WyzeCam v3 Hacked! - SECURITY

Had a few people over for the Labor Day weekend. Long story short, someone somehow got access to my WyzeCams in the kitchen. Set the siren off on them and started screaming through the camera.

Video in link

Unfortunately you can’t hear the individual when he’s yelling through the speaker on the WyzeCam v3… seems the sound gets muted at that point. Apologies for my buddy in the red shirt flipping off the camera, but the guy on the speaker was being very vulgar in front of my family and friends and even threatened us… as you can see I have an infant… very concerning. Also sorry for the quality of the video footage. When I trimmed the video, it must have compressed it.

In the video he sets off the siren I have in a cabinet above the microwave first, then he sets off the siren on the other v3 I have in the room. I immediately unplugged all my cameras and reset my account password along with turning on two-step authentication. I also reset my network wifi password. I’m hoping we can see if there were any breaches in my account recently or logs of unauthorized access. It’s scary to think how long this person has been spying on my family and me.

2 Likes

This is why Wyze is mandating 2FA

3 Likes

Please reach out to security@wyze.com so they can investigate this.

Great job on changing your password and enabling 2-factor authentication, this will ensure it cuts off the guy’s access. This is probably all that was needed, but I would still reach out to the security team so they can let you know of anything else they find out about this situation.

Probably change any other account that used that same password. It was likely leaked by some other website and it just happened to work for your Wyze account too.

5 Likes

I would make sure you also save all the camera logs.

2 Likes

@ws6wes
I am sorry this has happened to you; we take these kinds of reports seriously. I would recommend you contact security@wyze.com with what happened and any info you have so they can look into this issue.

7 Likes

This is exactly why you need to update RTSP firmware and let people handle their security. I don’t understand why your company is against it and only provides a rudimentary RTSP firmware with no updates, basically rendering the camera featureless because some customers decide to not have their camera on the cloud.

1 Like

I’m in touch with a Supervisor at Wyze named Sarah. I’m hoping she can find some answers for me. Crossing fingers…

A word to all: One thing to do for certain is never reuse a user ID/password combination on important sites (finance, camera, etc). For instance, anyone who used the same user ID & password here as their yahoo ID were instantly exposed when yahoo got hacked. So be sure to stay unique on all important sites. :slight_smile:

3 Likes

Along those lines, not a super popular technique but one I use a lot, custom businessname@example.com, where example.com is your own custom domain name, and businessname changes for each account relationship. Having only one e-mail address for everything is a BIG part of the exposure problem in my opinion.

This is also doable without any custom domain just by using the “+” feature for GMail accounts (although much easier to reverse engineer).

3 Likes

The plus thing is too widely known by hackers and businesses… they will often purposely remove anything after a plus so that you can’t filter them (though I know people who take the opposite route and filter anything that doesn’t have a plus and the correct appendage, so all those that try to remove it and use the root email are the ones that get filtered :rofl:).

For instance, my sister-in-law’s unfiltered email requires you to enter something like “[her.name]+real@[domain_dot_com]”… and if you don’t put “+real” (or whatever it is on there), then it gets filtered as spam because all the spammers remove the plusses now.


But your idea if you have your own domain is freaking brilliant! At least assuming you can basically use unlimited email addresses by having anything not explicitly set up be automatically routed to the same primary email that is set up (I think some do that).

@Customer this is one of the most brilliant security (and spam) solutions I have actually seen in a long time, seriously! I truly appreciate you sharing the idea. It honestly might be worth the low cost yearly fees to pay for a domain just to be able to do this even if no website is ever actually used. Genius improvement toward leaks and cross-site credential stuffing…almost makes the email address a true second password on every site that is never duplicated.

Personally I wouldn’t use the name of the company, as that would be too obvious and easy to catch onto (why else would someone have an email as “facebook@example.com” if it wasn’t their facebook login?… and then if there was a second leak of “instagram@example.com” then anyone seeing those could quickly put 1 and 1 together), but someone could do something related to the name of the company that is less obvious, but uses certain letters from the name (maybe first and last letter of the business name plus the next letters up from them, so Wyze would be “we” plus the next letter up from w is x and the next letter up from e is f, so you could do something like “wexf@example.com”, which would make no sense to anyone but you, but would be easy to do for any login and easy to remember). That’s just an example; any pattern/algorithm that is easy to remember would work, maybe letter First-Last-Second-Second_to_last… something like that. Whatever works I guess. Anyway, just thinking out loud. Seriously an awesome idea though. I might have to do some tests and change all my emails this way at some point :rofl: but they’d still all route to my main email and I’d always know where any leak or spam-leak (selling my info) came from and be able to instantly filter or cut it off. Seriously brilliant security and life hack.

I do have my own domain through Bluehost, but I don’t really use the email stuff. What do you use for your email service, etc? I just loaded mine and it looks like it either defaulted to or I somehow chose “horde” --whatever that is. Any suggestions from your experience before I start looking into doing this on a wider scale?

1 Like

I’ve received 3 cease and desist letters for doing that. :grin:

3 Likes

Oops! I misspelled there anyway, I meant to say “personally I WOULDN’T use the name of the company” :rofl:

Yeah, I agree with you, that makes sense for another reason to do something different from the company name.

2 Likes

Thanks, but of course it’s not new and very likely not mine. I first started doing this many years ago, not for account security but as a spam deterrent device. The idea was that once I started receiving spam to a unique address I’d know exactly who sold me out. It’s only happened a small handful of times - Sunrocket was one. I can then filter them out of existence.

You may or may not be overthinking this. When I started doing this I too would hand out unique alphanumeric addresses to everyone, even including friends and family. I eventually realized that all I had accomplished was to burden myself with decoding them AND having to change my From field whenever I replied, which quickly led to corruption in that I would sometimes accidentally respond from my “main” address. And nobody else really cared. It made little to no sense for friends and family and legitimate business.

So I moved on and just do it for most business relationships (aside from personal ones and employment and such).

Two thoughts on this. First, I don’t really use just the company name. I have a very small bit of a rudimentary “salt” at the beginning that is intended to let me easily filter address names I have given out versus ones that are randomly sprayed at by spammers. Second, I don’t think evildoers are generally that smart or making that much of a concerted human effort. While yes, bestbuy@example.com and joestoyhut@example.com and microsoft@example.com could be correlated by a person, in reality what is happening is giant chunks of thousands of compromised credentials (often resold) are being hammered at by malicious programs / bots and bottom rung criminals at other sites. The low hanging fruit is pretty tasty already and you just have to be a little faster than the other campers, not the bear. Call it a measure of security through obscurity if you like.

First I’m a little surprised you only have the one domain, since you mentioned several businesses. But anyway, e-mail can be a royal pain, and I gave up hosting my own mail server a ways back. I just use my registrar’s mail forwarding feature to direct mail to my (sigh) GMail box these days. I do a few specific forwarders but I also still have a catchall rule to forward everything.

The latter is a bit dangerous of course, but I’ve found that GMail really does pick out almost all the normal spam and address spraying. In combination with the pseudo-salting, this gives me a good way to deal with spam and good-turned-bad actors.

I’ve found that a standard IMAP client (I use Thunderbird or SeaMonkey) allows quick changing of the From field on the rare occasion you need to reply as the alias. This is a little different when you host your own mail, but GMail is pretty amenable - however, do note that they ALWAYS send your “real” GMail address in an often-visible header; all recipients can see the real mailbox name. (This is all with a free consumer class GMail box, not Google domain hosting / Workspace.)

Lastly, I originally painstakingly crafted individual addresses and added each to a forwarder setting at the registrar. But (1) there is often a limit on forwarders, (2) it’s a pain to plan and manage, and (3) it’s inflexible. So I just keep catchall enabled. This lets me hand out new addresses on the fly that are unique to the party I’m dealing with. I’ve done this for things like car rental agencies and leisure activities and semi-suspect web sites. (For truly suspect stuff I just use a Mailinator address, which is a similar concept.)

In short, it’s pretty easy and simple. Have fun!

1 Like
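An added example (not code from anyone in this thread) of the salted per-relationship alias scheme described above: it assumes the “salt” is a short HMAC of the relationship name under a private secret rather than a fixed prefix, so aliases you handed out can be told apart from addresses sprayed at the catch-all, and which relationship leaked an alias is recoverable from the address itself. The domain, secret and inbound recipients are constructed.

```python
import hashlib
import hmac
import re

# Constructed values for this example: use your own catch-all domain and a private secret.
DOMAIN = "example.com"
SECRET = b"replace-with-a-long-random-secret"


def _tag(name: str, secret: bytes) -> str:
    # Short keyed tag: only the holder of the secret can mint a valid alias.
    return hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:6]


def make_alias(relationship: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Mint the single address handed out to one business relationship."""
    name = re.sub(r"[^a-z0-9]", "", relationship.lower())
    return f"{_tag(name, secret)}.{name}@{domain}"


def classify(recipient: str, secret: bytes = SECRET, domain: str = DOMAIN):
    """Return the relationship name for a genuine alias, None for sprayed or forged mail."""
    local, _, dom = recipient.strip().lower().rpartition("@")
    if dom != domain:
        return None
    tag, _, name = local.partition(".")
    if not re.fullmatch(r"[a-z0-9]+", name):
        return None
    return name if hmac.compare_digest(tag, _tag(name, secret)) else None


def triage(recipients):
    """Group inbound envelope recipients: which relationship leaked vs. sprayed guesses."""
    known, sprayed = {}, []
    for rcpt in recipients:
        who = classify(rcpt)
        (known.setdefault(who, []) if who else sprayed).append(rcpt)
    return {"known": known, "sprayed": sprayed}


# Constructed inbound sample: a genuine alias, a dictionary guess, and a forged tag.
SAMPLE = [
    make_alias("Joe's Toy Hut"),
    "info@example.com",
    "zzzzzz.bestbuy@example.com",
]
```

Anything landing in `sprayed` can be dropped at the catch-all, while a flood to a `known` alias tells you which relationship sold or lost the address and can be cut off by retiring just that alias.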

Great points and suggestions. Thank you for taking the time. I love this. I’ve bookmarked this response for later in-depth consideration.

  • Well…I have one GENERAL domain that I would use for something like this or to PLAY with. I often use it for making my own short codes rerouting, etc for personal use and for some others.
  • The 3 franchises we own have their websites go through something arranged by corporate and it would be inappropriate to use those this way.
  • The real-estate businesses do not need a website. We basically have another company do all the managing, etc for us (sometimes the HOA even handles it as part of the agreement), or in a couple of cases, just have tenants do payments through already established methods (Paypal, by mail, and other such things where we don’t need our own website…though we mostly sold those properties in favor of ones that we can have someone else manage instead).
  • Another one I do have a sub-domain for the business and app/platform it is based on, but I am not exclusively in control of the email addresses, and non-assigned emails would not come to me.
  • And my other business (an S-CORP) is primarily [though not exclusively] bookkeeping related, and I have more than enough clients and get them easily. I would not have more than a few clients at a time (some have tried to refer me more business, and I turn them down). I have no need for a website in this case.

Anyway…the point is that I only really have one “play with” personal domain that I am fully in control of without needing other considerations or potentially interfering with business…I got the one I have mostly to learn and play around with WordPress…I almost got rid of it, but some colleagues of mine desperately love some of my shortlinks and a few embedded spreadsheets and information I organized for them on it…so I’ve kept it since they love the references I made for them. Though I think Bluehost basically told me I can get as many other domains as I want for as little as like $5/yr now, so maybe I will get more in the future. I might get one exclusively for this project, something with a shorter name. We’ll see. :man_shrugging:

Regardless, thanks, I love your response. I can now feel like my play domain has a real useful use for me again. :slight_smile:

2 Likes