So interesting article (link at the bottom) and I have to say I am deeply disappointed that with as open as Wyze has been, they did not tell us of this happening and for three years before they decided to fix it. Plus all us first customers with first gen cameras will have to buy all new cameras because the older ones won’t get a patch fix as they are no longer supported. I have 6 first version cameras. Maybe a new company is in my future. Wyze confirms cameras were vulnerable to strangers watching your feed for years
Have you read the posts here:
Have you exposed your cameras directly to the internet? If not, highly unlikely anyone can access them.
Wait, what? Isn’t that nature of the camera, you know, accessing it through the internet?
Unless you have setup your router to allow direct access to the camera via port forwarding the answer is no. The router will block incoming traffic (i.e. connections from the internet) unless you specifically poke a hole to allow such communications. The Wyze camera and app both create outgoing connections to the Wyze servers which allows communication between the cameras and the app. You cannot open a web browser with a direct connection from the internet to any of your cameras.
It’s mostly a non-story. If you have a normal home router or cable company router or anything similar (and you don’t share WiFi with hostile neighbors), don’t give it a second thought. You are safe. Really.
Then how does this work and why was it a problem that needed fixing?
It works if someone can reach your camera’s port 80. No one in the world can do that if you have a home router. Period.
I imagine it had to be patched because it’s still a serious vulnerability for the VERY few granting public IP addresses to their cameras and for those who share WiFi with potentially hostile housemates or neighbors.
This is the worst advice I’ve ever seen on a forum.
Explain in minimal technical detail why that is so.
I’m betting your hat that you cannot.
I’m not sure what advice you find so bad. The postings from the press basically said that for someone to gain access to the data on your cameras, they either needed to be physically on your home network or you had to have done port forwarding to port 80 on the camera to expose it on the internet. If you didn’t do either of those things, your data was basically not at risk.
If someone was to gain access to and login on your home network then the data could be accessed…not the camera stream, just the data on the card. If someone has gained access to your local network, you have a lot bigger things to worry about.
I can. Direct access through your router is likely not a problem if you have a reasonably modern device. But, that is not the only way to gain access. A compromised pc (or any other device) is another vector. Malware attacks are happening all the time. Companies that spend far more time worrying about security than you or I do are the victims of ransomware. To assume it can’t happen to you is at best naive.
But again, that’s beside the point. Wyze has an obligation to relate these issues to it’s customers. If they don’t notify us if an issue that you think is no big deal, what are the chances they are going to notify us if a more dangerous attack. At no point has Wyze said they didn’t notify people because it was no big deal.
“Unlikely” even if “highly” is not exculpatory.
So who do you assign responsibility to if someone hacks your wifi? Wyze?
You can’t seriously say that - am already compromised PC means your router isn’t going to stop an unrelated inbound attack? That’s like saying your door lock is ineffective if a burglar is already living in your basement.
If your PC is already being remotely controlled because you installed malware then your router had zero to do with it.
What you’ve written here is nonsense and I have to think that you know it.
I’d be willing to take the blame for the sake of comity.
[Mod Edit]
NAT is NOT a security mechanism. NAT does not provide security. This is basic networking knowledge.
Having an insecure device on the network is an issue, period. Wyze allowed remote code execution on their devices for years. YEARS.
Leaving a serious remote code execution AND privacy bug in the product for two years is straight up negligence.
NOT patching an issue they knew about years before EOLing the product is also a crappy way to treat your customers.
Relying on hope and ignorance is not a security strategy. Screwing over your oldest customers is not a great product strategy either, but hey we all know Wyze’s business acumen is dubious at best.
There is no reason to trust a company that swept a serious security issue under the rug for years.
I’ve spent at least $500 on Wyze products, and I will never buy another one again or let them on my network.
MOD NOTE: Post edited to conform to the Community Guidelines.
How did the attackers get through people’s home NAT routers? Please show your work.
I never said anything about NAT. Why do you think I did. I have a router with a firewall. Can you tell me of any home router that allows inbound connections from the internet by default?
And for clarity your camera most likely wasn’t hacked: https://www.reviewgeek.com/113800/wyze-left-some-security-cameras-vulnerable-to-hackers-but-its-complicated/
"There’s a decent chance that hackers exploited this Wyze Cam vulnerability—Bitdefender and Wyze haven’t clarified that part of the story. But your cameras probably weren’t hacked.
As I mentioned earlier, this vulnerability requires access to port 80 on your camera. There are only a handful of ways for hackers to establish a connection with this port. Either they connect to your local network (which may be a guest network for some customers), or they intercept the port because you forwarded it to the internet."
Which is only inaccessible on most routers because of NAT
You are being intentionally deceptive and I’m not interested in continuing a conversation with someone like that.