Response to the 3/29/22 Security Report

No panic on this side of the tracks. I’ll continue to be a Wyze customer.

1 Like

I am not quite sure why everyone is thanking Wyze for this update. This admission is coming 3 years after they knew about this flaw and only after being disclosed publicly by Bitdefender.

16 Likes

Thank You @WyzeGwendolyn for the detailed explanation. It pretty much covered exactly what most rational users would have already discovered by a little research and critical thought. Keep up the progress!

1 Like

Well… that was wholly unsatisfactory.

This, and the previous database breach, are sufficient to get rid of all my Wyze kit. All statements to the contrary, Wyze clearly has no regard for its users’ security.

I work in IT, major security events happen — though one hopes not as frequently or easily as they seem to happen at Wyze — and response time is critical. I’ve seen entire infrastructures go down and be rebuilt while auditing in weeks. And I dare say the Wyze systems aren’t anywhere near as complex.

This is just a bunch of lazy execs laughing all the way to the bank. There’s no accountability at Wyze, and worse still, they somehow managed to get BitDefender on board with this plan of silence. I’m not suggesting they bribed them or something, but it would explain a lot.

Like Sean at the Verge, I’m done. And this excuse that hackers needed local LAN access is hilariously tone deaf and misses the point so completely it makes me wonder if we’re talking about the same issue. For me, my network is locked down hard, but not everyone has the time, money, and know-how to secure themselves and so they were endangered by Wyze’s lack of care for literally years. It’s inexcusable.

All of this from a “security” company who wants to protect your kids while they sleep…

Also, given the pride Wyze takes in its cams’ night mode… why the actual hell is there STILL no dark mode for iOS? It’s basically just retina searing salt in a wound at this point.

Now the real test, how quickly will they delete this and other critical responses…

Edit: typos, sry, on mobile.

13 Likes

Second post on your thread on January 6, 2022.

We never received a response, despite reposting the question several times.

Chickens, roosting, no one else to blame, etc., etc.

Opacity is never the right choice.

9 Likes

I guess we will find out in 3 years.

9 Likes

The Wyze response fails to address:

Response time:

  • Mar 06, 2019: Bitdefender contacted Wyze.
  • Nov 10, 2020: Wyze responds to the security report.
  • That’s a long time to ignore security researchers with critical issues.

Transparency:

  • Wyze should have stated, when v1 was discontinued, that a security issue existed allowing unrestricted SD card access via LAN.
  • Most people have an “if it ain’t broke, don’t trash it” attitude, which means they need enough information to make their own risk assessment. You can’t make any meaningful risk assessment on “critical security issue”.
  • There is a big difference between knowing about an active security issue and implying there may be a security issue in the future that Wyze doesn’t know about and cannot address.
  • Having a characterization of the issue would allow savvy users to better secure themselves.

Being responsive and honest is important and Wyze’s v1 EOL announcement and disclosure here are disappointing, falling far short of what a responsible company should do with the potentially highly personal data being collected.

I hope Wyze does better in the future and understands the disappointment some of us (who have highly recommended Wyze and look forward to continuing to use its products) have experienced.

14 Likes

Dead on.

7 Likes

THREE YEARS and now you expect people to trust you will keep our information and us safe. Time to search for other cameras.

6 Likes

No transparency. From a security company.

6 Likes

I. AM. DONE. WITH. WYZE.

3 years? From a company hawking security products or products accessed via the internet? The same day the article comes out I get an email from you… I thought it would be an explanation and apology… nope… hawking more stuff. I had to come here to read your response. Are there only amateurs working there? Nothing to your loyal supporters? Not even an email? Seriously? Not even an email… To answer the next question: I will gladly sign on with a class action lawsuit. Wyze had potential, I saw it, I bought products… I am done… I won’t even sell them as used…

8 Likes

That is the issue! You should understand not everyone is as tech savvy as you. Not everyone knows how to properly set up their routers, firewalls and were just looking for an inexpensive baby monitor. There was no notice the cams were vulnerable in certain conditions after Wyze was alerted. I am sure that people with indoor cams are having a shiver run up their spine right now.

4 Likes

Your apologetics are unhelpful, unless you have a vested interest in dismissing Wyze’s negligence. It’s no one’s business who someone gives their Wi-Fi passwords to or for what reasons. It’s irrelevant. There are very valid reasons to do so and without being informed of the hacking vulnerability in their Wyze cams, all such customers were very much at risk.

It was incumbent on Wyze to disclose the vulnerability to its customers in a timely manner. Period.

7 Likes

I don’t work for Wyze but for the record it wasn’t 3 years to fix everything and the SD readable on LAN isn’t a huge issue (relatively speaking). If a hacker has gained access to your internal network you are already in big trouble. Wyze has made mistakes here but just want to give you some context. I don’t think a lawsuit has much potential.
Best of luck though, mate!

5 Likes

My default is to assume that anything on my network is vulnerable if it is hacked or I {shudder} were to give someone my password. I am surprised that it takes hacking to reach the cameras once someone has access to my network. If someone gets access to my network I have a lot more serious things to worry about than who is dying of boredom watching my cams.

9 Likes

Why did it take so long to fix the vulnerabilities? Is it because of incompetent engineers? Or because these vulnerabilities had low priority? Or because you could not put the v1 into EOL in 2019 or 2020 since it was sold until March 2018? Actually, some of the v1 units sold in March 2018 were probably still under warranty when Bitdefender brought the issues to Wyze’s attention in March 2019.

Even if I can ignore what happened in the past, what is your response time to fix the next vulnerability? Another three years, or putting more devices into EOL?

4 Likes

Well written and excellent points!

6 Likes

As noted above, I agree with the timeliness issue.

But you should know that giving out your wi-fi password willy-nilly is far more risky than the security issue here. Routers/Modems have many security features that protect people’s home networks, and those are useless against someone who has local access.

The issue, as described by BitDefender, wouldn’t even be hacking if you have LAN access. It would have been trivial for you or any individual to access your Wyze camera (IF AND ONLY IF you put a MicroSD card into it, according to BitDefender). No specialized skills necessary, no hacking required. (The hacking part would only be required to gain access to your home network).

Far greater danger comes from someone who has persistent access to your LAN (e.g. someone with your wifi password).

Just want to give some context here.

6 Likes

If it were the “first straw” I might be able to let go. But it isn’t. For me it’s the “last straw” of way too many irritating and obnoxious ones before.
So my new cams are arriving tomorrow. I’ll have them running this weekend hopefully. And Wyze can go and be whatever they want to be, but it will be without me.
You took no responsibility at all in your statement. None. Zero. Zilch.
You have plenty here to explain. And you didn’t. So best of luck to you. You’ve had all the money from me that you ever will.
Goodbye.

5 Likes

This is the only part that surprises me a little. As @carverofchoice said to much comedic effect, web access is something users have been requesting for a long time and it’s surprising that no one stumbled across that before. I wonder how the necessary URL needed to be crafted…

2 Likes