UPDATE YOUR FIRMWARE - Wyze Cam flaw lets hackers remotely access your saved videos ( * if they can gain access to your local network/WiFi )

This is the story I’m interested in most.

Out. Of. Proportion.

Bad. Press. Behavior.

Now let me watch the video… :slight_smile:

:ballot_box_with_check:

2 Likes

Yes, I thanked @Rareapple3 for it in another thread. Finally someone with a level of attention / reputation who gets it.

I’ve only watched a few minutes. Please let us know if he says anything novel (other than pointing out how irresponsible The Verge and Gizmodo and Bleeping Computer - and Wyze - have been about this).

2 Likes

Well said! As you say, it could have, should have, been handled with their highly hyped customer focus as the priority. Apparently I was swayed by the hype and the risk is fairly limited. However, it should always be the customer’s decision on how to handle their risk.

2 Likes

Personally, I’d never port forward on a home network using cable/telco hardware. Those magic boxes may not have much security on a port forward. It leaves you open to a kiddie-hacker fest finding an open port. The cams aren’t “exploitable” in any true sense of the word. It’s a pretty useless target and I’m imagining that hackers are looking for a misconfigured router with 80 open on the WAN side or somebody running a web server on their home net. Lot more fun to be had there.
There are a lot more secure ways to connect to a cam or any IoT interface if you really need to do that. Or just pass through your cable/telco box and put an endpoint in place that is designed to secure inbound traffic.

As @speadie said, it’s doable but you have way more things to think about than someone looking at more than likely boring cams. Most people probably have carrier, or carrier compatible hardware that has push updates and is not readily accessible from the WAN side unless you are the carrier.

But…but, isn’t this just what the legitimate users have been asking for? A way to access the SD card without having to crawl out on the ledge to retrieve the SD card and manage the files.
I’d certainly like to know how this is done.

Those are my same thoughts as I mentioned above:

Nobody from outside the home WiFi could access anything anyway, so yes, as you stated, it is almost exactly what many of us have been asking for them to do on purpose for years.

2 Likes

My impression:
This has the tone, hyperbole, and content of a “hit piece”. The kind of slanted report funded by a competitor (usually via a third-party business that specializes in muckraking).

1 Like

Yep, and people see what they want to see, hear what they want to hear. Anyone looking for a reason to be mad at Wyze, or afraid of hax0rs will easily find or create it here.

True enough. Cognitive bias is a thing. It also could be the reason why there seems to be a tendency to intensely focus attention on the straw man of risk level instead of the actual unresolved matter of timely and effective disclosure.

The question remains whether adequate measures have been taken to notify all owners of cam v2 and v3 of the specific need to update their firmware due to security concerns in the context of a known vulnerability explained in enough detail to be instructive to those who might not be aware of best practices and to provide the specific reasons why the v1 will remain vulnerable. A vague statement of “use at your own risk” and EoL falls short when a fuller explanation would serve to help the cam owners understand why they are being given that advice and how it benefits them to follow it rather than assume it’s a crass move to churn inventory.

2 Likes

Hear hear. That is the only indisputably bad step the company took, among several questionable ones.

1 Like

You can read the Bitdefender research paper linked in the following reference. It goes into some detail on how it’s done. You will need a cam v1 as those have not and will not receive the firmware update that prevents exploitation of the vulnerability.

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/

Aren’t you happy that you now have your wish to have a way to remotely access your cam’s SD card files (at least on v1s)? Since there are lots of people saying they will be getting rid of their v1s, seems like you could scoop up as many v1s as you can get your hands on at minimal expense as a win/win for everyone including keeping all that plastic out of landfills.

1 Like

Has anyone received a direct response from Wyze about whether they have been notified of a similar hack for the v2, v3, or any other camera? I have asked Wyze multiple times, and I have not received a reply. This thread is also lacking in participation from the usual Wyze crew.

F*#&K wyze! All the woeful products I own and bought from them are already in the trash!

2 Likes

Just to be thorough in case anyone reading is new to this conversation: According to its timeline concerning the vulnerability, Bitdefender’s white paper states that Wyze released the firmware update fix on January 29, 2022 for v2 & v3 cams, three years after being made aware of the vulnerability by Bitdefender.

Bitdefender’s White Paper and Timeline Concerning the Vulnerability Discovered in Regard to Wyze Cams

Wyze mentioned that they were unable to provide a firmware update for v1 due to its incapacity to store the needed update. Wyze advised that v1 is no longer supported and has warned customers to continue to “use at your own risk” with no or at least woefully inadequate details provided regarding the specific reason, allowing customers to dismiss those vague statements as a crass move designed to sell replacements rather than provide enough info to educate and protect their customers.

HOWEVER, outside of this forum, I’m not aware of any explicit notice sent to cam owners and would like to see that occur as an exercise of basic corporate responsibility. And even within this forum, Wyze’s statements have not been explicit enough IMO, and Wyze has sought instead to focus on minimizing people’s concerns as exaggerated and excusing its lapse in a way that sounds a lot like “if anyone got hacked, they were doing something to deserve it”, to paraphrase my perception of their statements.

Since the vulnerability has been published by Bitdefender recently, the blueprint for how to take advantage of the vulnerability is publicly available and it’s incumbent on Wyze to actively reach out to customers to explain why they should be cautious in continuing to use v1 especially considering many customers in this low end of the market may predictably have entry level technical skills and be unaware of how or why they may continue to be at risk.

1 Like

Just a bump for this response too, to round out the conversation a bit.

/me ducks

This whole issue is Wyze’s “Keep my wife’s name out of your ***** mouth” moment.

MOD NOTE: Post edited to conform to the Community Guidelines.

1 Like

:joy_cat:. Wait. Which side is Smith in this scenario?

2 Likes