If you have a Wyze security camera, my suggestion would be to rip it out of the wall and throw it in the nearest trash can. Over the past three years, a glaring security flaw has taken root in the company’s V1, V2, and V3 Internet-connected cameras that allegedly allowed hackers to access video stored on the devices and watch what was going on. The company apparently knew about this all along and was very slow to take action to correct it. They also neglected to tell anyone.
News of the whole disaster broke on Tuesday, when cybersecurity firm Bitdefender released a blog post and a white paper revealing the security issue. The flaw, which currently has no official designation, would have allowed a hacker to gain unauthenticated remote access to the contents of a Wyze camera’s SD card. This means that an intruder could very easily view the video stored inside and even potentially download it. Since many people use these cameras inside their homes as well as outside, the privacy risks inherent in the products are quite worrying.
Worse still, the Bitdefender article reveals that the vulnerability was initially discovered and reported to Wyze in March 2019. Bitdefender also revealed two other previously undisclosed vulnerabilities that affected the camera lineup: an authentication bypass flaw tracked officially as CVE-2019-9564 and a remote code execution vulnerability, CVE-2019-12266. The bugs were fixed in previous firmware updates on September 24, 2019 and November 9, 2020, respectively.
Wyze finally released fixes for the SD card vulnerability in an update on January 29, which fixed the issue for its V2 and V3 cameras. However, Wyze stopped supporting its V1 camera in February, which means that no more security updates are possible for these cameras and that they will always be vulnerable to this uniquely intrusive security risk. Indeed, it looks like the company actually pulled the V1 because “hardware limitations” prevented it from effectively releasing a security update to fix these vulnerabilities.
At the time of V1’s withdrawal, the company issued a vague warning about how using the outdated product could lead to “increased risk”, but didn’t mention anything specifically about a known security issue that could allow hackers to hijack the product’s video stream. That might have been good to know.
The Verge questioned Bitdefender’s decision not to disclose the security issues earlier. The company’s disclosure timeline provided in its white paper makes it clear that it has been fairly consistent in trying to get Wyze to heed its warnings about the security flaw. But if Bitdefender has understood these serious consumer risks for three years, why wait for Wyze to be on the same page if the company seemed unresponsive? We’ve reached out to the security company for a better understanding of this and will update our story if they respond.
When reached for comment, a representative for Wyze reiterated to Gizmodo that problem areas had been patched. The representative also provided us with a statement. It reads, in part:
At Wyze, we value the trust of our users immensely and take all security issues seriously. We constantly assess the security of our systems and take appropriate measures to protect the privacy of our customers. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We have worked with Bitdefender and fixed security issues in our supported products. These updates are already rolling out in our latest app and firmware updates.
At Gizmodo, we have actually written about the Wyze cameras a bit. The cameras had a reputation as a cheaper but effective alternative to better-known home security brands like Nest. But those selling points probably have little appeal now. In short: it’s hard to imagine how customers are supposed to trust Wyze now and, for a security company, trust is pretty much everything.