These guys are not fans


#1

General article on camera safety that specifically mentions the WyzeCam.

I had read in the past the WyzeCam was secure and US based but they seem to disagree.


#2

Wow, thanks for sharing. It's very biased and, to be frank, a bit poorly written. The author REALLY likes 2FA and Google.

Dude likes Netgear despite a facepalm vulnerability https://kb.netgear.com/30731/Arlo-WiFi-Default-Password-Security-Vulnerability

Wyze's QR code method is quite clever: the cameras can't be put into a reset state and accessed over BT or WiFi to hijack; you need physical access at very close proximity.


#3

I kind of agree. I think (optional) 2FA would be a worthwhile security upgrade for Wyze to implement to prevent access to cameras using credentials obtained due to a breach somewhere.


#4

I'd prefer Wyze use something like PasswordPing rather than having to 2FA each time I load the app. It'd be going to the same mobile device as this app anyways lol.


#5

With 2FA, you are generally only asked to verify with the 2nd factor when signing on from a new device. I assume that's how Wyze would implement it.


#6

My services tend to expire after the session, 24 hrs or a week. I appreciate your idea though! It'd be nice if it was only new device/new app install for this use case.


#7

I’m a bit confused, is it possible that someone is watching my family on my Wyze cam? How can I make it more secure? Thank you


#8

The most important thing you can do is have a strong password that you do not re-use with other sites and services.


#9

It's only possible if you have a weak password that someone else has guessed and is now using your account. Overall, the path from the cameras to your phone is very secure.

Here’s a useful (albeit technical) comment made by the Chief Engineer: https://www.reddit.com/r/wyzecam/comments/7deomj/hes_tao_an_engineer_who_spent_over_1000_hours_to/dpxpqoz/



#10

Our information on security: We take our customers' data safety very seriously. The communication between your mobile device, the Wyze Cam, and the AWS Cloud Server is made via HTTPS (Transport Layer Security (TLS)). We use symmetric and asymmetric encryption, hashing and other ways to make sure users' information cannot be stolen. Each camera has its own secret key and certificate so that we can validate its identity during the handshake. The contents are encrypted via AES 128-bit encryption to protect the data. Even if a hacker intercepts the data packets, the data cannot be decrypted.

As RickO mentioned, that means the most important part of your security is the password you use for the account. If you ever feel that your account may have been compromised, the best thing to do is to change your password for both your Wyze account and the email used for login (in case it was the compromised party). Client privacy is our number 1 priority and we keep looking for ways to improve.

As of writing this I am unsure if we are planning to use 2FA, but I will be sure to bring it to the attention of our Devs! Please let me know if you have additional questions about this, I will be happy to help.


#11

Thanks Max!


#12

The article is BS and should just be ignored. However I do have a complaint about Wyze’s enforcement of silly password rules. The length requirement is too much, while precluding the use of more-secure special characters. So now my Wyze password is memorable and probably the least secure of all of my passwords, but hey, it’s long enough to meet the rules.



#13

Aren’t all password rules silly?

Coding Horror Blog Post about Passwords



#14

@Carlos, could you please tell me a special character or two you were not allowed to use? To my knowledge we should not restrict any special characters so I would like to investigate for you. Thanks!


#15

No, not at all.


#16

I may be wrong, since I can't cause a problem now while trying to duplicate it. I tried my normal algorithms for creating site-specific passwords and your site rejected them all, possibly because of the length (your length requirement is ludicrous IMO), but I thought I had seen a character type warning also. Now the ones I've tried work, other than length. So basically I just duplicated the logical password in series, and removed one letter to bypass what seems like duplicate detection.


#17

It's been a couple of months, but I think that either hyphen or underscore was not allowed. I also had to use a different PW format than I would have normally used.



#18

Thanks for the info! How does Tinycam negotiate the handshake? Are they a partner?


#19

Interesting... it seems they recently raised the minimum length by one character. When I signed up a month ago, the minimum was 8; now it seems to be 9.

While it suggests 12 characters, mixed case, etc., it seems to only require 9, at which point it calls your password "medium". It seems to call anything 9-10 characters "medium" and 11 or more "strong", even if it's all lower-case, or even all numbers. However, it will reject some very obvious passwords like "987654321", and those with a lot of repetition like "191919191919".

Seems strange that it considers "81753560838" "strong" (11 random digits generated by random.org), despite just being digits. "36323933987" is considered medium, and is also 11 digits generated by random.org, but presumably it is ignoring one of the repeated 3's. Obviously both of these passwords are of the same quality, having exactly the same entropy, and both are actually pretty poor passwords.

The strange 9/11 character boundaries make me wonder if someone's got some off-by-one bugs, and they were aiming for 8 and 12.

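The observation above (a length-only meter that grades 11 random digits as "strong", while two digit strings of identical entropy get different grades) is easy to reproduce against a model of such a meter. The following is an added example, not part of the thread and not Wyze's code: the `naive_meter` thresholds are an assumption taken from what the post reports (reject under 9, "medium" at 9-10, "strong" at 11+), and `assess` shows what a charset-entropy estimate plus sequence and repetition checks say about the same inputs.

```python
import math
import re

# Assumed thresholds, modelled on the behaviour reported in the post above.
# This is an illustration of a length-only meter, not the real one.
NAIVE_MIN_LEN = 9
NAIVE_STRONG_LEN = 11


def naive_meter(password: str) -> str:
    """Length-only grading: <9 rejected, 9-10 'medium', 11+ 'strong'."""
    if len(password) < NAIVE_MIN_LEN:
        return "rejected"
    return "strong" if len(password) >= NAIVE_STRONG_LEN else "medium"


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker would have to brute-force per character."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming each character is uniform over the charset.
    Two 11-digit strings therefore always score the same: 11 * log2(10) ~= 36.5 bits."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def is_sequential(password: str) -> bool:
    """True when every adjacent pair steps by exactly +1 or -1 in code point ('987654321', 'abcdef')."""
    if len(password) < 3:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return deltas in ({1}, {-1})


def smallest_repeating_unit(password: str) -> int:
    """Length of the shortest substring whose repetition reproduces the password ('191919191919' -> 2)."""
    n = len(password)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and password[:k] * (n // k) == password:
            return k
    return n


def assess(password: str, min_bits: float = 40.0) -> dict:
    """Compare the length-only grade with an entropy-based verdict and the reasons for rejection."""
    reasons = []
    if is_sequential(password):
        reasons.append("sequential characters")
    if len(password) >= 6 and smallest_repeating_unit(password) <= 2:
        reasons.append("repeated pattern")
    bits = entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"only {bits:.1f} bits of charset entropy")
    return {
        "naive": naive_meter(password),
        "bits": round(bits, 1),
        "acceptable": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Sample inputs taken from the post above plus one constructed passphrase.
    for pw in ["81753560838", "36323933987", "987654321", "191919191919",
               "correct horse battery staple"]:
        print(pw, assess(pw))
```

Both random.org strings get the same 36.5-bit estimate and the same verdict here, which is the point the post makes: the grade should depend on the alphabet and length (and on pattern checks), not on a length cut-off that a string of digits can satisfy.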

#20

Thanks for the information both of you! I will forward this up to our Web team and see what we can do.