UPDATE YOUR FIRMWARE - Wyze Cam flaw lets hackers remotely access your saved videos ( * if they can gain access to your local network/WiFi )

It’s pathologically insane to require authentication for local access.

tell me. What kind of authentication is required to remove the SD card and put it in my laptop? What kind of authentication is required to disconnect power from a camera. Or to crush it under a mallet?

None.

Because you can do all those things locally. It’s not remotely. Local access trump’s all.

To say that this was remotely exploitable is as dishonest as it is idi otic. No TCP port on these cameras is remotely accessible because nobody has a wyze cam with the public IP. They’re all (>99.999%) on the inside of a one-way Network address translator.

And those .001% of people are no accidents. You have to work quite hard to put one of these cameras on a public IP and at that point you should know what you’re doing enough that you don’t allow the world to communicate with a closed source iot device.

Anyone on the local network could already be doing arp spoofing against the wyze cams or DNS poisoning or 802.11 attacks. A local user could man in the middle the cameras or crush them with a mallet.

It has been much the trend for some time to sensationalize anything that could be perceived as a security bug. It makes the speaker feel soooooo smart, and holier than thou, whoever made the product. It is attention-seeking. It is virtue signaling. It is posturing.

I’ve worked in cyber security now for almost 15 years. Real vulnerabilities do exist. But by and large the vast majority of announcements are technicality nonsense.

Sensationalist nonsense devalues actual vulnerabilities and betrays the public with alarm fatigue. It is because of the flood of these articles that nobody pays attention to real vulnerabilities when they do happen.

Just look at the four and five digits in cve these days. Really? Over 10,000 critical vulnerabilities a year? I don’t think you understand what critical means anymore.

it would be nice to have the option to enable authentication for local access. Simple HTTP basic authentication. But it should absolutely be an option that sane people can disable.

And you know what? Then you’re going to complain that the password is sent in the clear. And then what, you want ssl? With a unique ssl key on every wyze cam? Good luck with that! Vanishingly few wisecam owners know what a hostname is, let alone a CommonName.

Authenticated local access is essentially impossible to achieve in a technically accurate, secure way. So the sane response is to not waste time on local authentication and instead control access to the local network as we already successfully do.

I have at least a dozen other brands of hardware on my land right now from companies far more mature than wyze with no local authentication or local authentication disabled by me. Haven’t had a breach yet.

Is it “insane” to require authentication into your firewall/router, access points, managed switches, NAS, network file shares, network printers, etc, etc, etc? All of those devices are on your local area network as well and ALL of them require authentication in order to access them. Yet you advocate that others on your local area network should be able to remotely connect to the SD cards on your WYZE cam without any sort of authentication?

Remember, WYZE is still dependent upon WPA2 WiFi security. Any network hacker (with time) that wants on your WPA2 secured WiFi network will eventually connect. Thank goodness WYZE patched these vulnerabilities!

Furthermore, if the goal was to make WYZE look bad or to “virtue signal” and “posture”, why would Bitdefender wait until after patches were available? If Bitdefender was interested in any of the things that you claim, they would have released this information over 2-years ago.

This article states: “Typically, the window for responsible disclosure is 90 days, but Bitdefender contacted the vendor all the way back in March 2019. Publishing details on the vulnerability in the absence of a patch is problematic when it comes to smart cameras, so Bitdefender waited until the vendor fixed the issues.”

https://www.bitdefender.com/blog/hotforsecurity/wyze-cam-vulnerabilities-could-let-attackers-access-the-live-feed-research-finds/

That is a fight you need to take up with the industry that you have worked in for 15-years. Clearly your views are not in alignment with the rest of the industry.

That would definitely be a secure way of accessing the mSD cards. However, I believe there are many others that would like to be able to access the mSD cards via their network from a device other than their smart phone where the app runs.

Is this a good debate of the issue so far? The poles well expressed and offsetting?

I tried to access one of my cameras running RTSP and couldn’t access anything. It is just pointing your web browser to the IP of the camera, right? No special port number, just 80?

This update unfortunately does not apply to earlier versions of the cameras which are no longer supported. Looks like I will be shopping elsewhere.

Now even The Verge is getting in on the scare mongering. Again no mention that it was barely a threat to anyone.

How do these “technology” web sites consistently fail to report on technology? It’s pathetic.

Was Wyze careless and improperly secretive about this? Yep. Is the reporting realistic? No way.

Wyze won’t survive.

The Verge: Wyze knew hackers could remotely access your camera for three years and said nothing.

[Mod Note]: Your post was was flagged as Off-Topic and merged to this topic for consistency in grouping similar posts. Please avoid diverting a topic by changing it midstream

Here is another article about it:

Both of these fine companies are vendors of mine. So what do I do? Since I don’t have a V1 cam I don’t have to throw anything out. But “don’t have to” and “want to” are 2 different things. I want to kick them both to the curb. And I will as soon as I find a decent replacement for them both,
Dang it, why do companies do such bad things? Simply because they can? I think Wyze should look back to that bankruptcy that they narrowly avoided. But not until we can all replace our cams with better ones! But which companies aren’t EVIL any more? None that I can think of. So I’ll have to take the best of the worst I guess. I wish you all a spot of good luck and plz post to Twitter when you throw away/destroy/smash/burn your Wyze Cams. Maybe a hashtag of #F***Wyze without the asterisks. I think thats’ what I will use. Not soon enuf I’m afraid tho.

Rate the threat:

** THEY DID NOT UPDATE OR PATCH v1 WYZECAMS SO THEY ARE ALL STILL VULNERABLE**

The least Wyze should do is:

Apologize.
Refund the purchase price or buy back all Wyzecam v1’s or send out a WyzeCam 2 to all WyzeCam 1 owners for every unit they own WITHOUT asking people that own such high risk cams to OPT IN. They knew about this vulnerability for 3 years?!
Apologize.

I find it totally reprehensible that a company selling a security product knew for over 3 years that the WyzeCams have a vulnerability in its home security that could have let hackers look into your home over the internet. That hackers can could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading your video feeds?!

They knew about this for over 3 years?! And finally patched this inexcusable HUGE security flaw this January? And only for all WyzeCams but the WyzeCam v1 which are still vulnerable?

We can never trust Wyze again.

I reached out to them via email and this is their response which wasn’t a response at all.

Thank you for reaching out and for your questions.

At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.

If you have more questions or concerns about Wyze security topics, please reach out to security@wyze.com via email.

Regards,

Marjorie | Wyze Wizard

Trust and deceit. I just read an article about the security flaw of the V1 cameras by The Verge. Wyze knew of this flaw in March 2019. I’m done with Wyze - The Verge. Where do I send these worthless camera’s.

I don’t know. There’s a lot of parts and pieces to this, much of which is not really appropriate for a public user forum of this nature. Part of the problem is when general publication “news” entities convert CVEs to English, using words like “huge” vulnerability. If the average user saw what a daily security log looked like, they’d unplug everything in their house and wear a tinfoil hat. Our work net gets hit into the 10’s of thousands of times per day. Of those, the Fortinet might notify on 2 or 3, and since those were killed along with the rest, it is just for information’s sake.

The target appears to be a no-auth port 80 server lan-side. Yeah, that’s sloppy. But an “attacker” first needs to gain access to the lan. Yeppers, it’s doable on a Wlan and you may have the wacko neighbor who’s got nothing better to do; which basically is the limit of the threat. Unless I want to put on my tinfoil hat and think that a burglar is going to go through that effort when they can usually kill power by throwing a disconnect or turn off access by cutting your cable/fiber/dsl drop. And why go through the brain drain when you can grab a jammer for pretty cheap these days.
Granted, most home nets don’t have the doberman edge protection but it’s really a low value target.

Now, I’m confused some by bitdefenders mitigation; “Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices, or by moving them to the guest network if the router does not support the creation of additional SSIDs.” Huh?, that solves the issue how?

That said, Wyze response to the problem is not good. They could have (weakly) contested the CVE. But more importantly, they could have fixed it right away. Much the same as our plugs

The problem with these “huge” vulnerability CVEs is they cause panic; look at some of the responses to this. In reality, I could craft a wonderful email, phish it out to just 100 typical users and probably have access to a half dozen home networks in a matter of minutes, without leaving my chair. This camera attack assumes having the keys to the kingdom. The cams are the least of your problems…

Please explain why you are upset? I’m not defending Wyze by any means; I have my own battles with them, but I’m just curious how you’re judging the impact.

Check this article: says they were asked to fix a security hole and never did for 3 years. They are supposed to in 90 days. Can someone from wyze comment on this and what you are doing so this doesn’t happen again. I’m done with Wyze - The Verge

Well, it happens a lot more than you think and in some much more damaging circumstances. There’s no 90 day rule or anything.

But, you are 100% correct that they should address this, and more importantly address what they are doing to prevent it from happening again.

I woke up this morning to some really disconcerting news.
Wyze knew hackers could remotely access your camera for three years and said nothing - The Verge

I really don’t know whether I can trust Wyze products now. Has there been any similar issues with the v2 or v3 cameras where unauthorized attackers have been able to access live or stored video? Has Wyze every been informed of a breach to a v2 or a v3 camera? Your customers deserve to know!

There’s enough router exploits available to drive a truck into most folks home networks. From not re-setting the default password to firmware holes. This is NOT A NON ISSUE. Wyze did NOTHING and who knows what was compromised with us? I have done many things I wouldn’t want anyone else to see. Personal things that need to remain personal. It’s inconceivable that Wyze did NOTHING for months/years. They violated the basic trust we put into them. They don’t deserve any more of my money or any more of my support. My Cam Plus license is up shortly and that’s it. I’ve ordered Eufy’s (at considerable cost) and I will post the destruction of my Wyze cams on my Twitter when I get the new cams working. The hashtag will be #F***Wyze with the first word spelled out properly.
I hope to make a properly informative vid and an enjoyable one too. My phone does Slo-Mo so it could be a smashing success. Maybe I’ll even Live tweet it.
Sorry Wyze. You f-d up just one too many times.

How many people/devices were impacted by the v1 breach? How many people/devices are still vulnerable? Were those device owners explicitly notified of the breach?
Has Wyze ever been informed of a breach to a v2, v3, or other camera not mentioned in the BleepingComputer or Verge news stories?
Where is the link to Wyze’s responsible disclosure policy and breach notification policy?
Will Wyze explicitly notify us if there is another breach?