Wondering if there’s an official response coming from Wyze on this, or if this topic will be swiftly deleted.
The least Wyze should do is:
Refund the purchase price or buy back all Wyzecam v1’s or send out a WyzeCam 2 to all WyzeCam 1 owners for every unit they own WITHOUT asking people that own such high risk cams to OPT IN. They knew about this vulnerability for 3 years?!
I find it totally reprehensible that a company selling a security product knew for over 3 years that the WyzeCams have a vulnerability in its home security that could have let hackers look into your home over the internet. That hackers could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading your video feeds?!
They knew about this for over 3 years?! And finally patched this inexcusable HUGE security flaw this January? And only for all WyzeCams but the WyzeCam v1 which are still vulnerable?
We can never trust Wyze again.
Personally, I need to see a fairly impressive response to this news. I have been a vocal advocate for Wyze and I trusted their research enough to use a v2 as a baby cam. To learn that if I had used an SD card in that cam it could have been compromised all the way up until 1/29/22 was pretty devastating.
This seems so underhanded. It would take a LOT for me to not completely replace all of my Wyze devices. I’ve bought these cameras for people. It’s embarrassing, but I can only really blame myself. I’m just disappointed and concerned about the data. Mainly posting here in the hopes someone from Wyze sees, and understands this has real impact on people.
EDIT: I work for software security companies, and have for years. This is the number one way they tell you to evaluate a company’s security - how they disclose and protect their users of breaches, regardless of how it makes them look in the moment. It’s clear that Wyze has failed this, almost worse than any breach I can think of in recent memory. There were so many other solutions. I’m actually just done.
This is incredible. I have several Wyze cams in my home, all with SD cards. To not acknowledge this and let customers know this entire time is inexcusable. I would be surprised if this didn’t result in a class action lawsuit.
I work for software security companies, and have for years. This is the number one way they tell you to evaluate a company’s security - how they disclose and protect their users of breaches, regardless of how it makes them look in the moment.
That’s a really good point. When I did my initial investigation into Wyze, I was actually impressed with the work they were doing – especially in comparison to other companies that I had looked into. Discrete security certs on each device was light years ahead of the failures I had seen from supposedly trusted brands. But, when a mistake does happen, we need to know immediately so we can take protective actions.
Before anyone gets too excited about this, this is a TOTAL NON ISSUE for almost everyone. Unless your camera is directly connected to the internet, this is a non issue. If your camera is behind a NAT router (your typical home router for example), unless you specifically set up port forwarding to it (why would you do that?) the camera is not accessible from the internet via this hack.
It’s an issue because the way Wyze decided to handle it is an indicator of corporate culture and the consumer relationship behind the curtain. While this issue may not directly affect us all, in a way it does directly affect us all, you know what I mean?
Only sort of. As an analogy, if General Motors found that if you drive a Chevy Silverado at 150 mph, it is unstable - then GM did not reveal and immediately fix that problem, they are being wrong. No, since you can’t get a Silverado to 150 mph, so it’s a non-issue. Just as this hack is a non-issue.
Wyze has promptly fixed a couple real security issues in the past, so for real problems, they have taken it seriously. This is a non-issue so it went onto the “we’ll get around to it list” - which they did months ago.
And I agree with that sentiment about the corporate culture. I considered this. I told my fiance that it shouldn’t affect us because of that specific reason but I was still going to be replacing my cameras anyway. It’s great that this didn’t affect me personally. Could it have? Maybe. Maybe I own a coffee shop. Maybe I just don’t know anything about networking and I do something stupid (and I’m definitely not an expert). Would I ever have known about it if this was a vulnerability that affected me? And that’s the problem.
Can you expand a little on this? Because I still have a V1 inside my house. I use a typical AT&T provided WIFI router. With no settings changed. Am I still good?
If that were the case, Wyze could have just come out and said so three years ago. The lack of disclosure is the issue, not that a technical flaw exists in the first place.
You can never be TOO transparent or overcommunicate with your consumer base. But if you under communicate, we all have to ask… why?
I’m not buying the whole “it’s low priority, we’ll get around to it later” argument. Evidently this was a big enough problem for Wyze that they developed a new generation of the camera, at least in part to get around the vulnerability. The whole thing seems unnecessarily sneaky.
Saw the news and headed here to see what the thoughts are on the issue. For me, from the start, I just assumed if it’s connected to the net in some way, it’s hackable in some way - should someone with the skills and know-how find an interest to do so, they can gain access. I would never feel comfortable having any cam from any company looking at anything other than what it can see out the window.
In the case you describe, there couldn’t be a report that it would be unstable. So, work on the analogy. Perhaps if the vehicle is unstable at 100mph they could decide it is not an issue since no one is supposed to be going that fast? The bug that affected Wyze cams up until 1/29 did not require anyone to do something that is impossible.
Might have to do with funding at the time. I recall the dumb video Wyze posted about securing additional cash that would save the company. I believe prior to that they didn’t have the cash to exchange, recall or even patch their devices.
So many “smart” devices they’ve put out without any recent software updates.
But the gun safe will turn things around……
Why would the logs, UID and ENR be stored on SD card?
I can only offer conjecture. You would have to ask Wyze why they decided to do it for a specific answer.
Unfortunately not all of us have the same luxury.
In 2015, our family adopted 3 kids. Due to reasons I don’t want to get into, we were advised by social workers to set cameras up in their bedrooms until some milestones were crossed in therapy.
They’re all much older now and the cameras have long been removed, but it really sickens me to think that this vulnerability existed without my knowledge for a number of years while I was using a v1 camera in a child’s bedroom.