How do the QR codes work?

I was thinking about modifying one of my cams to be telephoto capable so I could keep track of a problem with an intersection near my home.

And it occurred to me. If I modify the camera to only see/focus hundreds of feet away, how will I ever change its networks again? Will I need to screenshot the QR and print it and send someone running down the street to hold a paper? Will I need to call up a neighbor with a big TV and Android Screencast and text them the QR while I peek the camera in their window?

What is in the QR code anyway?

So I decoded one: (and of course mixed some characters around for modesty…)

the android qr app says it’s a “TEXT” type QR code with Metadata “L”. The text is:
b=2365324c-4ced-c4&s=VINFwQ==&p=WhgKltRcTEbU2IuMmQ==&t=-5&r=USA&ty=1

So it’s not a url. (It wouldn’t need to be I guess, since Wyze inc knows their cameras know what to do with it and they have incentive to keep it small.) Interesting that it looks like part of a url though.

I’m assuming b is either my account ID or a temporary association token
s is ssid base64 encoded
p is password also base64 encoded
t is timezone
r is country of course
ty I’m not sure about. maybe daylight savings time?

How are b and ty used?

Interesting that b is ascii-represented hex bits, but they used a different encoding for p and s.

Could I theoretically print out these qr codes to stick on the wall to make adding cams easier? If not, why not? How long are they good for?

1 Like

I can confirm that taking a screenshot of the QR code and printing it out to scan it has been successful for someone else.

If you posted the exact information contained in your QR code, might I suggest you change your account information since it may contain the information someone could use to hack your account? Also, I’d suggest 2 factor authentication to prevent this, and edit the above information, substituting fake characters as mere examples, rather than the actual information.

The QR code should be valid as long as your Wyze account information and network information remain the same. But you can always screenshot a new one at any time and print it off and run down the street. :slight_smile: or temporarily swap for a different lens, or tack on a different lens to shorten the distance or something. I’m sure there are many solutions.

Interesting, thanks. So the SSID and the password are essentially in the clear? That is not great, though also not a huge exposure by any means.

Personally I think the most logical approach is simply to do another temporary lens swap if and when you have the rare occasion to need a network change.

1 Like

IDK. I’m not bothered by it at all. If someone has such a good view of my phone during the short time of pairing a wyzecam, they can have my pw. Enrypting it effectively would require public private keys that could increase chance of breaking, and would at very least make the QR code bigger (more detailed) which is aproblem on phone screens which are often cracked [mod edit].

MOD NOTE: Post edited to conform to the Community Guidelines.

1 Like

So you’re saying it’s not a huge exposure by any means? :wink:

I’d be more worried about the NON QR code devices. You can easily contain visible light. Close the window. Push that russian spy who’s leaning over your shoulder away.

Some Wyze devices do their setup over RF. plugs and bulbs for instance. I have two old and two new plugs. The old ones use an unencrypted wifi network. Neighbors within 50-100 feet could be listening to and recording all wifi channels, like I do, and if so they very likely would get a copy of my credentials with no way for me to know if they received a copy or not. And to protect against that I’d have to put my whole house (okay, just me, my phone, my access point, and the wyze device) in a faraday cage, WITH an ethernet cable passing through the cage.

Bluetooth might also not be encrypted. That I will only speculate. But open wifi… any teenager can download Backtrack linux, put on the requisite eye shadow, and tell you how elite they are, while puffing on a vape pen.

You’re handing the plugs and bulbs only your WiFi credentials, no? Not the Wyze account credentials. So the exposure is still pretty limited (depending on the security of individual components on your LAN). If you were concerned you could go somewhere else isolated during initial setup, I suppose.

“go somewhere else”. Yeah, just bring with me:

My phone
My wyze devine
My Access point
My ISP…,…

Actually it just occurred to me I wouldn’t have to bring the same ISP I use at home. The access point yes though

Just bring a spare phone in hotspot mode set to the same SSID you use at home. Pretty trivial…

So. You’re telling me that if some yahoo brings an phone in hotspot mode of their own and parks in my driveway, my wyzecams might leave my own AP for theirs just because the name is the same?

I expected after setting up wifi, the Wyze devices would stick to the same AP mac address at very least

Basically no devices, Wyze or otherwise, are that loyal. And of course I mean using both the SSID and the passphrase. Didn’t you say you were an IT professional?

I very much am, but you need to concern yourself more with what you are.

How are you using the word loyalty?

Machines don’t have emotions last time I checked.

Huh? What I meant is that of course all of your devices will happily connect to any access point if the AP offers the same SSID, encryption protocol, and passphrase as those used on your devices. It’s how WiFi works.

Very few devices of any kind use the AP MAC address, they only care about the SSID name, the encryption type and the password. This is done intentionally throughout the industry and makes it easier for people to upgrade routers. I take advantage of this when I travel. When I went to Hawaii last fall, I took a Wyze cam with me and connected my laptop to the hotel WiFi using a VPN, then turned on the hotspot to mimic the SSID and password of my home WiFi, and my Wyze cam and all my family’s devices could use internet securely through my VPN without any risk of anyone being able to spy on anything we did.

There shouldn’t be a fear of someone intercepting your devices using a hotspot since they’d have to have and use your same WiFi password anyway, and if they have that, then using a hotspot at your house serves no real purpose anyway, and the risks to you are FAR GREATER than them trying to get your cameras on their hotspot.

However, I will say that several of my early Wyze devices did actually hate switching to a new router. They would refuse to connect to anything but the router they were originally set up on. It drove me crazy. Some eventually switched over after 1-2 days of waiting, but some never did and I had to go through set up all over again just so they’d connect to the new router even though it was using the same SSID and password. IOT devices aren’t supposed to do that, they’re supposed to be designed to only care about the name and password.

1 Like