I just threw my Wyze home security cameras in the trash. I’m done with this company.
I just learned that for the last three years, Wyze was fully aware of a vulnerability in its home security cameras that could have allowed hackers to peer into your home over the internet, but chose to sweep it under the rug. And the security company that found the vulnerability largely let them.
Instead of fixing it, instead of recalling it, instead of just, you know, saying something so that I could stop pointing these cameras at my children, Wyze simply decided to discontinue the WyzeCam v1 in January without a full explanation. But on Tuesday, security research firm Bitdefender finally explained why Wyze stopped selling it: because someone could access your camera’s SD card from the internet, steal the encryption key, and start watching and downloading your video stream.
Nowhere does Wyze say anything like that to customers like me. Not when it shut down the camera, not in the three years since Bitdefender brought it to Wyze’s attention in March 2019, and maybe not ever: Wyze spokesperson Kyle Christensen told me that the company has been transparent with its customers before and has “completely fixed the problem.” But Wyze only patched it for newer versions of the WyzeCam, and even then it didn’t finish patching v2 and v3 until January 29, 2022, according to BleepingComputer.
As for transparency, the most I saw Wyze tell customers was that “your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk.” Wyze also sometimes sends vague emails like this to its customers, which I used to appreciate but now retroactively question:
When I read those words about “increased risk” in our Verge story about the WyzeCam v1 shutdown, I remember thinking it was just referring to upcoming security updates, not a major vulnerability that already existed.
Here’s another question, though: why the hell wouldn’t Bitdefender disclose this for three whole years, when it could have forced Wyze’s hand?
According to the security research firm’s own disclosure timeline (PDF), it contacted Wyze in March 2019 and didn’t even get a response until November 2020, a year and eight months later. Yet Bitdefender chose to keep quiet until yesterday.
In case you’re wondering, no, that’s not normal in the security community. Although experts tell me that the concept of a “responsible disclosure timeline” is a bit outdated and highly situational, they generally measure in days, not years. “The majority of researchers have policies that if they make a good faith effort to contact a vendor and don’t get a response, they publicly disclose it within 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.
“Even the US government has a default 45-day disclosure deadline to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.
I asked Bitdefender about it, and PR manager Steve Fiore had an explanation, but it doesn’t sit well with me. Here it is in full:
Our findings were so serious that our decision, regardless of our usual policy of extending the 90-day grace period, was that releasing this report without Wyze’s acknowledgment and mitigation was going to potentially expose millions of customers with unknown implications. Especially since, as far as we knew, the vendor did not have a security process/framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).
We have previously delayed the release of reports (iBaby Monitor M6S cameras) for longer periods for the same reason. The impact of releasing the findings, coupled with our lack of information about the vendor’s ability to deal with the fallout, dictated our decision to wait.
We understand that this is not necessarily common practice among other researchers, but releasing the findings before the vendor provided fixes would have put a lot of people at risk. So when Wyze finally reached out to us and provided us with credible information about their ability to fix the reported issues, we decided to give them some time and grant them extensions.
Waiting sometimes makes sense. The two experts I spoke to, Moussouris and Stamos, independently cited the infamous Meltdown processor vulnerabilities as an example of how difficult it is to balance security and disclosure, because of the number of people affected, how deeply the flaws were integrated into computers, and how difficult they were to fix.
But a $20 mainstream smart home camera sitting right on my shelf? If Bitdefender had issued a press release two years ago stating that Wyze had a flaw it wasn’t fixing, it would have been very easy to stop using this camera, stop buying it, and choose another one instead. “There is an easy mitigation strategy for affected customers,” Stamos says.
The iBaby Monitor example that Bitdefender brings up is also a bit ironic, because there Bitdefender actually did force a company to act. When Bitdefender and PCMag revealed that the baby monitor company had failed to fix its security flaw, the resulting bad publicity prompted it to fix the flaw three days later.
Days, not years.
Now, if you’ll excuse me, I have to say goodbye to those Wyze headphones that I used to love, because I really want to be done with Wyze. I was prepared to dismiss the company’s disastrous leak of 2.4 million customers’ data as a mistake, but it doesn’t look like the company made a mistake here. If these flaws were serious enough to discontinue the camera in 2022, customers deserved to know in 2019.