Well said! As you say it could have, should have, been handled with their highly hyped customer focus as the priority. Apparently I was swayed by the hype and the risk is fairly limited. However, it should always be the customer's decision on how to handle their risk.
Personally, I'd never port forward on a home network using cable/telco hardware. Those magic boxes may not have much security on a port forward. It leaves you open to a kiddie-hacker fest finding an open port. The cams aren't "exploitable" in any true sense of the word. It's a pretty useless target and I'm imagining that hackers are looking for a misconfigured router with 80 open on the WAN side or somebody running a web server on their home net. Lot more fun to be had there.
There are a lot more secure ways to connect to a cam or any iot interface if you really need to do that. Or just pass through your cable/telco box and put an endpoint in place that is designed to secure inbound traffic.
As @speadie said, it's doable but you have way more things to think about than someone looking at more than likely boring cams. Most people probably have carrier, or carrier compatible hardware that has push updates and is not readily accessible from the wan side unless you are the carrier.
But…but. Isn't this just what the legitimate users have been asking for? A way to access the SD card without having to crawl out on the ledge to retrieve the SD card and manage the files.
I'd certainly like to know how this is done.
Those are my same thoughts as I mentioned above:
Nobody from outside the home WiFi could access anything anyway, so yes, as you stated, it is almost exactly what many of us have been asking for them to do on purpose for years.
My impression:
This has the tone, hyperbole, and content of a "hit piece". The kind of slanted report funded by a competitor (usually via a third-party business that specializes in muckraking).
Yep, and people see what they want to see, hear what they want to hear. Anyone looking for a reason to be mad at wyze, or afraid of hax0rs will easily find or create it here.
True enough. Cognitive bias is a thing. It also could be the reason why there seems to be a tendency to intensely focus attention on the straw man of risk level instead of the actual unresolved matter of timely and effective disclosure.
The question remains whether adequate measures have been taken to notify all owners of cam v2 and v3 of the specific need to update their firmware due to security concerns in the context of a known vulnerability explained in enough detail to be instructive to those who might not be aware of best practices and to provide the specific reasons why the v1 will remain vulnerable. A vague statement of "use at your own risk" and EoL falls short when a fuller explanation would serve to help the cam owners understand why they are being given that advice and how it benefits them to follow it rather than assume it's a crass move to churn inventory.
Hear hear. That is the only indisputably bad step the company took, among several questionable ones.
You can read the Bitdefender research paper linked in the following reference. It goes into some detail on how it's done. You will need a cam v1 as those have not and will not receive the firmware update that prevents exploitation of the vulnerability.
https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-wyze-cam-iot-device/
Aren't you happy that you now have your wish to have a way to remotely access your cam's sd card files (at least on v1s)? Since there are lots of people saying they will be getting rid of their v1s, seems like you could scoop up as many v1s as you can get your hands on at minimal expense as a win/win for everyone including keeping all that plastic out of landfills.
Has anyone received a direct response from Wyze about whether they have been notified of a similar hack for the v2, v3, or any other camera? I have asked Wyze multiple times, and I have not received a reply. This thread is also lacking in participation from the usual Wyze crew.
F*#&K wyze! All the woeful products I own and bought from them are already in the trash!
Just to be thorough in case anyone reading is new to this conversation: According to its timeline concerning the vulnerability, Bitdefender's white paper states that Wyze released the firmware update fix on January 29, 2022 for v2 & v3 cams, three years after being made aware of the vulnerability by Bitdefender.
Wyze mentioned that they were unable to provide a firmware update for v1 due to its incapacity to store the needed update. Wyze advised that v1 is no longer supported and has warned customers to continue to "use at your own risk" with no or at least woefully inadequate details provided regarding the specific reason, allowing customers to dismiss those vague statements as a crass move designed to sell replacements rather than provide enough info to educate and protect their customers.
HOWEVER, outside of this forum, I'm not aware of any explicit notice sent to cam owners and would like to see that occur as an exercise of basic corporate responsibility. And even within this forum, Wyze's statements have not been explicit enough IMO and it has sought instead to focus on minimizing people's concerns as exaggerated and excusing its lapse in a way that sounds a lot like, "if anyone got hacked, they were doing something to deserve it", to paraphrase my perception of their statements.
Since the vulnerability has been published by Bitdefender recently, the blueprint for how to take advantage of the vulnerability is publicly available and it's incumbent on Wyze to actively reach out to customers to explain why they should be cautious in continuing to use v1 especially considering many customers in this low end of the market may predictably have entry level technical skills and be unaware of how or why they may continue to be at risk.
Just a bump for this response too, to round out the conversation a bit.
/me ducks
This whole issue is Wyze's "Keep my wife's name out of your ***** mouth" moment.
MOD NOTE: Post edited to conform to the Community Guidelines.
Wait. Which side is Smith in this scenario?
Call me Daniel Radcliffe on the subject.