Wyze cam video encryption

andrew.king87 · October 14, 2020, 2:37am

Are the wyze cam video clips that are stored in AWS encrypted at rest or just in transit?
Is there a SOC report that we can read?

kenner · October 14, 2020, 4:45am

Thanks for posting and welcome to the forums, @andrew.king87!

I think this article would answer your question: https://support.wyzecam.com/hc/en-us/articles/360032397992-Security-Privacy-

Security & Privacy
Avatar Isaac
1 year ago
Here at Wyze, we take your security and privacy to heart and want to make sure you feel comfortable using our products. To that end, we’ve taken great measures to ensure your data is safe as it gets transferred from the Wyze Cam to your Wyze app.

How do you make sure my personal data and video stream are secure?
We take our customers’ data safety very seriously. The communication requests between your mobile device, your Wyze product, and the AWS Cloud Server are made via https (Transport Layer Security (TLS)) for alert videos. We use symmetric and asymmetric encryption, consistent hashing, and other ways to make sure users’ information cannot be stolen. Each camera has its own secret key and certificate so that we can validate its identity during handshake. The contents are encrypted via AES 128-bit encryption to protect the security of the live stream and playback data. During the connection process, every device in the process has its own secret key and certification, so that we can validate their identity during handshake. Even if a hacker intercepts the data package, the data cannot be decrypted.

Have you updated Wyze products to protect against the KRACK vulnerability?
Starting with Wyze Cam v2 Firmware 4.9.4.108 and Wyze Cam Pan Firmware 4.10.3.108, our firmware contains a fix that mitigates the KRACK vulnerability. Please note that this fix only covers Wyze Cam v2 and Wyze Cam Pan; Wyze Cam v1’s are still vulnerable.

Let us know if you have more questions!

/ken

andrew.king87 · October 14, 2020, 12:21pm

Thanks but no…that doesn’t answer my question.
It mentions there is encryption via transport and live stream via TLS, which is expected. It doesn’t mention anything about the data at rest, aka when the files are stored on the servers.
This leads me to believe that when the video files stored on the servers are unencrypted, which means anyone with access can play the video files. So although your basic encryption is applied when in transport or streaming, preventing someone from intercepting them, the files themselves can be VIEWED by ANYONE who manages to have or gain access. Is this assumption wrong?