Here 1324670
Was so confused. After trying to get the cameras back online Friday, my daughter showed 12 devices shared with herâŚwe only have 8 cameras. She was so confused. She clicked on one named Livingroom cam (which we also have)âŚwas live view into someone elseâs home. And another one named Aliceâs something or otherâŚshe then clicked on who had shared themâŚit was not my email, she deleted the 4 cameras. Pretty bad, tbh!
My apologies for being a neophyte. Does everybody understand that all motion events are available to anybody with access? I was NEVER told this. This camera was supposed to add to security, not detract FROM it!
Andrew Buckwell.
Do not forget that if you have an outside driveway doorbell camera, they know when you leave your house/garage!
This is not true. Only you have access to your cameras events (and users you have shared your cameras with).
In this case there was an issue that caused some of those event thumbnails (and maybe videos) to be visible to other users for a little bit, but this is not how it normally works and the service was shut off when wyze realized this.
All cloud based cameras work like this. Even photos on your phone that are backed up and stored on central servers or databases.
1 Like
I am also curious about AWS involvement in this. Wyze has had a lot of outages recently, and they always say itâs due to AWS even though most of the time there are no AWS issues reported.
Most likely itâs like others have said, the issue only affects the servers of a specific client (wyze), so itâs not necessarily for AWS to report it. I donât fully understand how large cloud providers like AWS operate but is this normal?
Why do other services not experience as often of outages. I know many larger services have fallback cloud providers, is wyze not at the scale that this is possible to do, or is that something that should be considered?
Some additional technical details would be great if possible.
1 Like
So at this point itâs been ~12 hours and I still havenât received an email from Wyze. I know my account was possibly affected because I tried logging into wyze and wasnt able to access my camera around the time of the incident.
I contacted support and the support agents seem to have no idea what is going on. I pointed them to this forum and one of them copy-pasted the message text from here into a support chat. Frankly they seemed to have no idea whatâs going on
Normally they are only available to your own account - no one else. This issue last weekend did result in a very small number of events being able to be seen by some other account.
1 Like
Here is a link to the latest update from @WyzeDave.
3 Likes
I did say âaccessâ My concern, obviously, is âIllegalâ access, which happened here.? This whole episode has opened up a âcan of wormsâ in my head. So if a Wyze camera is used as a baby monitor (I was considering this) everything is being recorded in some central computer?
Yes, thatâs how the cloud works. Cloud events are uploaded to a data center (or multiple), where they are stored for 14 days, used for AI processing (if enabled), and sent as a notification to your phone (if enabled).
The only way for features like those to exist are with cloud events.
Even some cameras like Eufy, that said they were 100% local, were discovered to still upload your thumbnails to the cloud for notifications and facial recognition. Even worse those were visible to anyone on the internet, and not even temporarily. Eufy tried to deny it but eventually their parent company admitted. Wyze has never made any claim to keep your data local.
If you want local only recording you will need to get an NVR. Some of the higher end models support AI features as well, but they are well above the price range of wyze cameras.
1 Like
As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
Iâm sorry, but this is absurd. Increased load doesnât cause code to decide that a key is x instead of y - a race condition would, but this sentence suggests that code arbitrarily decided to change mappings because it was stressed out.
5 Likes
Yeah this is why I think it would be helpful to disclose more technically what happened. I would imagine that ids would be something very unlikely to collide like uuids. If that were the case then what led to one id getting mixed with another.
Having more details would help clarify these questions and lead to less ambiguity and speculation.
It sounds like theyâre trying to use AWS as a convenient excuse. If AWS was truly at fault last time and this time, they would have lawyered up and hand delivered the lawsuit papers to Amazonâs corporate offices and try to get all the money they could for the damage done to their name and reputation. It might vaguely be related to AWS but at the end of the day itâs their code that didnât recover after the event.
3 Likes
Hi Wyze - thanks for the timely update.
Instead of a caching library, may I suggest caching data on a CDN? Sounds like that would be a better solution and also brings the content closer to the customer, improving performance. Edge computing will allow you to enforce proper AuthN.
Also, this sounds like a design issue, rather than a true security incident as that makes it sound like you had a malicious actor.
Frank
+1. If a publicly available caching library is returning arbitrary values when under load, this is a log4shell-level vulnerability and needs to be expounded on for the good of the public. If Wyze screwed up in their implementation (e.g. their hashing function crapped out under load/lack of memory and caused userIDs to hash to the same value, therefore causing the cache to load random device IDs), they should own it. Even so, there should be further authentication in place so thumbnails cannot be served with deviceID alone.
Only if you have the camera configured to upload motion events. If you want notifications and / or AI processing, then the motion event MUST be uploaded. However if you either only record to a local uSD Card or donât record at all, motion events are not uploaded to the cloud.
1 Like
Donât give me that feel sorry for us âhad to work all weekendâ BS. Facts are facts. Wyze is NOT a World class provider and cannot be trusted with the keys.
1 Like
One of my cameras is still offline and not working at all⌠
Which type of camera ?