Security hole with Wyze Cams was not disclosed to users?

I would call that the most concerning part.

  1. I’m really not too concerned that Eufy had some thumbnails in the cloud (despite promises everything was local…it does kind of make sense that if it is sending an image with the notification then that image had to go through their servers, so I can cut them some slack there, and it is easy enough to disable thumbnails if that is important to someone).
  2. And from what I am reading, not just anyone can easily view the stream unless they have:
    • Serial Number of the camera (not easy to obtain remotely…it would basically have to be someone you know and trust already)
    • UNIX timestamp
    • hex key (they say it can be brute-forced in theory…assuming someone has ALL the other information, though I don’t know how Eufy’s servers would react to repeated suspicious brute force patterns like this…honestly after a few failed attempts it should do something to prevent or stall it. Plus you can’t run brute force in VLC, so it seems like you’d still have to do something to keep testing every individual brute force attempt to see if it shows the stream…IDK, I haven’t read of anyone proving how easy the brute-force hypothesis would be here, but I don’t claim to be an expert)
    • A validation token…though apparently you can just make one up because it’s not limiting things like it should.
    • It must be a little more complicated than sensationalized articles are making it out to be because everyone keeps saying the details are tricky and they aren’t releasing the exact methods (to prevent bad actors from doing it), so it’s obviously not as simple as they want people to believe.

I think it’s still pretty unlikely for anyone with eufy to be at risk.

As for the Wyze issue, to me, I am mostly sad Wyze “fixed” it to be honest. We’ve been BEGGING Wyze to make it possible for us to access our Camera SD cards through our own WiFi. It’s one of the most requested wishlist items. We’ve been begging Wyze to allow this ON PURPOSE for YEARS. Nobody outside of your secure WiFi could ever access it, so…to me it was more of losing a feature I wanted but didn’t even know was there. :man_shrugging: I do get that some people were sad Wyze took so long to make it public, but it really wasn’t much of an issue IMO.

I am laughing at reviewgeek though…their article says they can’t recommend Wyze or Eufy anymore…even though the Wyze issue came out MANY MONTHS ago…so I ran a site search on them with the word Wyze and saw they’ve made several recommendations for Wyze products since then, including the V3Pro and the Mesh Routers and they appear to be using an affiliate/referral link in their articles so they can get paid for the referrals that they recommended to buy those Wyze products.
So…make of all that what you will, but I call total BS on their claim about not recommending new Wyze products. They’ve clearly been doing that for months since Wyze’s issue came out. It doesn’t make sense to suddenly punish Wyze for something Eufy just did, and they didn’t really care when Wyze’s issue actually did come out because they’ve been recommending Wyze products since then. So I’m just saying, something doesn’t smell right with their claim in this article. I think I’m getting a hint of sensationalism for ratings rather than honesty. :man_shrugging:

I guess I could be wrong though.

2 Likes