This is not secure

This thread on reddit is so very interesting. And so very over my head.

Still, I struggle to understand because I Sense there are core issues being discussed here. And I like. Core. Issues.

TinyCam Pro developer @alexey.vasilyev seems to me a skilled and insightful player in the smart cam space. As does Wyze’s own Senior Director of Technology & Services, @Frederik.

I wonder if these two would be interested in batting around the subject opened here (as their valuable time allows.)

Fortune favors the bold, they say. So I’m asking. :slight_smile:

Like this comment (or “hear hear” below) if it interests you as well.

4 Likes

I found this topic and sent the OP to get discussion going. I also asked two computer dork friends of mine that speak this very involved language to get a better understanding myself. So from what I’m gathering, there are moments when the integrity of our data is not in our hands. While this disturbs me a bit, I think it’s important to keep it in context. You and I are paying for a bad ass $22 camera that makes things super convenient. I doubt seriously that a $22 camera can provide NASA-worthy security protocols. That said, I also don’t want to put it in my kid’s bedroom for Grandma and Grandpa to be able to tell them goodnight like we used to.
I am however going to buy 7-8 more of these cool little cameras and put them around the outside of my house/garage and in indoor places where naked people will not be exposed.

If you want top level encrypted data, don’t expect it from a $22 camera. Get ready for cameras in the 3-4 figure range. If you want a kick butt camera for fun things, this appears to be the best thing on the market IMO.

Just my 2 cents!

chris

3 Likes

In Russia, NTP servers do not accept requests for time. Russian NTP servers tell YOU what time it is!

:rofl: :computer::fist_right::eyes:

9 Likes

For me this boils down to trust. Is any one or any thing trustworthy? Is trust a quaint concept like privacy? “Don’t debilitate yourself with unrealistic requirements - embrace… it.” Whatever “it” might be today, and transform into tomorrow.

The TinyCam Pro program launched about eight years ago according to its page on Google Play. It has a rating of around 4.6. @alexey.vasilyev speaks forthrightly and persuasively in the forums. I see no substantial indictments against him on the boards. I am persuaded to trust him with my Wyze credentials because I WANT to use his excellent app.

At the same time I am advised by Wyze (in one instance on reddit by @Frederik) that “providing [Alexey] your user name and password is at your own risk and is not recommended…”

It’s an interesting dilemma.

Frederik says above, “We even bet the company by not accepting a round of investment that would have not favorably served our customers.”

Having spent three skeptical months on these boards I have come to believe I can trust Wyze and Frederik in that claim. It’s a claim I can enthusiastically endorse. I WANT to. And now I believe it is well-founded to do so.

So, roughly, Alexey says Wyze’s P2P protocol is untrustworthy. Frederik says giving Alexey your Wyze credentials is a questionable action that Wyze can’t endorse - but will not prevent.

What’s a dimwit to do?

One follow up to my response. Only Wyze can initiate steps 2 and 3 when connecting to the livestream. So ThroughTek cannot eavesdrop on the camera.
That’s the response I got from engineering.

5 Likes

tinyCam dev here.

Do not trust any cloud cameras, e.g. Wyze, Nest, Arlo, etc. Period. All credentials are stored on the server and service admins have access to them. So they can view video from your camera and watch recorded video stored on AWS if they want to. And you will not be able to notice that.

Wyze uses P2P developed by TUTK for live view and HTTPS for getting credentials and uploading video to AWS.

The TUTK P2P protocol is quite strange. I do not see a valid description of the P2P protocol or an open source implementation. TUTK provides precompiled binaries for every P2P camera manufacturer, e.g. Wyze. I highly doubt that it is secured. AES 128 does not mean anything IMHO. There can still be a backdoor. The HTTPS protocol is secured.

Wyze made some improvements over TUTK P2P for encrypting credentials. At least TUTK admins will not have access to your live stream (if there is no backdoor, of course).

P.S. You should not trust apps either. However, it is always possible to decompile Android apps and check what the app is doing.

3 Likes

I don’t know how the rest of you feel, but when I’m not home, I frankly don’t care if some guy in China is looking at my feed. Enjoy it.

However, when I’m home I don’t want anyone to be able to see my feed, including Wyze or Amazon. So the interior cameras will be physically turned off with smart plugs.

At my cabin in NH, they are all always on, and then I unplug them when I arrive.

1 Like

Hi Don, I get what you’re saying. I run a lot like you.

My problem with this is that if you don’t stand on principle because, it’s not culturally valued, is a futile endeavor, I-can-take-informed-measures-to-protect-myself-and-will, etc, then the hoi polloi, who would be about as likely to change a setting or take prudent measures as a squirrel would be to stare at a smart phone all day, gets a long deep continuous drubbing and those protecting themselves by being informed and taking prudent measures (us) are forced to take ever greater measures because the trend away from principle is strong and getting stronger every day until, one day, there’s no more principle to stand on. Oops?

Based on the info in the thread above, would you use tinyCam software with your Wyzecam products?

  • Yes
  • No


If you weren’t Alexey but Joe Blow user, how would you vote? :wink:

If there would be another choice, I would vote for not using cloud cameras inside your home. Use it outdoors :wink:

1 Like

As long as they are transparent, then I’m fine with it.

If I was motivated enough, I’d have local IP cams streaming to a NAS. More secure and private. But this is a trade off for having the luxury of easy setup and 5 cams installed for less than $150.

The people really getting screwed are the people paying $150 for a single Nest Cam who still have these same privacy issues.

4 Likes

Would you be willing to pay more for a Wyze v2 cam with ALL privacy and security issues resolved?

Let’s say double the current price ($50) would be the minimum required to support release of this Unicorn Cam. :unicorn: Are you on board with that?

How about tripling, or quadrupling? At what price point would you balk?

I would pay at most:

  • Not another nickel ($25)
  • Double ($50)
  • Triple ($75)
  • Quadruple ($100)


As long as they are recording outside your own network there will always be a possible security breach. This makes the poll impossible for me to answer. :slight_smile:

2 Likes

Hi Angus. So Alexey’s

is definitive.

We’re all stuck wearing virtual condoms (taking prudent measures) for the foreseeable future. I think maybe @gemniii influenced me a little in this :unicorn: hunt. :slight_smile:

Still, do you think the poll holds in the “Are you willing to pay significantly more for “perfect” security” sense?

Core issues update: Privacy | Security | Trust | Money.

1 Like

Dear Wyze, thank you for the license you grant community members to explore relevant topics that move them. Nothing ventured nothing gained is valid, in my experience, and as a young company you seem to understand this.

May you grow older with this wisdom intact and active.

If my appeal to principle (above) appeals to you at all, consider searching outside your filter bubble (we all have them) for the big 1st amendment event flying under the MSM radar this week. Press freedom. Worth preserving.

Cheers.

Why does TinyCam store the username and passwd credentials used to connect to a cloud camera in plain text?
This freaked me out when I first found out.

1 Like

Given that this is a Wyze forum, not TinyCam, you may want to try to contact the TinyCam developer about this.

3 Likes

tinyCam stores credentials in the app’s local folder, which there is no way to access if your device is not rooted. However, if you export camera settings to local storage or any cloud servers, usernames and passwords will be in plain text.

1 Like

Don’t trust these people. With Google’s model of the ‘Big Brother,’ even small companies started to mimic it and collect data from their users. I wouldn’t go as far as saying it’s spying for a foreign country, but I would definitely take it for granted that they are selling your data to advertising companies and to projects that work on developing AI.

1 Like