Thank you Wyze for the added public explanation.
I have read basically every article I could find on this issue since Bitdefender’s initial publishings, including the actual white-paper disclosure and the official CVE filings, and I have read countless publications’ interpretations of what was reported.
The short version and getting directly to the point is that I am VERY sad, disappointed and mildly devastated … that Wyze “FIXED” that “feature” to stop working. I know that sounds weird, but please hear me out for a minute. I personally wish it wasn’t “fixed;” I am not employed by, nor speak for nor represent Wyze in any way, I am speaking for myself personally as a Wyze user who has over 200+ Wyze devices (as well as a bunch of devices from Wyze’s competitors too).
Most of the publications are acting either ignorantly or being intentionally misleading or disingenuous on their reporting of this whole thing. Anyone saying things to scare people about “outside hackers” and “strangers” is basically lying and not a credible publication IMO because they’re basically just making clickbait and falsely fearmongering for ratings because that is not true.
Nobody could access our cameras unless we purposely gave them our WiFi password and let them onto our network (hopefully you don’t routinely do that to strangers or international criminals you don’t know). They’re either ignorantly or purposely leaving out those key details…and they are the most critical details. The fact is, if you don’t know what port forwarding is, and you don’t routinely give your WiFi password to strangers, then none of this even applies to you. You were never at any risk from anyone other than yourself (your household) accessing anything.
The only people this should realistically make sad are people like me who have been BEGGING for this (accessing our SD card files through the secure network) to be done INTENTIONALLY for as long as I’ve had Wyze cams…as have countless other people. In fact, it is one of the top 10 most requested features from Wyze EVER. It ranks as the 8th most voted on wishlist item in Wyze’s history out of THOUSANDS of approved Wishlist items, and Wyze just disabled this feature on all but the V1 cam.
I am sad about this. The only 7 things more highly requested than this feature (accessing the camera SD card through our network) in Wyze’s history are the following:
- View on PC/Browser (currently launched as a Beta test! YAY!)
- Public API (combining SmartThings & Home Assistant integration wishlists as “API” -- this might be possible with the new Matter Initiative. You can also read Wyze’s latest statement about APIs in an AMA)
- Outdoor/Weatherproof Cam (Launched in multiple forms. YAY!)
- Fast Forward/Rewind capabilities (partially launched…available for cloud events and SD cards have 30 second skip options now)
- Video Doorbell (Launched in multiple forms)
- HomeKit Integration (Wyze said in an AMA they are hoping the Matter Initiative will make this integration happen)
- Dark Mode (Wyze’s latest statement on Dark Mode)
This feature request ranks in as the 8th most requested thing in Wyze’s history of THOUSANDS of requests, and we’re just now learning that it was an active secure feature for the last few years, we just didn’t know about it. I am bawling right now, my friends. Let me repeat this clearly:
1) Our stuff was always secure…strangers could NOT access our cameras remotely. That is false clickbait. YOU could access your own videos on your own secure network because you had access to your own network.
2) We could have been accessing our SD card files through the secure network as we’ve been requesting and wanting…but now that’s been disabled.
I for one am tempted to go look on eBay and marketplace classifieds and collect a bunch of V1 Wyze cams from people who believe the clickbait or misunderstand and are throwing away or giving them away…because to me, this isn’t even an issue.
- I don’t give my WiFi credentials to strangers or people I don’t trust, so this whole thing is completely irrelevant to me or anyone I know.
- I don’t have cameras in bedrooms or bathrooms or anywhere that requires legal or extreme privacy anyway. I wouldn’t do that for any camera.
As one publication pointed out…if you have a bad actor on your network with the expertise to have figured this out or used it (when it wasn’t even public), then “you’re already knee-deep in a security nightmare. Camera recordings would be the least of your worries.”
Basically, anyone with the crazy trifecta of 1) having the access (you gave them your password & allowed them on your WiFi) AND 2) the required expertise (which took a multimillion-dollar team of dedicated hacking experts to figure out) AND 3) WILLING to do anything like that, would totally ignore any cameras. They would go target you financially instead, stealing all your money, your identity, credit, destroying you financially. They would not care about your cameras at all. If you haven’t been completely destroyed financially from hackers, and blackmailed to pay them Bitcoin to unlock stuff, then you can pretty much bet you were never at risk from this either.
I personally wish this whole thing was instead made a sort of toggle feature where some people could toggle it to disable access to the SD card, and the rest of us who have been crying for this feature could toggle it on and just click a disclaimer that says “Yes, I acknowledge that this means anyone I give my WiFi password to could also potentially access my SD card on my secure network just like my other network drives that I intentionally share with anyone on my secure network.” Man, that would’ve been awesome. We were so close to having this #8 wishlist of all time updated to “Launched”…it honestly baffles me how many people are complaining that it existed when it’s exactly what I’ve (we’ve) been asking Wyze to intentionally allow for years now (i.e.: access only on my secure network = only by my household…and I have no concerns about my wife or kids viewing anything if they could even figure out how, which they can’t).
I will admit that Bitdefender’s published timeline from their perspective leaves some questions. I would love to read a detailed timeline from Wyze including the barriers they faced working on this. I suspect part of what took so long is they were trying to keep all the devices consistent, and finding a way to compress their same code to fit the fixes into the V1 but struggled to make it happen with all the limited resource capacity, etc. and finally just had to give up on it (similar to how they had to give up on Edge/Local Personal Detection because they couldn’t squeeze everything else they also needed on there) and finally just decided to do EOL so they could push the updates to the rest of them (especially since these have actually basically been EOL for years anyway…Wyze hasn’t sold V1’s for years now). I doubt Wyze will ever release a detailed timeline. Most businesses wouldn’t. I don’t see this as a huge conspiracy or issue anyway since outsiders could not get any access anyway…and if they could, you have MUCH more serious problems to worry about.
Anyway, the above opinions are my own, but since your cams are as secure as your WiFi, to me it is a 100% non-issue…actually less than a non-issue…the fix is the issue to me…it makes me sad that it got “fixed” because I otherwise would’ve finally had access to the SD card through the secure network like we’ve all been begging them to do on purpose forever…
Funny how since a security company figures out how to do this thing (that everyone else has been dying to be able to do and been asking for), publications make fearmongering clickbait and then people start to panic, but for years thousands of us have been begging Wyze to do this on purpose…
For anyone who understands what it means, and that your cams have always been secure if you have private WiFi, there’s a big opportunity right now to get a bunch of great devices from any people who may be panicking and leaving. I for one will be scouting the marketplace classifieds to buy a bunch of great stuff, especially V1’s which are the only cameras that now have this feature enabled (the way I see it)…but I suspect there may be some people just selling or giving away all their Wyze stuff like some of the publications tried to scare them to do (I hope I can get some nearly free sensors and other cool stuff too). I don’t have any V1 cams at the moment, but I’m sure going to get some now that I’m hearing I may be able to use them and copy the SD card file contents through my network instead of removing the card. Who knew the V1’s would be the only device to get this cool feature we’ve all been requesting for years, and as long as they’re on a private network, I have no concerns otherwise.
(Again, the above are my personal opinions…Wyze has publicly recommended people upgrade to newer devices that can continue to have the latest updates. I totally respect people being upset about what they’ve read and not knowing what to think. I am simply expressing my point of view that I personally am not upset or worried after reading the actual details and limitations).