Response to the 3/29/22 Security Report

@UserCustomerGwen - mostly just tagging you to make sure this is read.

As a software engineer myself, I understand the limitations in the v1 cam and that any patching takes time. I also understand the local access limitations, and how ‘access to internal network traffic’ is a barrier to easy exploitation.

However, there are failures here that I think Wyze will need to demonstrate that they will learn from:

  • Disclosure timeframe - We would all love to say patches should be ready within minutes and deployed, and we can know about specific risks within a day or two; the majority of us also realize that’s unrealistic. However, waiting years to disclose a security bug - even a patched one - is frankly unacceptable. Without disclosure, users can’t evaluate their risk.
  • Disclosure detail - The community of curious security researchers - those who would care about exact attack vectors, proof-of-concept code, etc. - is small. However, disclosing the specific risk, exacerbating and mitigating factors, and other pertinent details is important. Again, without disclosure, users can’t evaluate their risk. The v1 retirement message - that you can’t guarantee the security - is no replacement for knowledge of specific risks. Yes, you don’t want to tip off about weaknesses before users can patch or replace devices - but there is a difference between ‘theoretical issues’ and ‘known issues’.
  • Defense-in-depth - Security isn’t just as good as the weakest link, it’s a combination of the weaknesses in all links. Access to your wifi (or, theoretically, wired network) is not that high a bar; malware on a PC or other IoT device is not uncommon. WPA2/WPA3 encryption will inevitably be broken as a whole, and some bad implementations are vulnerable. You protect every link as much as possible.

One thing that is important to note here is that while there are technical failures (this bug, overreliance on network security), a lot of this comes down to communication. Being frank with your customers is important, especially if you’re a security company.

In fact, that last part is part of why I’m writing this message. It’s a very bad look for a company with a security kerfuffle - even if they think they are in the right - to send out ‘Sign up for Wyze Home Monitoring’ to ‘Make your home as secure as possible’ during issues like these.

Wyze needs a real mea culpa moment here. Not firing a scapegoat, not a bunch of fluff to ignore it, and not a bunch of products, features, sales or offers to move to a different narrative. Wyze needs to communicate clearly what has changed, what still needs to change with their culture, and how they plan on regaining lost trust.

For an interesting comparison, consider LastPass. I don’t use them anymore (they’re walling off features and not really improving the product anymore), but I started using them after they announced a semi-successful hack. Why? Because they detected the hack within hours, notified users in less than a day, and described how the risk was limited (the values captured were hashed and salted, though this isn’t bulletproof). Most importantly, they implored users to change all stored passwords and warned them early enough that it was guaranteed to be effective. Hugely annoying - but practical and effective!

Vulnerabilities and attacks can be success stories, but you have to do the right thing and communicate well!
