This is not secure

I read the below review and have some serious concerns about this camera. Is the below true?

"Not sure about how secure it is. They say they utilize a 3rd party called ThroughTek (offices in china and japan - none in US) to handle the transfer of videos. Wyze Cam claims the content is sent securely to aws. Examining the network traffic from camera shows that content is routed thru many providers including AWS, Linode (US) Vultr/Choopa (europe) and Aliyum/Alibaba (china). They seem to also utilize NTP server in Russia. To get more details… search on web for “WyzeCam sending data to servers other than AWS” and you will find a Reddit article. How does Wyze ensure that ThroughTek is not eavesdropping?

For me to trust Wyze Cam, I need to have clear control over end to end encryption of my data to ensure no 3rd party has any way of accessing my videos. Why can’t the data be sent directly from my cam to AWS (s3 bucket)? Why can I not have access to AWS logs (s3 logs) to review which other IP address has accessed (or attempted to access) my content? Just claiming that this is a secure solution, doesn’t work for me."

It’s a valid point to be concerned. However, if you have a camera, always assume someone is watching. Whether that be your family or else. Cameras often provide a false sense of security. If your concerned then you might want to think about physically connected cameras to a box. Those devices cost around $500.

While all those points are valid, it is introducing a lot of complexities to introduce those features. Those features would be understood only by a fraction of the customers and could be implemented properly by even less.

But let me try to address the different points mentioned.

First: the Reddit article is from November 2017. We have already addressed most of those points.

Are we using 3rd party called ThroughTek: Yes we are.
to transfer video: False. Used to do live streaming only, I’m pretty sure, Live streaming is initiated only by our cloud and ThoughTek cannot start a live streaming session by themselves but I need to verify that particular point.
video transferred securely: We are encrypting the channels for the communication between the camera and the AWS server. I did not verified the implementation but I’m pretty sure that the actual transfer of the content goes straight from the camera to AWS.
Using NTP servers in Russia: does it really matter which server is used to get the time?

Why are we not using an S3 bucket that you are providing? Several reasons.

• very few people would really take advantage of this feature and would not want to pay the cost of the S3 storage.
• the setup of such a features would be everything but trivial.
• you would gain an understanding of how the storage of the videos are taking place, which for the moment is not documented anywhere and provide therefore some level of obfuscation. One thing is that we are not storing the videos by users so we would have to create also alternate ways
• If we decide to change the storage implementation or decide to move from AWS (out of S3) to Azure, then we are stuck. And we are looking at some drastic changes in the back end in the near future.
• We have no way to assure the integrity of the videos because now, someone else than us has access to the files and directories.

Providing your own encryption:
Extremely complicated and beyond what most people are comfortable setting up. More over, if we are using a 128 bits key and you are using a 128 bits key. What would it make your key more secure than ours?
It would reduce the impact in case of an attack but would not make it more secure if you are targeted.

Access to AWS logs: for the moment, all the cameras are processed together. Giving you access to those logs would defeat any privacy attempt. We would have to use a separate account for each user to be able to do so. This is not scalable.

There are ways to provide transparency without having to open up the system the way you are requesting. For example, we could have a log that would allow to see every connection attempt. We can flag new IP and MAC addresses that would try to operate on a given account. We could even imagine features like blacklisting of IPs based on geo location or other criteria. This would be more constructive approach more the overall customer base.

The thing is, we are being asked to open the system up and down, left and right but I have not seen a single product on the market that offers that level of flexibility or that went to the level of effort to provide information and made changes to reassure users that we are taking privacy extremely seriously. We even bet the company by not accepting a round of investment that would have not favorably served our customers.

If beyond that you still feel that Wyze is too “unsecure” for you, then this your own decision and there is not much we can do or say that would change your mind and Wyze might not be the camera for you.
In this case, I wish you good luck in finding a commercial residential product that would offer you that level of security related feature. If you know one, please let me know as I would be very interested to learn about it.

Love this direct response. Bravo.

well worded, great information…and very professional…what more could you ask for in a response?

Thanks for the direct response. I really appreciate it.

This thread on reddit is so very interesting. And so very over my head.

Still, I struggle to understand because I Sense there are core issues being discussed here. And I like. Core. Issues.

TinyCam Pro developer @alexey.vasilyev seems to me a skilled and insightful player in the smart cam space. As does Wyze’s own Senior Director of Technology & Services, @Frederik.

I wonder if these two would be interested in batting around the subject opened here (as their valuable time allows.)

Fortune favors the bold, they say. So I’m asking.

Like this comment (or “hear hear” below) if it interests you as well.

I found this topic and sent the OP to get discussion going. I also asked two computer dork friends of mine that speak this very involved language to get better understanding myself. So from what I’m gathering, there are moments when the integrity of our data is not in our hands. While this disturbs me a bit, I think its important to keep it in context. You and I are paying for a bad ass $22 camera that makes things super convenient. I doubt seriously that a $22 can camera provide NASA-worthy security protocols. That said, I also don’t want to put it in my kid’s bedroom for Grandma and Grandpa to be able to tell them goodnight like we used to.
I am however going to buy 7-8 more of these cool little cameras and put them around the outside of my house/garage and in indoor places where naked people will not be exposed.

If you want top level encrypted data, don’t expect it from a $22 camera. Get ready for cameras in the 3-4 figure range. If you want a kick butt camera for fun things, this appears to be the best thing on the market IMO.

Just my 2 cents!

chris

In Russia, NTP servers do not accept requests for time. Russian NTP servers tell YOU what time it is!

For me this boils down to trust. Is any one or any thing trust worthy? Is trust a quaint concept like privacy? “Don’t debilitate yourself with unrealistic requirements - embrace… it.” Whatever “it” might be today, and transform into tomorrow.

The TinyCam Pro program launched about eight years ago according to its page on Google Play. It has a rating of around 4.6. @alexey.vasilyev speaks forthrightly and persuasively in the forums. I see no substantial indictments against him on the boards. I am persuaded to trust him with my Wyze credentials because I WANT to use his excellent app.

At the same time I am advised by Wyze (in one instance on reddit by @Frederik) that “providing [Alexey] your user name and password is at your own risk and is not recommended…”

It’s an interesting dilemma.

Frederik says above, “We even bet the company by not accepting a round of investment that would have not favorably served our customers.”

Having spent three skeptical months on these boards I have come to believe I can trust Wyze and Frederik in that claim. It’s a claim I can enthusiastically endorse. I WANT to. And now I believe it is well-founded to do so.

So, roughly, Alexey says Wyze’s P2P protocol is untrustworthy. Frederik says giving Alexey your Wyze credentials is a questionable action that Wyze can’t endorse - but will not prevent.

What’s a dimwit to do?

One follow up to my response. Only wyze can initiate step 2 and 3 when connecting to the livestream. So Throughtek cannot eavedrop on the camera.
That’s the response I got from engineering.

tinyCam dev here.

Do not trust any cloud cameras, e.g. Wyze, Nest, Arlo, etc. Period. All credentials are stored on server and service admins have access to them. So they can view video from your camera and watch recorded video stored on AWS if they want to. And you will not be able to notice that.

Wyze uses P2P developed by TUTK for live view and HTTPS for getting credentials and uploading video to AWS.

TUTK P2P protocol is quite strange. I do not see valid description of P2P protocol and open source implementation. TUTK provides precompiled binaries for every P2P camera manufacturer, e.g. Wyze. I highly doubt that it is secured. AES 128 does not mean anything IMHO. There can be still backdoor. HTTPS protocol is secured.

Wyze made some improvements over TUTK P2P for encrypting credentials. At least TUTK admins will not have access to your live stream (if there is no backdoor of cause).

P.S. You should not trust apps as well. However it is always possible to decompile Android apps and check what the app is doing.

I don’t know how the rest of you feel, but when I’m not home, I don’t frankly care if some guy in china is looking at my feed. Enjoy it.

However, when I’m home I don’t want anyone to be able to see my feed, including Wyze or Amazon. So the interior cameras will be physically turned off with smart plugs.

At my cabin in NH, they are all always on, and then I unplug them when I arrive.

Hi Don, I get what you’re saying. I run a lot like you.

My problem with this is that if you don’t stand on principle because, it’s not culturally valued, is a futile endeavor, I-can-take-informed-measures-to-protect-myself-and-will, etc, then the hoi polloi, who would be about as likely to change a setting or take prudent measures as a squirrel would be to stare at a smart phone all day, gets a long deep continuous drubbing and those protecting themselves by being informed and taking prudent measures (us) are forced to take ever greater measures because the trend away from principle is strong and getting stronger every day until, one day, there’s no more principle to stand on. Oops?

Based on the info in the thread above, would you use tinyCam software with your Wyzecam products?

If you weren’t Alexey but Joe Blow user, how would you vote?

If there would be another choice, I would vote for not using cloud cameras inside your home. Use it outdoors

As long as they are transparent, then i’m fine with it.

If I was motivated enough, I’d have local IP cams streaming to a NAS. More secure and private. But this is a trade off for having the luxury of easy setup and 5 cams installed for less than $150.

The people really getting screwed are the people paying $150 for a single Nest Cam who still have these same privacy issues.

Would you be willing to pay more for a Wyze v2 cam with ALL privacy and security issues resolved?

Let’s say double the current price ($50) would be the minimum required to support release of this Unicorn Cam. Are you on board with that?

How about tripling, or quadrupling? At what price point would you balk?

I would pay at most:

As long as they are recording outside your own network there will always be a possible security breach. This makes the poll impossible for me to answer.