard streaming APIs / protocols) so that you don’t have to rely on the hacks of a single unsatisfactory App, then, obviously, you have to continue to pressure Wyze for this.

2 Likes

Thanks, @tgauch! This was clearly written and definitely makes sense. I can’t say one way or another on whether those risks are present or what their methods are but this about covers it. :slight_smile:

2 Likes

well, tinycam also has access to wyze feeds and they are not partnered with wyze in any way.

How do you know they’re not partnered in any way? :slight_smile:

I do agree that they’re probably not partnered though. From other messages that the tinycam author posted on reddit, it sounds like he reverse-engineered what goes on in the app.

On the home assistant thread, Wyze confirmed that the camera doesn’t actually serve RTSP for the Alexa integration. The camera ships the video to the cloud using RTMP, and they serve it as an RTSP stream from the cloud.

I asked if it would be acceptably cheap for them to have the camera serve video via RTMP instead of RTSP (as I believe that Blue Iris, Vlc, Kodi, and anything based on ffmpeg should be able to fetch an RTMP stream) but it sounds like that’s not going to be easy for them either.

1 Like

Wyze does not have an official stream access API. They implemented Amazon’s API that allows a camera to integrate with Alexa, and Amazon has set that up to ensure that no one else can use it. Roughly speaking, Wyze calls in to a specific server at Amazon, and that connection allows Amazon to ask for a pointer to the video stream when Alexa needs it. That stream is generated by sending video to the Wyze cloud, which puts the stream into the format that Amazon wants.

Doing it this way (as opposed to what tinycam is doing) costs Wyze money because it involves processing the video in the cloud. They probably aren’t going to want anyone else using it. I believe this is also why they limit the time for which you can view on Alexa. (I don’t have a device to test, but Wyze docs say it’s limited to 10 minutes of viewing time.)

1 Like

They know that we’re not partnered because I confirmed that not long ago. Appreciate the skepticism, though! :slight_smile:

3 Likes

Sorry Gwendolyn … no skepticism intended, actually.

I was responding to andrewasciutto, who had responded to an earlier message of mine. I got the email notification from his response, but didn’t see your message, which was posted between my original message and the time that Andrew responded.

Is there a way to ask the forum to send me email notifications for ALL messages that appear on this thread, rather than just the ones that are replies to something I said?

1 Like

Look for the button that says “Normal” at the bottom of the topic. Change it to Watching:

2 Likes

Awesome … Thanks. I actually had it set to “tracking” previously.

1 Like

You can set the default in your preferences

5 Likes

Thanks. I didn’t know about that either :slight_smile: and I’ve set it now.

1 Like

tinyCam dev here. There is no agreement with Wyze. All is done by reverse engineering the Wyze protocol. Moreover, we shared sources on GitHub and it is possible for everyone (e.g. Blue Iris) to implement native Wyze Cams support in their NVR.

7 Likes

Hi Alexey … I actually looked at that github release when it was first announced quite some time back. Thanks for your generosity in sharing info. If I remember correctly, the github release included some binaries (without source) for Throughtek libraries that are presumably needed to duplicate what you did.

Do you know if it’s actually okay for Blue Iris to use those libraries to implement support the way you did?

Sources are here

Binaries are here

This is enough for implementing Wyze Cam support.

4 Likes

TinyCam mystery solved! Thanks @alexey.vasilyev , even tho we may have bashed your app a bit earlier in this thread. Sometimes it takes a bit of force to squeeze things out. Thanks for having thick skin.

Now we can all go on our merry way and support what we like, what works and encourage improvements.

3 Likes

tiny cam pro user here… please please please make your app available on windows. I would love a more powerful alternative to android.

1 Like

I really am struggling to understand why this will only support LAN streaming.

I need to be able to send this to a WAN. Whether that’s a cloud-hosted NVR (on AWS, etc.) or as a camera on a different LAN than my WyzeCam.

I think that they mean that you’ll have to be able to connect to the IP address of the camera in order to open the RTSP stream, just like you need to be able to do with any other IP camera. If you are making your other IP cameras accessible by port forwarding (hopefully not!) or by using a vpn, that’s highly likely to still work.

No Windows version planned. There are quite powerful Android devices, like NVIDIA Shield TV which can handle a lot of cameras. Check this live demo running tinyCam PRO on NVIDIA Shield TV (you need to accept self-signed SSL certificate).

https://demo.tinycammonitor.com:8083/
Username: demo
Password: demo

3 Likes