It has come to my attention that some really insufficient security meansures are presently being employed by Wyze and their devices, specifgically in regards to the cameras and any and all associated accounts.
Any sufficiently ‘smart’ device should employ ‘smart’ forward-thinking tactics, such as: requiring cams to be ‘released’ from an account once initially set up, but prior to being automatically being transferred automatically (to anyone with physical access tot he device), and then automatically removing all access from the previous (thieved) cam owner?
Mac addressed should be recorded and associated with accounts initially, but after that, requiring the device to first be designated as released, sold, retired, or no longer possessed.
Previous account access to a cam should NOT be revoked and removed simply due to the device being registered to a new account without first being designated as released, indicating a stolen device, or physical access to a particular device with nefarious intent. Presently I could walk up to any Wyze camera installed outdoors, reset, have access to and cause access to be revoked immediately from the legitimate, rightful device owners by using my phone’s hotspot as the local network to setup the new device on, and right there on the spot be complete with my ‘attack’. Huge security flaw imo, which should be addressed immediately for all devices, not just cameras (though they present some obvious security threats which may warrant prioritization on the Wyze fix-list).
Seems like the mac addresses should be saved to the cloud and not editable by account owners (though it wouldn’t hurt to display them for the account owner) and associated with a specific account until otherwise ‘released’ to the new owner, OR disabled in the device itself (possibly requiring Wyze intervention to release and correct the issue). I would immediately flag an account and temporarily disable the camera for having been set up on an initial account and then again on a new account without, first, having been released by the previous owner. There are some really basic and fundamental steps which could and probably SHOULD be employed already on, both, the devices, locally, and at Wyze, remotely, to protect consumers and increase device security. Anything less than the aforementioned is just negligence on Wyze’s part imo.
I would also suggest that a device be allowed to be designated as stolen and (possibly even) disabled locally on the stolen device semi-permanently and irreversibly, requiring Wyze intervention and assistance in resolving. Should be easy enough to prove device ownership via receipts/initial device setup. Heaven forbid someone sells a camera and forgets to designate it as released or sold first and the new owner has to get on the phone with Wyze to enable camera operation and association with
an account. Maybe send a notification to the previous owner alerting them and prompting them to either confirm or deny the legitimacy of the new device possession by others, this could fast-track the process getting the device back operational for the new device owners, get them new account association ability. or fast-track the disabling of a device designated as stolen in response to the attempted new account association.
Just require thing to be registered, explicitly associated, and require intervention by Wyze and/or confirmation in each step of the device transfer and setup process after the initial setup has been done and the device has been previously associated with an account. Send notifications to current account owners and encourage them to dictate device access or account access changes first before actually allowing device registration/account access/ownership/possession transfer/compromised physical access with nefarious intent.