Response to the 3/29/22 Security Report

To me, people here that are equating this to something similar to someone giving them keys to your house so they can walk in on you in the shower are a bit out of bounds. Security vulnerabilities in IOT gear, or any connected tech for that matter, are going to happen. No doubt. You can look through reports and find vulnerabilities for basically every tech company out there. Some go unpatched forever.

My point is we need to focus on what we’re mad about here.

3 years is much too long to secretly hold onto the knowledge, definitely. Wyze must do better with that, because trust is hurt with this as people don’t know that when a new vulnerability is found that it will be addressed timely. In my view the correct response (since the v1 was EOL already) would have been to immediately release the info and advise to stop using v1. However, we as consumers also must understand that technology is not supported forever and at some point products stop being supported and we cannot assume that EOL products will ever be fixed. That’s not an obligation at that point.

IOT is inherently risky no matter what company you get products from. It’s a trade off for the accessibility/ease of use. It’s short-sighted to expect those products to be supported forever.

Last thing: To those referencing that you give out your wifi password to every visitor you have…please learn about guest networks. That way you can share your internet connection with everyone you see in the world, but they don’t have immediate access to everything on your LAN. It’s still not great to do that, but it beats letting everyone on your LAN.

4 Likes

Could there have been discussions about it because the original report dates back to March 2019 and your statement comes 3 bloody years later in 2022?! Seriously lousy response . . . just sayin’ . . .

1 Like

Exactly!

1 Like

Spot on

2 Likes

Perhaps the point is what many call transparency, not the graveness of the vulnerability. Having worked in numerous IT management functions (with some companies significantly larger and some smaller than Wyze) I know of few businesses which wait 3 years to talk about a security report. Folks are unhappy with the response, or lack thereof, more than the type of vulnerability.

3 Likes

Wow what a mess on the forum.
If there is a network plug or WiFi, you have to take into account that hackers can get to it if they want to.
I’ll be ordering a few more beautiful V3 models in the near future.
Have a nice day.

2 Likes

Exactly. Security is an illusion. Their employees and system have back doors to allow tech support and flashing of firmware. My piss is about the lack of disclosure.

2 Likes

I mostly agree with you, especially on the subject of Wyze’s irresponsible behaviour. However, the humane thing to do is to turn on what we used to call “guest network” at Cisco, long ago and far away …

1 Like

Messy indeed.

But I did get a WyzeLock today for 1/2 off. :joy:

2 Likes

Yep. I said that in a previous post myself. Thanks.

“We were transparent with our customers and disclosed our inability to continue to offer necessary security updates in an email announcing the end-of-life (EOL) for this product. For security reasons, we again chose to remain prudent about the specific reason why until now to limit the risk to all of our affected users across affected models. We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam v1 owners to discontinue the use of these products.”

Which PR firm did you hire to wordsmith this? And how do you blame customers for not heeding your “vaguely worded emails?” Sounds like you’re blaming the victims here for not intuiting the actual danger you failed to convey.

Also, the part I’m not clear on is you say “only if they accessed your network”. How many IOT devices have allowed exactly this? Remote access to networks?

I’m sure it’s all hands on deck right now but @UserCustomerGwen please clarify the level of access required for camera access.

Thanks.

2 Likes

Since v2 came out about a year after the v1, should we expect the v2 to be EOL in about a year? Or is it more realistic to expect the v2 EOL announcement to occur about 2-3 months prior to the next round of vulnerability disclosures?

I’m annoyed with the 10 mins I wasted reading this drama.

If you’re annoyed with Wyze, you’ll probably also be annoyed with hundreds of companies, especially auto dealerships.

Furthermore, human behavior itself is monumentally more frustrating, if one were to objectively evaluate it.

3 Likes

Q.E.D.

1 Like

LOL @raygam. You said it better than I could’ve.

I’ve said it elsewhere and it bears including here:

There are effective ways of bringing an end to drama and lessening the controversy when a mistake is made.

OR you can do what Wyze did and is continuing to do which is feeding the continued flap:

  • Refuse to admit a mistake/betrayal of trust was made.

  • Refuse to take responsibility for the mistake/betrayal of trust.

  • Refuse to listen to and respond appropriately to those who express a feeling of betrayal of trust.

  • Discuss the incident in a vague or evasive manner.

  • Make excuses and attempt to shift blame.

Please, Wyze. Just admit you should’ve done better, full stop, without excuses. Announce your plan for how this kind of thing will be avoided in the future. And endeavor to make amends.

3 Likes

It’s dead already.

439

1 Like

I’m out. The lack of true accountability and ownership here is galling.

1 Like

From early on, there were questions about Wyze. I understand that they use Alibaba cloud service which would allow the Chinese government to access all recordings. Ignoring that (which is a big concession) this new disaster is incomprehensible. Wyze tiptoes and sneaks around plugging their leaky garbage products so that people keep buying. Clearly Wyze is not an internet hardware producer, you are a database manager, and we are your source of information. Who knows what or to whom you sell the data. So to quote Gizmodo.com: “If you have a Wyze security camera, my suggestion would be to rip it out of the wall and throw it in the nearest trashcan.”

Nope. Just concerns over where the P2P director servers - that carry zero video traffic - were located. Nothing to do with Alibaba either.

Moronic scaremongering writer Lucas Ropek has already backtracked after someone finally explained to him what a router is.

6 Likes

You don’t need to be at all security savvy to have a router with NAT (all home routers have it) and thus be protected from this exploit. In fact, you’d need to be somewhat security savvy to have a camera that was actually vulnerable to this exploit from the internet, as you would have had to intentionally put the camera into a DMZ or forwarded port 80 to the camera in question. Now, if they are on your LAN, it’s a completely different story, but generally you have to assume that most devices on your LAN have at least a couple vulnerable ports open, with known default passwords or the like.
It is notable that this vulnerability wasn’t protected by any authentication mechanism, but when hardcoded support admin usernames and passwords for most devices are leaked within weeks of their release to the security community, it’s not really any less secure than any other device on your network.

4 Likes