2FA=NFW Really?

If the app is replaced on my phone, then the attacker has access to everything on my phone including the ability to receive and complete 2FA handshakes. So 2FA is zero help. And “using my credentials to access the Wyze cloud” doesn’t “impact other customers” one bit. So none of that makes sense to me.

Some of us, particularly those monitoring public spaces outside our homes, don’t care and prefer simplicity and convenience. We don’t need to be saved from ourselves.

I should add, that’s for worst case scenarios - I still use and trust userid + password as a weak lock on the door.

1 Like

I have TCP running on the same Android 11 Moto G as my Wyze App using 2FA Authenticator.

So long as I am logged into my app, even if it is closed, TCP never asks me to authenticate to view my cams. I am TCP streaming 12 cams on four 3-cam cards and regularly scroll through and live view individual cams.

Wondering if it is working that way for me, not asking for authentication every time I stream a cam, because it is on the same device that has already successfully logged in with a persistent 2FA certificate from the app? Just curious if the issue is only presented on TCP devices that don’t have the Wyze App to do the 2FA login leg work. :thinking:

TL;DR: People get mad when a company upgrades their security to protect them. Yet when they don’t, they question why they were hacked.

As someone studying network administration and taking a cyber security class, it is worth noting that the industry is constantly changing. Things that were known as secure 10-15 years ago are now outdated and the general public is not always happy with having to change their habits. Whether it is changing an old password or turning on 2FA. A company/individual needs to determine if they want to be more secure at the cost of being less convenient or have a greater chance of being a target.

Does anyone remember that big iCloud “hack”, where the victims were people who had an old/reused password that was not updated with the new standards? What about the Ring issues, which were because of old passwords? Ring now also requires 2FA.

A big portion of people claiming to be hacked are not really hacked. It is simply a person using an old/reused password that was linked with the account owner’s email that was exposed from an actual database breach. If they used that same password and did not have 2FA, the “hacker” now has access. The owner of that account would likely assume that the company had a breach and will blame them for the “hack” even though that company was not responsible. If the account owner had 2FA on, assuming 2FA was configured correctly, that person might get a text message with a link or code. If that person is smart they would then change their password.

Now I would be a hypocrite saying that 2FA is perfect because it’s not. There is no such thing as an unhackable system. We can only learn about new exploits and learn how to respond to them. Back in the day, SMS 2FA was assumed to be the best. But now real hackers find new ways, such as “SIM swapping” or malicious code, to bypass a code from a person’s phone that is physically on them. The better 2FA now is to use a trusted 2FA authenticator app that has rolling codes, for now until something changes. And it is already changing with the FIDO2 standard that uses a physical USB stick such as a YubiKey. Now we just need more companies to support FIDO.

The magnetic strip on the back of a credit card is highly vulnerable, and the industry responded to the issue and now has “EMV” chips on cards. However, the strip will still be on the card in the US for a few more years, making it somewhat pointless for now. I’m sure in the future we might hear about an exploit with the chips.

Some of the data breaches you hear about are caused by companies not maintaining/upgrading their systems. I remember hearing about a doctor’s office that was hacked and it turned out they were still using XP computers and were too stubborn to update them at the cost of their patients’ data.

How much do you value your security in an online world?

3 Likes

Going to use this as part of an assignment for my class.

1 Like

Since all of my accounts have unique passwords and my Wyze account doesn’t have a credit card associated with it, where did the hack come from? Somewhere on a Wyze server?

The only thing they could do with my V3’s is turn the siren on. And Wyze should have always had a control button on the actual camera to turn the siren off.

I’m not sure why you are studying network administration and taking a cyber security class – but I can tell that all your training has been from professional network administration teachers and cyber security teachers.

The way I can tell this is because you missed the major point of the firestorm.

There are several worthwhile takeaways from this firestorm, and you got one of them: “the general public is not always happy with having to change their habits” and you danced around one of the underlying issues: “A company/individual needs to determine if they want to be more secure at the cost of being less convenient or have a greater chance of being a target.”

The point where “cyber security experts” diverge from “physical security experts” is that cyber security experts rarely (if ever) consider any sort of cost/benefit analysis.

No physical security expert (outside the US federal government) would ever advise spending $1000 for a vault to secure property worth $100, but cyber security experts frequently do the equivalent by proposing to establish a high level of security on a system with little or no value.

You are in the process of being taught all about the “best practices” for cyber security, but implementing those “best practices” frequently comes with costs far exceeding their value - those costs are not just the direct financial cost, but the human costs and the unintended consequences, as well.

For many of us there is no real reason to worry about the security of our individual accounts. How much effort should a Wyze customer put into ‘securing’ the video feed of his cat litter box or his bird feeder, or even his front porch? How much security do I need for my Wyze scale? Yes, there are some Wyze customers who are [mis]using Wyze products in ways that deserve better security than will ever be accomplished with those products. I recently saw one such customer whining in the Wyze group on Facebook and a friend of mine got in trouble for calling her a Karen.

But to get back to the missed takeaway from this firestorm: people don’t like being told they are going to be forced to do something that is at least inconvenient (and in some cases impossible) for no good reason and they especially don’t like it when the change is announced as if all decisions have been made in a vacuum when it is obvious that many factors had not been considered.

2 Likes

peterhting wrote (post 60):
“Think of 2FA as locking your car door in a bad neighborhood, as the internet is now a bad neighborhood. Once bad actors are in your car, they can drive to your home and open the garage door.”

Completely invalid comparison.

NONSENSE! Unless you have some special knowledge that the developers behind Wyze are incompetent clowns, there is nothing that one ordinary customer can do that impacts other customers.

Yawn - Who cares?!? If someone wants to watch the view from my front porch to see when UPS drops off a package or when the mailman drops off my mail, they are welcome to watch.

3 Likes

I have only been in this class for about a week and a half but have done a bunch of computer mentorships with the poor public school system here. Most of my tech skills were self-taught. I plan on going into a career that involves maintaining a network in a place of business, and what I would recommend to them depends on the size of the business. If their file server gets breached, who do you think they will blame, and who risks getting fired and losing their trust?

I do agree with you regarding the value of data over the cost to secure it. I would also like to add: if that data were to be exposed and a lawsuit were to be filed, how much cost/time would it take to settle the lawsuit vs. spending an adequate amount on protecting the customers’ data? It could make the business shut down, which has happened many times.

I agree that the best practices are almost never realistic practices. The I.T. class that I am required to take is very annoying with that. They say that when you take apart a PC you have to wear an anti-static strap, which is ridiculous.

I tend to disagree with this statement in certain situations.
For Wyze (I’m assuming in this instance), it depends on where you have your cameras facing. I would likely never put cloud-based cameras inside, as that is a highly valued bit of information for me in my opinion. But others might not care and will expect a higher level of security over those that point outside.

In a broader sense, I think someone should care about the security of a bank account or social media, for example, as that could cause real harm. And if a company does not invest resources in data security, I would question whether I would still want to use them, depending on how much that data is worth to me.

Perhaps I expect too much from corporations as my experiences have come from government-funded avenues and depending on where I might end up that perception may change.

As noted in the example in my post above, most hackers don’t need to resort to SIM swapping or complex solutions to bypass MFA. I’d bet with the diversity of users on an app like Wyze, give me 100 emails and I’ll get account access, bypassing MFA.
You ask:

A lot, depending on what we’re talking about. However, if my security is dependent on other users, we’re all in trouble. As others mentioned, in relation to this app, it’s no big deal. While there is some limited value in accessing cams, it is dependent on a bad actor having access to a lot of information to make it worthwhile. The thieves that might benefit from it aren’t going to be doing in-depth analysis of a $30 front door cam.
The point we are making is not whether to give the ability to use MFA, but to give the user the option to decide for themselves. For this app, I’m happy with secure device-level auth that doesn’t require a public key and lowers the man-in-the-middle attack chances.

As others have noted in detail, that is a disingenuous summary at best.

We want Wyze and other “cloud” providers to secure all our information and access (not merely authentication methods and credentials) to the best of their abilities. Making me carry a phone and type additional auth codes (or enroll and trust in a third or fourth party authenticator company) doesn’t affect how Wyze is securing my information! It only reduces MY risk, and I want to continue to be able to make that assessment and trade off. Asking users to do more for little or no gain is NEVER okay. Technology companies have, effectively, magic at their disposal to solve a myriad of potential issues without burdening their users and customers. Too few of them do this.

2 Likes

You may be correct. I was accessing TinyCam pro from various devices including Chromebooks and Chromeboxes. ChromeOS devices can no longer install the Wyze Android app (Wyze needs to fix this) so that could be the reason??? Since I’m not concerned with somebody viewing my camera feeds I’m comfortable leaving 2 factor off.

1 Like

Thanks for a detailed and well reasoned reply, @Rareapple3 – I’d say we agree with each other very nearly 100% - with the minor differences only being a matter of degree or of which specific circumstances we are considering.

When I spoke of individual accounts not being worth much effort securing, yes, I was talking specifically about our Wyze accounts and talking about customers who show at least as much good sense as a rock (e.g. not having cloud-based cameras in sensitive areas).

I absolutely agree that businesses need to have adequate security for sensitive data – both their working data and whatever private data they choose to keep about customers (many businesses increase their risk by keeping too much data on their customers).

My objection to “excessive” security measures is primarily about individual accounts in what are simply social settings with no financial or other material connections. Look at how many online forums are implementing so many of those so-called “Best Practices” – I can’t think of any that don’t require at least a so-called “strong” password - but why? And how much does such “security” actually gain when complex passwords simply encourage reuse by so many users who have no desire to memorize twenty or thirty different combinations of pseudo-random MiXeD cAsE a1phanum3r1c characters just to log in to different platforms to discuss their analysis of the lyrics of some hit song that no one will remember next week?

There is (or at least should be) a sharp line between the security needed for business data and the trivial level of security needed for most non-commercial systems like social forums and games.

And, yes, I realize that the line between those has started to become blurred as we have a generation who cannot comprehend either the distinctions or the reasons why those distinctions are important.

1 Like

This is like a bunch of middle-aged (pejorative)'s acting like they’re fresh (body part)-ed virgins.

Commercial backdoors. Govt backdoors. Alien backdoors.

We’ve had more traffic through our backdoors than… :astonished:

Aside from that, secure.

Webcams are easily hackable. Thus 2 Factor Authentication is a MUST. The same applies to your Home Internet Router which comes with a default user name and password. Many people do not know that they should change the access to the router itself.

A webcam can be hacked without hacking the actual user account. And I’m not sure that Wyze’s implementation of 2FA applies to the actual camera. If every time the camera got a firmware upgrade I also got an SMS text about 2FA for the camera, I would be putting the camera out of its misery by hitting it with a hammer.

2 Likes

Yeah that’s simply false. Newer “webcams” like Wyze’s don’t receive unsolicited traffic on open ports. Instead they sit behind consumer routers and make outbound connections ONLY. They essentially cannot be hacked without compromising the “actual user account”.

Obvious exception was the Wyze local network only vulnerability.

You mean hackers never use phishing attacks to compromise user devices connected to their local routers… Wyze 2FA only protects the app on the initial logon, and if the app is not logged off and is never re-authenticated when the Wyze app starts again, there will never be a problem.

In that case your account was not hacked; the customer just allowed the Wyze app to start and not re-authenticate.

Please elaborate on how cams are easily hackable.

The last few home routers I’ve seen don’t have a default uid/pwd and they all come with WAN access turned off, if it is even an option. Commercial routers often have default uid/pwd but they pretty much figure you should have a clue if you’re setting one up.

3 Likes

2FA doesn’t protect against phishing attacks that can take control of your device. The only thing that is 100% effective against those is an educated user.
Most breaches today are the result of phishing. Much easier to have someone give you access than it is to hack from the outside-in.

2 Likes

If you use a 2FA Yubico Authenticator app rather than the Google, LastPass, Authy, etc. apps, even if you ‘lose’ your phone nobody can get / use / see the generated codes on the app, as it needs a USB / NFC key to activate it every time.

Ok, it takes a couple of seconds more, but so so safe.

1 Like