I am also having the issue where my live web view keeps refreshing the page or logging me out every 5-10 minutes. I keep having to turn my camera’s stream back on and/or log back in. I also want to know if we were exposed to others during this security issue, will we be made aware by you guys? I am concerned about my privacy and would like more transparency with this issue.
I am also experiencing the issue of the Web View page refreshing every 5 mins or so and disconnecting the camera stream. This is not good. This started right after yesterday’s event and the site was brought back online.
This really shouldn’t be a surprise to anyone that’s familiar with WYZE…
I was seeing someone else’s Living Room too. I leave all internal facing cameras plugged into TP-Link Smart Outlets that are turned off until I leave the house and enabled thru Google Assistant routines. I have motion sensor notifications enabled on all internal cameras in case they are turned on by mistake…
2019 Wyze: Data Leak Exposes 2.4 Million Customers | PCMag
2022 Wyze Cam security flaw gave hackers access to video for 3 yrs - 9to5Mac
2023 Wyze security camera owners report seeing strangers' camera feeds | Mashable
WYZE marketing actually refers to them as Security Cameras - this is the latest “Wyze Cam Pan v3 Award-winning pan and tilt security, now weatherproof.” I refer to them as Insecurity Cameras when asked. You need to be aware of the firmware issues and the company’s history before you make a use determination.
And this, boys and girls, is why having cameras IN your home is not only creepy on multiple levels - it’s a bad idea.
Is there any way to lock down a camera so that any live streaming can only be done to local devices?
Not in the way you are thinking, no.
However, in this case, the issue did not apply to anyone who was not currently USING the webview and logged into it during that 30-minute window when it occurred. It did not affect anyone else. So it sounds to me like you don’t have anything to worry about if you don’t use the webview because it means you weren’t logged into it, which means it didn’t affect you at all.
I read a statement from one of the Wyze Co-founders who said that it showed a total of 10 different customers’ accounts thumbnail images (people could not access anyone else’s livestreams) who were logged into the webview in a browser in that 30-minute window before they took it offline and fixed it.
This also did not affect anyone who just uses the app.
FYI, this article is misleading and false on many levels. That issue did NOT allow “hackers” to remotely view the camera. Video could only be accessed by someone who was logged on to the local network (Router/WiFi). So there was actually little to no risk of anything and a lot of sites were misrepresenting the truth because clickbait sells. I was actually extremely disappointed that Wyze “Fixed” this issue, because it has always been one of the most popular requests people have been asking Wyze to do ON PURPOSE for years now…then we suddenly found out it was possible and taken away from us in one fell swoop. My reaction to this “vulnerability” was as follows:
The only problem with this issue was that Wyze didn’t tell people for a long time and then “fixed” it. I personally wish it was never “fixed” and was just treated as a Network drive. Nobody gets on my WiFi without permission anyway, and I have a guest network with Device isolation anyway to keep guests out of anything important.
Point is, the second “issue” shouldn’t actually be considered a security issue IMO since it didn’t actually allow any remote access as sites falsely kept misrepresenting for clickbait purposes. Some of them even made corrections later, but 9to5Mac is obviously not one of them.
So far I’d say Wyze’s major issues are:
- Data security breach
- Taking a long time to tell us about the local SD card access (not really an issue that it existed though)
- Caching issue that leaked cache thumbnails, etc. for 10 customers. Thankfully nothing compromising for any of them as far as I’ve seen so far, but still something that should’ve never happened. I think Wyze’s response was fairly reasonable (they shut it down within 30 minutes, fixed the global caching issue and explained what the problem was).
Steam had a very similar caching mistake, though they are bigger and theirs lasted for 90 min. So props to Wyze for responding in 1/3 of the time. I am not totally sure which was worse though…Steam leaked payment information for TONS of customers, and Wyze leaked some thumbnails for 10 customers. I think Wyze lucked out that none of the images were compromising.
Hopefully people think twice about where they allow internet cameras from ANY COMPANY to be (avoid bedrooms, or privacy critical areas). And hopefully companies figure out how to make sure their website caches never accidentally switch to “Global” caching again.
This is happening to me too and it’s most frustrating!
I only have my Wyze Cams Outside and in a Barn just for reasons like this.
You cannot trust Wyze or Any camera platform online to be really 100% secure all the time.
Any unknown or unpublished open port or back door vulnerability on any device that has Internet access is a security violation. That’s not an opinion, it’s an industry standard.
In addition to the SD card flaw which allowed access to log files containing the UID (unique identification number) and the ENR (AES encryption key), the Federal Government published these…
https://nvd.nist.gov/vuln/detail/CVE-2019-12266
https://nvd.nist.gov/vuln/detail/CVE-2019-9564
Every successful IT hack/breach involves gaining unauthorized access to a device which is connected to the internal network [LAN] and has internet access [usually] protected by a firewall. It’s false logic to justify a security flaw using a comparative analysis against other companies’ failures. Anyone who doesn’t consider these security vulnerabilities a problem shouldn’t be a part of IT especially when it involves infrastructure and/or network security, which I’ve been [successfully] doing for 20 years, on an enterprise level for companies with a global footprint.
I’m getting this problem as well. Multiple times an hour web view decides to refresh itself, so I have to press play and maximize again over and over. It’s getting really annoying. I mean, at least it’s not making me do the captcha every time it refreshes, but it’s still annoying.
Me too, I’m experiencing the same issue on desktop - every so few minutes have to hit play button again as viewing just stops! It’s supposed to be continuous - what is going on?!
I did read that, but for peace of mind it would be nice to have a setting where live streaming can only be done locally.
Yes! I agree that this would be an awesome setting option! I wonder how much effort it would take to implement something like that. I know the initial authentication has always required the internet to confirm with the Wyze server that your phone is authorized to access the camera feed, but after that, the Livestream to the app is peer-to-peer, and thus totally local if you’re on the same local network with the camera, so what you are asking for is a reasonable possibility.
I think the main questions would be how hard it is to implement and whether it would end up causing lots of people to accidentally toggle that setting on and then complain that they can’t access their cameras away from home or whatever and flood support with extra costs from it. IDK. Just thinking of how feasible it may or may not be. But it is an interesting idea.
Please STOP my page from refreshing! This is super annoying!
Can’t even see my own stream without interruptions!
Strange, last week “Kitchen Cam” became listed in the live pc version of the viewer while viewing my front yard cam and I have only one cam. Never liked the live viewer. I wish WYZE would bring out a Windows viewer that is not a beta version and has more features than just Live View and Events. I need full time monitoring using a mini pc that’s located next to my work pc. Will not bother using Blue Stacks.