Response to the 3/29/22 Security Report

Well written and excellent points!

6 Likes

As noted above, I agree with the timeliness issue.

But you should know that giving out your wi-fi password willy-nilly is far more risky than the security issue here. Routers/Modems have many security features that protect people’s home networks and those are useless against someone who has local access.

The issue, as described by BitDefender, wouldn’t even be hacking if you have LAN access. It would have been trivial for you or any individual to access your Wyze camera (IF AND ONLY IF you put a MicroSD card into it, according to BitDefender). No specialized skills necessary, no hacking required. (The hacking part would only be required to gain access to your home network).

Far greater danger comes from someone who has persistent access to your LAN (e.g. someone with your wifi password).

Just want to give some context here.

6 Likes

If it were the “first straw” I might be able to let go. But it isn’t. For me it’s the “last straw” of way too many irritating and obnoxious ones before.
So my new cams are arriving tomorrow. I’ll have them running this weekend hopefully. And Wyze can go and be whatever they want to be, but it will be without me.
You took no responsibility at all in your statement. None. Zero. Zilch.
You have plenty here to explain. And you didn’t. So best of luck to you. You’ve had all the money from me that you ever will.
Goodbye.

5 Likes

This is the only part that surprises me a little. As @carverofchoice said to much comedic effect, web access is something users have been requesting for a long time and it’s surprising that no one stumbled across that before. I wonder how the necessary URL needed to be crafted…

2 Likes

I’m hip to your point about “giving out wifi passwords willy nilly” but that’s a pejorative judgement that is beside the point. Not everyone lives in a robust 5G or even LTE location. In that case, allowing a visitor access to the LAN is humane. I would hope a LAN owner would have guest access set up beforehand or at least change the LAN password after the fact, but human beings are imperfect and/or technology advancements commonly outpace users’ knowledge and they don’t always understand the risks of using it. Not everyone reads the TOS or privacy notices. Not everyone believes or understands the significance of Edward Snowden’s whistleblowing nor understands how the Patriot Act affects their lives. Technology has introduced a profound erosion to any realistic expectation of privacy. That means we all need to try harder and be much more vigilant in our efforts to protect our privacy.

BUT all of that is irrelevant to the fundamental issue in regard to Wyze’s irresponsible behavior. When a company becomes aware of a vulnerability in their products or services that is contrary to their customers’ interests, the company has an obligation to inform their customers in a timely manner.

Everything else sounds a lot like victim blaming designed to distract and deflect.

4 Likes

After disabling motion videos for 12 seconds and all the other issues, I’m finally done with Wyze. And for the person that wrote their giant article above, good luck with you buying all the v1 ones on the market, cuz mine are going in the trash along with the rest of my cameras. I’ll be switching to Blink and won’t be looking back.

1 Like

You do know that the 12 second videos can be restored (and for free) by subscribing to Cam Plus Lite, right? There are several posts and walkthroughs if you’re having difficulty doing so.

2 Likes

I tried and it wants me to subscribe and pay. I don’t see any other way.

You can click custom amount and enter 0. Make sure you’re on the Cam Plus Lite page. You’ll need to do this from the website and not the app.

8 Likes

Hi. Does this security vulnerability apply to the Wyze V1 Pan Camera? I’ve not seen anything referencing that product, just the V1 Wyze Cam. I have V1 of the Pan Camera.

1 Like

This was a huge blow for Wyze. They have lost my trust. They knew for 3 years there was an issue here. What if in 3 years we find out that cam plus had a flaw and our cloud recordings are in the wild? You want the risk of a company not telling you that the inside of your home could be watched?

I don’t.

1 Like

Thanks, but they lost my trust. And I don’t have to do anything with Blink, so I’m still trashing my cameras. I have them at a few properties and will never recommend them to anyone anymore.

The vulnerability that was exposed was minor, to be frank. Someone would have to have already accessed your wifi. Unless you’ve turned off and bypassed all the security measures on your router, you weren’t vulnerable to this type of hacking.

And it’s highly unlikely that someone who would have the know-how to do all of this once they could log onto your home internet would target regular people anyway. They’d spend their time on much more profitable targets.

Honestly, I really think this is a mountain out of a mole hill situation.

4 Likes

Oh, I agree, but the fact that for 3 years they didn’t report it to consumers? Think about this. You have the locks changed on your house. You find out 3 years later that the locksmith failed to tell you that with minimal manipulation your doors can be opened. These cameras are used for people to keep an eye on their property, loved ones and for security. You can trivialize the security problem, but the trust is lost. Many people could care less about integrity, and in our connected world people are willing to compromise that. No thanks.

1 Like

@UserCustomerGwen - mostly just tagging you to make sure this is read.

As a software engineer myself, I understand the limitations in the v1 cam and that any patching takes time. I also understand the local access limitations, and how ‘access to internal network traffic’ is a barrier to easy exploitation.

However, there are failures here that I think Wyze will need to demonstrate that they will learn from:

  • Disclosure timeframe - We would all love to say patches should be ready within minutes and deployed, and we can know about specific risks within a day or two; the majority of us also realize that’s unrealistic. However, waiting years to disclose a security bug - even a patched one - is frankly unacceptable. Without disclosure, users can’t evaluate their risk.
  • Disclosure detail - The community of curious security researchers - those who would care about exact attack vectors, proof-of-concept code, etc. - is small. However, disclosing the specific risk, exacerbating and mitigating factors, and other pertinent details is important. Again, without disclosure, users can’t evaluate their risk. The v1 retirement message - that you can’t guarantee the security - is no replacement for knowledge of specific risks. Yes, you don’t want to tip off about weaknesses before users can patch or replace devices - but there is a difference between ‘theoretical issues’ and ‘known issues’.
  • Defense-in-depth: Security isn’t just as good as the weakest link, it’s a combination of the weaknesses in all links. Access to your wifi (or, theoretically, wired network) is not that high a bar; malware on a PC or other IoT device is not uncommon. WPA2/WPA3 encryption will inevitably be broken as a whole, and some bad implementations are vulnerable. You protect every link as much as possible.

One thing that is important to note here is that while there are technical failures (this bug, overreliance on network security), a lot of this comes down to communication. Being frank with your customers is important, especially if you’re a security company.

In fact, that last part is part of why I’m writing this message. It’s a very bad look for a company with a security kerfuffle - even if they think they are in the right - to send out ‘Sign up for Wyze Home Monitoring’ to ‘Make your home as secure as possible’ during issues like these.

Wyze needs a real mea culpa moment here. Not firing a scapegoat, not a bunch of fluff to ignore it, and not a bunch of products, features, sales or offers to move to a different narrative. Wyze needs to communicate clearly what has changed, what still needs to change with their culture, and how they plan on regaining lost trust.

For an interesting comparison, consider LastPass. I don’t use them anymore (they’re walling off features and not really improving the product anymore), but I started using them after they announced a semi-successful hack. Why? Because they detected the hack within hours, notified users in less than a day, described how the risk was limited (the values captured were hashed and salted, though this isn’t bulletproof). Most importantly, they implored users to change all stored passwords and warned them early enough that it was guaranteed to be effective. Hugely annoying - but practical and effective!

Vulnerabilities and attacks can be success stories, but you have to do the right thing and communicate well!

10 Likes

You’re comparing apples to oranges, quite frankly, and it’s not a good comparison at all.

1 Like

I agree with your overall assessment of the flaw and agree that I would have considered it more of a feature than a problem. The real issue is the lack of transparency by Wyze.

3 Likes

The vulnerability that was exposed was minor, to be frank.

Yes it was.

All that “drama” :triumph:

3 Likes

If it was so minor, why not disclose it? The more people say it’s a nothing burger because it would’ve only affected people who were doing something that deserved it, the more I hear, “she was wearing a low cut blouse. So…”

When did v2 come out? Depending on that factor, the implication is that Wyze chose not to disclose it for fear of it impacting its bottom line pending release of the v2.

Can anyone add light as to the timeline of the Wyze product releases?

The solution to ending “the drama” as you call it is for everyone and especially Wyze to admit they failed in their duty without qualifiers and excuses.

1 Like

You can try to sum it up with a simple idiom, but I’m done.