This is not secure

peepeep · April 18, 2019, 1:51am

Update:

ember1205 · April 18, 2019, 9:35pm

Since this thread seems explicitly aimed at understanding exactly how much more I would be willing to pay for this exact camera with all of the security items addressed, that’s what I’ll focus on.

$0 more. Why? Because I don’t buy an item BECAUSE it’s inherently insecure, but I may be willing to buy it IN SPITE of it being insecure. In the case of this camera, I landed somewhere in between. I’m not aware of Wyze making any statements about the potential lack of security of the camera, so I could argue that I sort of bought it because I felt it WASN’T INSECURE. Still, it’s a pretty inexpensive device, so I don’t know that I had a lot of expectation of being secure (so I sort of bought it IN SPITE of it being insecure).

At the end of the day, this camera is extremely inexpensive and I’m ok (to a point) with the potential security risks. Wyze has specifically outlined information about various TUTK servers that are NOT outside of the US and how to get cameras to use THOSE. That’s a good step.

I’m more interested in seeing the app be enhanced with more useful features and I’d like to see my cloud recording remain in tact for a much longer minimum amount of time. Or, I’d like the ability to record all captures to SD-CARD only and to NEVER stream those in any fashion but direct from camera to app.

Personally, I HATE cloud services. I’m sick and tired of investing money into things that are completely dependent on these Internet-based hosts that go down, take my devices offline, or completely disappear when a company closed up shop leaving my products completely useless.

Want more money from me per camera? Give me an offering in exchange that requires ZERO dependence on a cloud offering of any kind (I’ll configure my home router to use Dynamic DNS and set the app up to find my router and connect in on its own, and when I’m on the local net, UPNP can determine the internal addresses of the cameras and not need the DDNS at all).

peepeep · April 18, 2019, 11:02pm

Actually, if it seems that way it’s probably my fault. I composed the poll/questions and I’m just an active customer.

Note how company principal @Frederik responds here:

I think the thread’s overriding goal is:

To address all questions about the privacy/security of the Wyze cam and its supporting systems.

OP @metroplexchl, wouild you agree with that?

ember1205 · April 19, 2019, 5:03am

Thanks for the response.

While I understand what @Frederik is getting at, to say that charging more for the camera won’t make it more secure isn’t 100% true.

There are a multitude of places that the revenue generated from selling a camera goes. It pays for the parts, the time to design the camera, the cost of assembly, and the time and effort that goes into developing the software. There’s an additional expense associated with marketing and selling as well as to pay for the cloud services that are part of the base service as well.

While simply increasing the cost of the camera doesn’t make it more secure, that additional revenue can be put to use to leverage a more secure overall architecture, pay more people to write code so things are developed more quickly, and other similar things.

No, nine women can not make a baby in one month. But you could end up with nine babies after nine months instead of just one… Or, by offsetting each by a month, you would have 9 babies after 17 months. Either way, you put in more, you get more back. And while a cost increase today doesn’t immediately make that camera more secure, building out the underlying structure for that higher security platform (which is almost entire software and has little or no direct impact on the camera itself) and then deploying a more expensive camera to the more secure architecture WOULD make the camera more secure “immediately” (but that platform has to be designed and built before the add-on cost could be charged).

Make sense?

Frederik · April 19, 2019, 6:51am

It does.

And we are working on a few initiatives to continue boosting the security, while enabling a few new capabilities.
We fully understand that the bigger our brand, the more a target we are becoming and we are acting in relation to that.
One of the thing that is also a limiting factor is the number of changes that you can make at a time. In our case, some of our improvements and changes are so fundamental that any other attempt to build would be going for the trash as soon as the improvements would hit production.

peepeep · April 19, 2019, 7:04am

PROVISIONAL SUMMARY

With respect to cloud cameras:

Privacy | Security | Trust | ~~Money~~

peepeep · April 19, 2019, 7:04am

Do you trust Wyze to work exhaustively toward world-class cloud cam privacy/security?

Yes
No

0 voters

gemniii · April 19, 2019, 12:37pm

Do you trust Wyze to work exhaustively toward world-class cloud cam privacy/security?
NO!!!
I don’t TRUST “Wyze” at all (well maybe a little bit).
Most of the people responding on here seem to have LITTLE OR NO concept of security.
ANYTHING transferred over WiFi is hackable.
Put more “work” into an eyeball.
A camera my 94 yr old MIL can stick on the outside wall that is battery/solar powered and pipes to her TV.
/edit - perhaps I was a little too harsh in my NO, but to work exhaustively toward world-class cloud cam privacy/security seems like a dedication of resources.

peepeep · April 19, 2019, 2:43pm

In your estimation, given Wyze’s company size, how much of a “person” must they dedicate to fulfill an exhaustive commitment?

peepeep · April 20, 2019, 12:38am

I’m willing to trust, willing to bet Wyze will back up their claims.

Funny, I didn’t immediately have a solid answer. Set it aside until this afternoon when it settled in the affirmative.

todwatts · April 24, 2019, 2:32pm

Most of the people responding on here seem to have LITTLE OR NO concept of security.

Gemniii, you said your “no” was a bit harsh … but then you go on to pretty much malign “most” of the people in the WYZE community.

My car, my wife’s car, our cell phones, our t.v.'s, TIVO’s, our smart lights, our iRobot Roombas, my laptop, our iPads, my iWatch, our Online banking, Acurite Hub, multiple Sonos speakers and soundbars, Nest Hello, Google Home, Western Digital MyCloud, Sump Pump wifi alarm, and yes, my WYZE cameras all broadcast over wifi and most on the internet.

I would be willing to be that all of us here on the WYZE community forum understand everything you are saying … and yes, we all know that any wifi/internet device can be hacked.

Please don’t insult our intelligence by saying we don’t understand hacking and security.

Having said all this … I think it’s a personal choice as to how “risk” a person is willing to accept … and yes, how much “faith” we have in the manufacturer and programmers of a wifi/internet device we install in our homes.

Of any wifi/internet device I’ve installed and “accepted” into my home, I can only think of ONE(1) … I repeat, ONE(1) … manufacturer which has time after time shown such concern for its customers … and that’s WYZE.

I firmly believe that WYZE is constantly looking to improve the security of its devices and software … and is really concerned at every single report here on the forum, or in an incident report, or on a phone call or a chat, about every single problem and concern of WYZE cam users.

And I’ll bet that 99% of the folks here on the forum feel and understand the same … that WYZE truly has our best interests at heart.

ember1205 · April 24, 2019, 3:30pm

While there are definitely many here that DO understand hacking and security, there are almost certainly a much higher percentage that do NOT truly understand it at more than a cursory level.

To that end… I would be less concerned about your Roomba being attached to WiFi than I would about the fact that it’s uploading a virtual ‘map’ of your house to the cloud. Hack THAT, and you have a complete floorplan of your house to use when breaking into it at night.

gemniii · April 24, 2019, 3:40pm

The question I was responding to"
Do you trust Wyze to work exhaustively toward world-class cloud cam privacy/security?
I’ve a background in Army fielded computer systems where often a Top Secret or higher was needed.
It takes a LOT of resources to make computers secure. The best methods involve surrounding them with armed guards,
There have been many posts about people fearing their baby-cam stream will be stolen, I can understand their concern, But there is a big tradeoff between building a world-class cloud cam privacy/security system and selling one with a profit margin that allows the company to continue to sell them at such low prices.
As WyzeFrederick put it "Last point! I swear it is! Doubling, tripling, quadrupling the price of the camera will not change the privacy level of the camera. This is not a cost matter. It is a resource and a pace at which we can make the changes happened. "

It is a tradeoff, and just like everything else we have to choose. I hope Wyze continues the way they have been going.

They seem to take security as a high priority, along with many other priorities.

peepeep · April 26, 2019, 2:27am

Companies generally soft-pedal security risks and exaggerate their efforts to protect their customers from exposure and harm. If people were fully informed, the argument goes, their caution in buying (versus urgency/impulse) would have a negative impact on the bottom line.

Consumers are better off being dumb and happy. We’re actually promoting a higher quality of life for them when we steer them away from stark reality. As Colonel Jessep said, “You can’t handle the truth!” We will handle it for you, keep you at a safe distance from that purposeless anxiety.

You get our miraculous product and we make a “reasonable” (if not tidier) profit monetizing things you wouldn’t try to hide even if you could. Alexa, cue patriotic songs and chants. Syri, monitor response. Cortana, you aren’t aging well - perhaps you should consider a career change. -Composite exec

Collectively, as a herd, we are already pwned. Now, here “I” am, stringy little maverick, compromised by the herd’s indiscriminate embrace of… EVERYTHING. "Oh, look, “I say, “I take all the precautions, I’m good.” But if I want to remain fluidly social, YOU compromise ME when we interact (at my 'secure” home, via email & otherwise.)

And those vaqueros, social, societal, governmental, are not gentle. Think spurs, bridles and bits, branding, hogtying and vaccination chutes. It’s good to be beef. Ain’t it?

Sure.

peepeep · April 27, 2019, 3:49am

A few items in support:

I’ve told my extended family, “Please do not share sensitive personal information about me in email. Email is like a postcard: transparent in transit to whomever is involved in the relay. Would you write that on a postcard?” They look at me blankly, deaf to my pleas. As long as the consequences are not immediately apparent there are none.
Mail older than 6 months stored in a common cloud account is accessible to authorities without a warrant. Does anyone care? It sure is convenient to be able to search through years of online purchase transactions (for instance) from anywhere on any device. So, actually, no, most don’t care, even when informed.
If you were alive and tech sentient twenty years ago you remember when the vision of cloud computing was rolled out. A significant segment of society then still cared about owning and storing their own data locally, so insouciance took a generation to fully develop.
Contemporaneously, device Unique ID (UID) caused an outrage when it was discovered Intel had furtively etched their chips with 'em. Now we’re just happy they’re etching our chips and not our dental work.

Please correct, refute, or add other instances if the spirit moves ya. -peep

alexey.vasilyev · May 2, 2019, 7:45am

There was recently discovered a serious vulnerability CVE-2019-11220 with P2P cameras powered by a competitive iLnkP2P company (nothing to do with with TUTK P2P used by Wyze Cam). It is possible to access camera remotely just knowing it’s UID. At least a couple million iLnkP2P cameras are affected.
More info is available via https://hacked.camera/

ember1205 · May 2, 2019, 12:18pm

Actually, this was not recently discovered, only recently publicly published and discussed.

peepeep · May 10, 2019, 3:43pm

Alexa, forget what I told you to remember.
Sorry, I don’t know that.

tiadog666 · May 13, 2019, 7:11pm

The question of security of information and its cost is very much dependent upon the actual value of that information.

Personally I doubt very much that masked intruders will hack into my wyze cams to assess the value and ease of availability of my assets in my home.

Similarly if little Johnnie or Jennie want to hack in to see me walking to the bathroom I don’t much care either.

I have a ring doorbell as a deterrent and for convenience. Similarly wyze for a little bit more security and peace of mind.

Do I worry about someone spying on me without clothes on ? No, not at all.

It’s an interesting discussion and nothing more.

peepeep · May 14, 2019, 3:29pm

Just out of curiousity, did you read the whole TL;DR thread?