UPDATE YOUR FIRMWARE - Wyze Cam flaw lets hackers remotely access your saved videos (*if they can gain access to your local network/WiFi)

I tried to access one of my cameras running RTSP and couldn’t access anything. It is just pointing your web browser to the IP of the camera, right? No special port number, just 80?

This update unfortunately does not apply to earlier versions of the cameras which are no longer supported. Looks like I will be shopping elsewhere.

Now even The Verge is getting in on the scare mongering. Again no mention that it was barely a threat to anyone.

How do these “technology” web sites consistently fail to report on technology? It’s pathetic.

Was Wyze careless and improperly secretive about this? Yep. Is the reporting realistic? No way.

3 Likes

Wyze won’t survive.

The Verge: Wyze knew hackers could remotely access your camera for three years and said nothing.

[Mod Note]: Your post was flagged as Off-Topic and merged to this topic for consistency in grouping similar posts. Please avoid diverting a topic by changing it midstream.

1 Like

Here is another article about it:

Both of these fine companies are vendors of mine. So what do I do? Since I don’t have a V1 cam I don’t have to throw anything out. But “don’t have to” and “want to” are 2 different things. I want to kick them both to the curb. And I will as soon as I find a decent replacement for them both.
Dang it, why do companies do such bad things? Simply because they can? I think Wyze should look back to that bankruptcy that they narrowly avoided. But not until we can all replace our cams with better ones! But which companies aren’t EVIL any more? None that I can think of. So I’ll have to take the best of the worst I guess. I wish you all a spot of good luck and plz post to Twitter when you throw away/destroy/smash/burn your Wyze Cams. Maybe a hashtag of #F***Wyze without the asterisks. I think that’s what I will use. Not soon enuf I’m afraid tho.

Rate the threat:

  • Nothing burger :sleeping:
  • Something burger :thinking:
  • Royale w/cheese :fearful:

0 voters

1 Like

**THEY DID NOT UPDATE OR PATCH v1 WYZECAMS SO THEY ARE ALL STILL VULNERABLE**

The least Wyze should do is:

  • Apologize.
  • Refund the purchase price or buy back all WyzeCam v1’s, or send out a WyzeCam 2 to all WyzeCam 1 owners for every unit they own WITHOUT asking people that own such high risk cams to OPT IN. They knew about this vulnerability for 3 years?!
  • Apologize.

I find it totally reprehensible that a company selling a security product knew for over 3 years that the WyzeCams have a vulnerability in their home security that could have let hackers look into your home over the internet. That hackers could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading your video feeds?!

They knew about this for over 3 years?! And finally patched this inexcusable HUGE security flaw this January? And only for all WyzeCams but the WyzeCam v1, which is still vulnerable?

We can never trust Wyze again.

3 Likes

I reached out to them via email and this is their response, which wasn’t a response at all.

Thank you for reaching out and for your questions.

At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.

If you have more questions or concerns about Wyze security topics, please reach out to security@wyze.com via email.

Regards,

Marjorie | Wyze Wizard

Trust and deceit. I just read an article about the security flaw of the V1 cameras by The Verge. Wyze knew of this flaw in March 2019. I’m done with Wyze - The Verge. Where do I send these worthless cameras?

2 Likes

I don’t know. There’s a lot of parts and pieces to this, much of which is not really appropriate for a public user forum of this nature. Part of the problem is when general publication “news” entities convert CVEs to English, using words like “huge” vulnerability. If the average user saw what a daily security log looked like, they’d unplug everything in their house and wear a tinfoil hat. Our work net gets hit into the tens of thousands of times per day. Of those, the Fortinet might notify on 2 or 3, and since those were killed along with the rest, it is just for information’s sake.

The target appears to be a no-auth port 80 server LAN-side. Yeah, that’s sloppy. But an “attacker” first needs to gain access to the LAN. Yeppers, it’s doable on a WLAN and you may have the wacko neighbor who’s got nothing better to do, which basically is the limit of the threat. Unless I want to put on my tinfoil hat and think that a burglar is going to go through that effort when they can usually kill power by throwing a disconnect or turn off access by cutting your cable/fiber/DSL drop. And why go through the brain drain when you can grab a jammer for pretty cheap these days.
Granted, most home nets don’t have the doberman edge protection but it’s really a low value target.

Now, I’m confused some by Bitdefender’s mitigation: “Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.” Huh? That solves the issue how?

That said, Wyze’s response to the problem is not good. They could have (weakly) contested the CVE. But more importantly, they could have fixed it right away. Much the same as our plugs :slight_smile:

The problem with these “huge” vulnerability CVEs is they cause panic; look at some of the responses to this. In reality, I could craft a wonderful email, phish it out to just 100 typical users and probably have access to a half dozen home networks in a matter of minutes, without leaving my chair. This camera attack assumes having the keys to the kingdom. The cams are the least of your problems…

7 Likes
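The segmentation that post puzzles over, shown as an added example (not from the thread, Wyze or Bitdefender): an nftables ruleset for a Linux router that leaves a compromised laptop or phone on the trusted LAN unable to reach anything on the camera segment, while the cameras keep their outbound path to the internet. Assumed names: wan0 is the upstream link, lan0 the trusted LAN on 192.168.1.0/24, iot0 the IoT SSID/VLAN on 192.168.20.0/24, and 192.168.1.10 the one host allowed to manage the cameras.

```nftables
# Added example, not Wyze's or Bitdefender's configuration. Load with
# `nft -f <file>` on a Linux router; NAT for the WAN side is assumed to be
# configured separately and is not shown.
flush ruleset

define IOT  = 192.168.20.0/24   # assumed camera/IoT segment
define MGMT = 192.168.1.10      # assumed single host allowed to reach it

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were allowed below; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet.
        iifname "lan0" oifname "wan0" accept

        # Cameras may only initiate connections outbound to their cloud
        # service; nothing on iot0 may open a connection into the LAN.
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" drop

        # LAN -> IoT: only the management host, and only to the camera
        # segment. Any other LAN device (a phished laptop, a guest's phone)
        # cannot reach a camera's local HTTP port at all.
        iifname "lan0" oifname "iot0" ip saddr $MGMT ip daddr $IOT accept
        iifname "lan0" oifname "iot0" drop
    }
}
```

This is containment only: the camera's unauthenticated port-80 service is unchanged and still reachable from anything else on iot0, so the firmware update in the topic title remains the actual fix. A consumer router's guest network gives a cruder version of the same thing, as the quoted Bitdefender text suggests, when it isolates guest clients from the main LAN.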

Please explain why you are upset? I’m not defending Wyze by any means; I have my own battles with them, but I’m just curious how you’re judging the impact.

2 Likes

Check this article: says they were asked to fix a security hole and never did for 3 years. They are supposed to in 90 days. Can someone from Wyze comment on this and what you are doing so this doesn’t happen again? I’m done with Wyze - The Verge

Well, it happens a lot more than you think and in some much more damaging circumstances. There’s no 90 day rule or anything.

But, you are 100% correct that they should address this, and more importantly address what they are doing to prevent it from happening again.

2 Likes

I woke up this morning to some really disconcerting news.
Wyze knew hackers could remotely access your camera for three years and said nothing - The Verge

I really don’t know whether I can trust Wyze products now. Have there been any similar issues with the v2 or v3 cameras where unauthorized attackers have been able to access live or stored video? Has Wyze ever been informed of a breach to a v2 or a v3 camera? Your customers deserve to know!

There’s enough router exploits available to drive a truck into most folks’ home networks. From not re-setting the default password to firmware holes. This is NOT A NON ISSUE. Wyze did NOTHING and who knows what was compromised with us? I have done many things I wouldn’t want anyone else to see. Personal things that need to remain personal. It’s inconceivable that Wyze did NOTHING for months/years. They violated the basic trust we put into them. They don’t deserve any more of my money or any more of my support. My Cam Plus license is up shortly and that’s it. I’ve ordered Eufy’s (at considerable cost) and I will post the destruction of my Wyze cams on my Twitter when I get the new cams working. The hashtag will be #F***Wyze with the first word spelled out properly.
I hope to make a properly informative vid and an enjoyable one too. My phone does Slo-Mo so it could be a smashing success. Maybe I’ll even Live tweet it.
Sorry Wyze. You f-d up just one too many times.

2 Likes

How many people/devices were impacted by the v1 breach? How many people/devices are still vulnerable? Were those device owners explicitly notified of the breach?
Has Wyze ever been informed of a breach to a v2, v3, or other camera not mentioned in the BleepingComputer or Verge news stories?
Where is the link to Wyze’s responsible disclosure policy and breach notification policy?
Will Wyze explicitly notify us if there is another breach?

2 Likes

Agreed. I have 2 v1 cams (1 for special needs kid) and Wyze needs to patch these or dole out replacements.
There’s too much competition in this price point to be shedding customers.
3 years is inexcusable.
Their silence on this matter (at least in the forums) says a lot.

1 Like

I too am done with WYZE.
So many posts here regarding issues and Wyze says nothing 99% of the time but this one is a HUGE deal breaker.
They are complicit in their silence.
1st they start taking away original included selling points to their cameras & locking it behind a paywall and now this?
F em…

It’s nearly impossible for someone who’s not a competent pro to determine if the flaw presented here was/is significant enough to qualify as a THREAT.

It’s just multiple layers of partial comprehension. Nothing.

So you’re left hoping you know a pro you can trust.

They exist and are active on this forum.

So good. :+1:

2 Likes

So much “fear itself” going on in here. Remember that those “tech websites” are looking for your clicks. They’d lose money if they reported “Obscure Wyze vulnerability took a long time to fix, but affected pretty much no one, and we couldn’t reproduce the hack.” Instead they put a bunch of “should have” and “hackers may have been able to…” and “all your logs are belong to us” and “rEm0Te hACkeRs!!!” and “didn’t fix within 90 days” (as if that’s some law or something). I don’t think you’ll hurt any feelings if you need to change companies, but don’t think that every single tech company doesn’t look at their backlog of bugs, features, risks, etc, and set priorities based on their own business criteria. That’s azackly what is (and should be) going on at Wyze, at Ring, at Nest, at everywhere.

5 Likes