Skip to main content

I’m done with Wyze

Image: Wyze

I just threw my Wyze home security cameras in the trash. I’m done with this company.

I just learned that for the past three years, Wyze has been fully aware of a vulnerability in its home security cameras that could have let hackers look into your home over the internet — but chose to sweep it under the rug. And the security firm that found the vulnerability largely let them do it.

Instead of patching it, instead of recalling it, instead of just, you know, saying something so I could stop pointing these cameras at my kids, Wyze simply decided to discontinue the WyzeCam v1 this January without a full explanation. But on Tuesday, security research firm Bitdefender finally shed light on why Wyze stopped selling it: because someone could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading its video feed.

Nowhere is Wyze saying anything like that to customers like me. Not when it discontinued the camera, not in the three years since Bitdefender brought it to Wyze’s attention in March 2019, and possibly not ever: Wyze spokesperson Kyle Christensen told me that as far as the company is concerned, it’s already been transparent with its customers and has “fully corrected the issue”. But Wyze only corrected it for newer versions of the WyzeCam, and even then it only finished patching the v2 and v3 on January 29th, 2022, according to BleepingComputer.

As far as being transparent, the most I’ve seen Wyze tell customers was that “your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk.” It also sometimes sends vague emailed messages like this to its customers, which I used to appreciate but am now retroactively questioning:

 Screenshot by Sean Hollister / The Verge
From a January 6th email titled “Terms of Service and Security Updates”

When I read those words about “increased risk” in our Verge post regarding the WyzeCam v1’s discontinuation, I remember thinking it just referred to future security updates — not a major vulnerability that already exists.


Here’s another question, though: Why on earth would Bitdefender not disclose this for three whole years, when it could have forced Wyze’s hand?

According to the security research firm’s own disclosure timeline (PDF), it reached out to Wyze in March 2019 and didn’t even get a response until November 2020, a year and eight months later. Yet Bitdefender chose to keep quiet until just yesterday.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.

“Even the US government has a 45-day default disclosure deadline to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.

I asked Bitdefender about this, and PR director Steve Fiore had an explanation, but it doesn’t sit well with me. Here it is in full:

Our findings were so serious, our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze’s acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Especially since the vendor didn’t have a known (to us) a security process / framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).

We have delayed publishing reports (iBaby Monitor M6S cameras) for longer periods for the same reason before. The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting.

We understand that this is not necessarily a common practice with other researchers, but disclosing the findings before having the vendor provide patches would have put a lot people at risk. So when Wyze did eventually communicate and provided us with credible information on their capability to address the issues reported, we decided to allow them time and granted extensions.

Waiting sometimes makes sense. Both of the experts I spoke to, Moussouris and Stamos, independently brought up the infamous Meltdown computer CPU vulnerabilities as an example of where balancing security and disclosure was difficult — because of how many people were affected, how deeply embedded the computers might be, and how difficult they are to fix.

But a $20 consumer smart home camera just sitting on my shelf? If Bitdefender put out a press release two years ago that Wyze had a flaw it’s not fixing, it’s damn easy to stop using that camera, not buy any more of them, and pick a different one instead. “There’s an easy mitigation strategy for affected customers,” Stamos says.

The iBaby Monitor example that Bitdefender brings up is a little ironic too — because there, Bitdefender actually did force a company to action. When Bitdefender and PCMag revealed that the baby monitor company hadn’t patched its security hole, the resulting bad publicity pushed them to fix it just three days later.

Days, not years.

 Photo by Sean Hollister / The Verge
Not joking.

Now if you’ll excuse me, I need to go say goodbye to those Wyze earbuds I liked, because I’m serious about being done with Wyze. I was willing to write off the company’s disastrous leak of 2.4 million customers’ data as a mistake, but it doesn’t look like the company made one here. If these flaws were bad enough to discontinue the camera in 2022, customers deserved to know that back in 2019.



Source: The Verge

Popular posts from this blog

The hidden cost of food delivery

Noah Lichtenstein Contributor Share on Twitter Noah Lichtenstein is the founder and managing partner of Crossover , a diversified private technology fund backed by institutional investors, technology execs and professional athletes and entertainers. More posts by this contributor What Studying Students Teaches Us About Great Apps I’ll admit it: When it comes to food, I’m lazy. There are dozens of great dining options within a few blocks of my home, yet I still end up ordering food through delivery apps four or five times per week. With the growing coronavirus pandemic closing restaurants and consumers self-isolating, it is likely we will see a spike in food delivery much like the 20% jump China reported during the peak of its crisis. With the food delivery sector rocketing toward a projected $365 billion by the end of the decade, I’m clearly not the only one turning to delivery apps even before the pandemic hit. Thanks to technology (and VC funding) we can get a ri

Technics EAH-AZ60 review: Contending in stunning fashion

Technics serves notice that everyone should notice these earbuds. Technics ventured into the wireless earbuds category to go after the big dogs in the race. Think of the likes of Sony, Bose, and Sennheiser on sound quality, as well as the best you can find on design and functionality. It's a combination that comes at a price, but if done right, it gets easier to justify spending more. That's the case Technics makes with its EAH-Z60 earbuds. Its newest pair aims to take what the company has done in the past and make it even better. The results are easy to like and are significant enough to consider them as serious contenders. Technics EAH-AZ60 review: Price and availability What's good What's not good The competition Should you buy? At a glance Technics EAH-AZ60 Bottom line: Technics didn't just do one thing right with the EAH-AZ60. It covered almost the whole gamut of what makes wireless earbuds feel and sound exceptional. As a result, the p

iOS 14 Favorites Widget: How to Make a Replacement With Shortcuts

In iOS 14 , Apple overhauled widgets and introduced an option for adding ‌widgets‌ to the Home Screen , but in the process, a well-loved Favorites widget that existed in iOS 13 was removed. The Favorites widget let users set certain contacts and contact methods as favorites that were easily accessible, so you could, for example, add a favorite option for messaging Eric or calling Dan, with those actions executed with a tap. Why the Favorites widget was removed is a mystery and it could be a simple oversight with Apple planning to reintroduce it later, but for now, those who relied on the widget can recreate its functionality with Shortcuts. It takes some effort, but it may be worth the time investment if you often relied on your Favorites. Creating a Favorites Shortcut Making a shortcut that replicates the behavior of the Favorites widget isn't too tough, but if you want multiple favorite options, you'll need to create a separate shortcut for each one in the Shortcuts

Top Stories: Apple Event Preview, iPad Pro With M4 Chip Rumor, New Beats Headphones, and More

It's been a long time since the last one, but an Apple event is finally right around the corner! While it's anticipated to be a fairly short pre-recorded affair, we're expecting to see the first updates to the iPad lineup in over a year and half, so make sure to tune in to see what Apple has in store. Other news and rumors this week included a couple of product introductions from Apple's Beats brand, a roundup of rumors about updates to Apple's stock apps coming in iOS 18, and more changes to Apple's policies in the EU related to the Digital Markets Act, so read on below for all the details! What to Expect From the May 7 Apple Event Apple's first event of 2024 kicks off on Tuesday, May 7, at 7 a.m. Pacific Time, and we've put together our usual pre-event guide outlining what we're expecting to see on Tuesday. Several new products are expected to be unveiled, including two new iPad Pro models, two new iPad Air models, an updated Apple Pencil,