Response to the 3/29/22 Security Report

Thank you Wyze for the added public explanation.

I have read basically every article I could find on this issue since Bitdefender’s initial publishings, including the actual white-paper disclosure, and the official CVE filings and I have read countless publications’ interpretations of what was reported.

The short version and getting directly to the point is that I am VERY sad, disappointed and mildly devastated … that Wyze “FIXED” that “feature” to stop working. :sob: I know that sounds weird, but please hear me out for a minute. I personally wish it wasn’t “fixed;” I am not employed by, nor speak for nor represent Wyze in any way, I am speaking for myself personally as a Wyze user who has over 200+ Wyze devices (as well as a bunch of devices from Wyze’s competitors too).

Most of the publications are acting either ignorantly or being intentionally misleading or disingenuous on their reporting of this whole thing. Anyone saying things to scare people about “outside hackers” and “strangers” is basically lying and not a credible publication IMO because they’re basically just making clickbait and falsely fearmongering for ratings because that is not true.

Nobody could access our cameras unless we purposely gave them our WiFi password and let them onto our network (hopefully you don’t routinely do that to strangers or international criminals you don’t know). They’re either ignorantly or purposely leaving out those key details…and they are the most critical details. The fact is, if you don’t know what port forwarding is, and you don’t routinely give your WiFi password to strangers, then none of this even applies to you. You were never at any risk from anyone other than yourself (your household) accessing anything.

The only people this should realistically make sad are people like me who have been BEGGING for this (accessing our SD card files through the secure network) to be done INTENTIONALLY for as long as I’ve had Wyze cams…as have countless other people. In fact, it is one of the top 10 most requested features from Wyze EVER. It ranks as the 8th most voted on wishlist item in Wyze’s history out of THOUSANDS of approved Wishlist items, and Wyze just disabled this feature on all but the V1 cam.

I am sad about this. The only 7 things more highly requested than this feature (accessing the camera SD card through our network) in Wyze’s history are the following:

  1. View on PC/Browser (currently launched as a Beta test! YAY!)
  2. Public API (combining SmartThings & Home Assistant integration wishlists as “API” --this might be possible with the new Matter Initiative, You can also read Wyze’s latest statement about API’s in an AMA)
  3. Outdoor/Weatherproof Cam (Launched in multiple forms. YAY!)
  4. Fast Forward/Rewind capabilities (partially launched…available for cloud events and SD cards have 30 second skip options now)
  5. Video Doorbell (Launched in multiple forms)
  6. HomeKit Integration (Wyze said in an AMA they are hoping the Matter Initiative will make this integration happen)
  7. Dark Mode (Wyze’s latest statement on Dark Mode)

This feature request ranks in as the 8th most requested thing in Wyze’s history of THOUSANDS of request, and we’re just now learning that it was an active secure feature for the last few years, we just didn’t know about it. I am bawling right now, my friends. Let me repeat this clearly:

1) Our stuff was always secure…strangers could NOT access our cameras remotely. That is false clickbait. YOU could access your own videos on your own secure network because you had access to your own network.

2) We could have been accessing our SD card files through the secure network as we’ve been requesting and wanting…but now that’s been disabled. :sob:

I for one am tempted to go look on eBay and marketplace classifieds and collect a bunch of V1 Wyze cams from people who believe the clickbait or misunderstand and are throwing away or giving them away…because to me, this isn’t even an issue.

  1. I don’t give my WiFi credentials to strangers or people I don’t trust, so this whole thing is completely irrelevant to me or anyone I know.
  2. I don’t have cameras in bedrooms or bathrooms or anywhere that requires legal or extreme privacy anyway. I wouldn’t do that for any camera.

As one publication pointed out…if you have a bad actor on your network with the expertise to have figured this out or used it (when it wasn’t even public), then “you’re already knee-deep in a security nightmare. Camera recordings would be the least of your worries.

Basically, anyone with the crazy trifecta of 1) having the access (you gave them your password & allowed them on your WiFI) AND 2) the required expertise (which took a multimillion-dollar team of dedicated hacking experts to figure out) AND 3) WILLING to do anything like that, would totally ignore any cameras. They would go target you financially instead, stealing all your money, your identity, credit, destroying you financially. They would not care about your cameras at all. If you haven’t been completely destroyed financially from hackers, and blackmailed to pay them Bitcoin to unlock stuff, then you can pretty much bet you were never at risk from this either.

I personally wish this whole thing was instead made a sort of toggle feature where some people could toggle it to disable access to the SD card, and the rest of us who have been crying for this feature could toggle it on and just click a disclaimer that says “Yes, I acknowledge that this means anyone I give my WiFi password to could also potentially access my SD card on my secure network just like my other network drives that I intentionally share with anyone on my secure network.” Man, that would’ve been awesome. We were so close to having this #8 wishlist of all time updated to “Launched”…it honestly baffles me how many people are complaining that it existed when it’s exactly what I’ve (we’ve) been asking Wyze to intentionally allow for years now (ie: access only on my secure network = only by my household…and I have no concerns about my Wife, or kids viewing anything if they could even figure out how, which they can’t).

I will admit that Bitdefender’s published timeline from their perspective leaves some questions. I would love to read a detailed timeline from Wyze including the barriers they faced working on this. I suspect part of what took so long is they were trying to keep all the devices consistent, and finding a way to compress their same code to fit the fixes into the V1 but struggled to make it happen with all the limited resource capacity, etc. and finally just had to give up on it (similar to how they had to give up on Edge/Local Personal Detection because they couldn’t squeeze everything else they also needed on there) and finally just decided to do EOL so they could push the updates to rest of them (especially since these have actually basically been EOL for years anyway…Wyze hasn’t sold V1’s for years now). I doubt Wyze will ever release a detailed timeline. Most businesses wouldn’t. I don’t see this as a huge conspiracy or issue anyway since outsiders could not get any access anyway…and if they could, you have MUCH more serious problems to worry about.

Anyway, the above opinions are my own, but since your cams are as secure as your WiFi, to me it is a 100% non-issue…actually less than a non-issue…the fix is the issue to me…it makes me sad that it got “fixed” because I otherwise would’ve finally had access to the SD card through the secure network like we’ve all been begging them to do on purpose forever…

Funny how since a security company figures out how to do this thing (that everyone else has been dying to be able to do and been asking for), publications make fearmongering clickbait and then people start to panic, but for years thousands of us have been begging Wyze to do this on purpose…

For anyone who understands what it means, and that your cams have always been secure if you have private WiFi, there’s a big opportunity right now to get a bunch of great devices from any people who may be panicking and leaving. I for one will be scouting the marketplace classifieds to buy a bunch of great stuff, especially V1’s which are the only camera that now have this feature enabled (the way I see it)…but I suspect there may be some people just selling or giving away all their Wyze stuff like some of the publications tried to scare them to do (I hope I can get some nearly free sensors and other cool stuff too). I don’t have any V1 cams at the moment, but I’m sure going to get some now that I’m hearing I may be able to use them and copy the SD card file contents through my network instead of removing the card. Who knew the V1’s would be the only device to get this cool feature we’ve all been requesting for years, and as long as they’re on a private network, I have no concerns otherwise.

(Again, the above are my personal opinions…Wyze has publicly recommended people upgrade to newer devices that can continue to have the latest updates. I totally respect people being upset about what they’ve read and not knowing what to think. I am simply expressing my point of view that I personally am not upset or worried after reading the actual details and limitations).

14 Likes

No panic on this side of the tracks. I’ll continue to be a Wyze customer.

1 Like

I am not quite sure why everyone is thanking Wyze for this update. This admission is coming 3 years after they knew about this flaw and only after being disclosed publicly by Bitdefender.

16 Likes

Thank You @WyzeGwendolyn for the detailed explanation. It pretty much covered exactly what most rational users would have already discovered by a little research and critical thought. Keep up the progress!

1 Like

Well… that was wholly unsatisfactory.

This, and the previous database breach, are sufficient to get rid of all my Wyze kit. All statements to the contrary, Wyze clearly has no regard for its user’s security.

I work in IT, major security events happen — though one hopes not as frequently or easily as they seem to happen at Wyze — and response time is critical. I’ve seen entire infrastructures go down and be rebuilt while auditing in weeks. And I dare say the Wyze systems aren’t anywhere near as complex.

This is just a bunch of lazy execs laughing all the way to the bank. There’s no accountability at Wyze, and worse still, they somehow managed to get BitDefender on board with this plan of silence. I’m not suggesting they bribed them or something, but it would explain a lot.

Like Sean at the Verge, I’m done. And this excuse that hackers needed local LAN access is hilariously tone deaf and misses the point so completely it makes me wonder if we’re talking about the same issue. For me, my network is locked down hard, but not everyone has the time, money, and know-how to secure themselves and so they were endangered by Wyze’s lack of care for literally years. It’s inexcusable.

All of this from a “security” company who wants to protect your kids while they sleep…

Also, given the pride Wyze takes in its cams’ night mode… why the actual hell is there STILL mo dark mode for iOS? It’s basically just retina searing salt in a wound at this point.

Now the real test, how quickly will they delete this and other critical responses…

Edit: typos, sry, on mobile.

13 Likes

Second post on your thread on January 6, 2022.

We never received a response, despite reposting the question several times.

Chickens, rooosting, no one else to blame, etc., etc.

Opacity is never the right choice.

9 Likes

I guess we will find out in 3 years.

9 Likes

The Wyze response fails to address:

Response time:

  • Mar 06, 2019: Bitdefender contacted Wyze.
  • Nov 10, 2020: Wyze responds to the security report
  • That’s a long time to ignore security researchers with critical issues.

Transparency:

  • Wyze should have stated when v1 was discontinued that a security issue allowing unrestricted SD card access via LAN.
  • Most people have a “if it ain’t broke, don’t trash it” attitude that means they need enough information to make their own risk assessment. You can’t make any meaningful risk assessment on “critical security issue”
  • There is a big difference between knowing about an active security issue and implying there may be a security issue in the future that Wyze doesn’t know about and cannot address.
  • Having a characterization of the issue would allow savvy users to better secure themselves.

Being responsive and honest is important and Wyze’s v1 EOL announcement and disclosure here are disappointing, falling far short of what a responsible company should do with the potentially highly personal data being collected.

I hope Wyze does better in the future and understands the disappointment some of us (who have highly recommended Wyze and look forward to continuing to use its products) have experienced.

14 Likes

Dead on.

7 Likes

THREE YEARS and now you expect people to trust you will keep our information and us safe. Time to search for other cameras

6 Likes

No transparency. From a security company.

6 Likes

I. AM. DONE. WITH. WYZE.

3 years? from a company hocking security or products access via internet? The same day the article comes out I get an email from you… I thought it would be an explanation and apology…nope… hocking more stuff. I had to come here, to read your response. Are there only amateurs working there? Nothing to your loyal supporters? Not even an email? Seriously? Not even an email… To answer the next question; I will gladly sign on with a class action lawsuit. Wyze had potential, I saw it, I bought products…I am done… I won’t even sell them as used…

8 Likes

That is the issue! You should understand not everyone is as tech savvy as you. Not everyone knows how to properly set up their routers, firewalls and were just looking for an inexpensive baby monitor. There was no notice the cams were vulnerable in certain conditions after Wyze was alerted. I am sure that people with indoor cams are having a shiver run up their spine right now.

4 Likes

Your apologetics are unhelpful, unless you have a vested interest in dismissing Wyze’s negligence. It’s no one’s business who someone gives their Wi-Fi passwords to or for what reasons. It’s irrelevant. There are very valid reasons to do so and without being informed of the hacking vulnerability in their Wyze cams, all such customers were very much at risk.

It was encumbant on Wyze to disclose the vulnerability to its customers in a timely manner. Period.

7 Likes

I don’t work for Wyze but for the record it wasn’t 3 years to fix everything and the SD readable on LAN isn’t a huge issue (relatively speaking). If a hacker has gained access to your internal network you are already in big trouble. Wyze has made mistakes here but just want to give you some context. I don’t think a lawsuit has much potential.
Best of luck though, mate!

5 Likes

My default is to assume that anything on my network is vulnerable if It is hacked or I {shudder} were to give someone my password. I am surprised that it takes hacking to reach the cameras once someone has access to my network. If someone gets access to my network I have a lot more serious things to worry about than who is dying of boredom watching my cams.

9 Likes

Why it took so long to fix the vulnerabilities? Is it because the incompetent engineers? Or, because these vulnerabilities have low priority. Or, because you can not put the v1 into EOL in 2019 or 2020 since it was sold until March, 2018. Actually, some of the v1 sold in March 2018 probably still under warranty when Bitdefender brought the issues to Wyze’s attention in March 2019.

Even I can ignore what happened in the past, what is your response time to fix the next vulnerability? Another three years, or put more devices into EOL.

4 Likes

Well written and excellent points!

6 Likes

As noted above, I agree with the timeliness issue.

But you should know that giving out your wi-fi password willy-nilly is far more risky than security issue here. Routers/Modems have many security features that protect people’s home networks and those are useless against someone who has local access.

The issue, as described by BitDefender, wouldn’t even be hacking if you have LAN access. It would have been trivial for you or any individual to access your Wyze camera (IF AND ONLY IF you put a MicroSD card into it, according to BitDefender). No specialized skills necessary, no hacking required. (The hacking part would only be required to gain access to your home network).

Far greater danger comes from someone who has persistent access to your LAN (e.g. someone with your wifi password).

Just want to give some context here.

6 Likes

If it were the “first straw” I might be able to let go. But it isn’t. For my it’s the “last straw” of way too many irritating and obnoxious ones before.
So my new cams are arriving tomorrow. I’ll have them running this weekend hopefully. And Wyze can go and be whatever they want to be, but it will be without me.
You took no responsibility at all in your statement. None. Zero. Zilch.
You have plenty here to explain. And you didn’t. So best of luck to you. You’ve had all the money from be that you ever will.
Goodbye.

5 Likes