Skip to main content

I’m done with Wyze

Image: Wyze

I just threw my Wyze home security cameras in the trash. I’m done with this company.

I just learned that for the past three years, Wyze has been fully aware of a vulnerability in its home security cameras that could have let hackers look into your home over the internet — but chose to sweep it under the rug. And the security firm that found the vulnerability largely let them do it.

Instead of patching it, instead of recalling it, instead of just, you know, saying something so I could stop pointing these cameras at my kids, Wyze simply decided to discontinue the WyzeCam v1 this January without a full explanation. But on Tuesday, security research firm Bitdefender finally shed light on why Wyze stopped selling it: because someone could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading its video feed.

Nowhere is Wyze saying anything like that to customers like me. Not when it discontinued the camera, not in the three years since Bitdefender brought it to Wyze’s attention in March 2019, and possibly not ever: Wyze spokesperson Kyle Christensen told me that as far as the company is concerned, it’s already been transparent with its customers and has “fully corrected the issue”. But Wyze only corrected it for newer versions of the WyzeCam, and even then it only finished patching the v2 and v3 on January 29th, 2022, according to BleepingComputer.

As far as being transparent, the most I’ve seen Wyze tell customers was that “your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk.” It also sometimes sends vague emailed messages like this to its customers, which I used to appreciate but am now retroactively questioning:

 Screenshot by Sean Hollister / The Verge
From a January 6th email titled “Terms of Service and Security Updates”

When I read those words about “increased risk” in our Verge post regarding the WyzeCam v1’s discontinuation, I remember thinking it just referred to future security updates — not a major vulnerability that already exists.


Here’s another question, though: Why on earth would Bitdefender not disclose this for three whole years, when it could have forced Wyze’s hand?

According to the security research firm’s own disclosure timeline (PDF), it reached out to Wyze in March 2019 and didn’t even get a response until November 2020, a year and eight months later. Yet Bitdefender chose to keep quiet until just yesterday.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.

“Even the US government has a 45-day default disclosure deadline to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.

I asked Bitdefender about this, and PR director Steve Fiore had an explanation, but it doesn’t sit well with me. Here it is in full:

Our findings were so serious, our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze’s acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Especially since the vendor didn’t have a known (to us) a security process / framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).

We have delayed publishing reports (iBaby Monitor M6S cameras) for longer periods for the same reason before. The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting.

We understand that this is not necessarily a common practice with other researchers, but disclosing the findings before having the vendor provide patches would have put a lot people at risk. So when Wyze did eventually communicate and provided us with credible information on their capability to address the issues reported, we decided to allow them time and granted extensions.

Waiting sometimes makes sense. Both of the experts I spoke to, Moussouris and Stamos, independently brought up the infamous Meltdown computer CPU vulnerabilities as an example of where balancing security and disclosure was difficult — because of how many people were affected, how deeply embedded the computers might be, and how difficult they are to fix.

But a $20 consumer smart home camera just sitting on my shelf? If Bitdefender put out a press release two years ago that Wyze had a flaw it’s not fixing, it’s damn easy to stop using that camera, not buy any more of them, and pick a different one instead. “There’s an easy mitigation strategy for affected customers,” Stamos says.

The iBaby Monitor example that Bitdefender brings up is a little ironic too — because there, Bitdefender actually did force a company to action. When Bitdefender and PCMag revealed that the baby monitor company hadn’t patched its security hole, the resulting bad publicity pushed them to fix it just three days later.

Days, not years.

 Photo by Sean Hollister / The Verge
Not joking.

Now if you’ll excuse me, I need to go say goodbye to those Wyze earbuds I liked, because I’m serious about being done with Wyze. I was willing to write off the company’s disastrous leak of 2.4 million customers’ data as a mistake, but it doesn’t look like the company made one here. If these flaws were bad enough to discontinue the camera in 2022, customers deserved to know that back in 2019.



Source: The Verge

Popular posts from this blog

FCC approves broadband 'nutrition labels' to help you shop for internet

The FCC is pushing nutrition labels for internet providers. What you need to know The FCC has voted to move forward with new rules for ISPs to display nutrition labels. The proposed rulemaking would mandate ISPs to display relevant speed and pricing information to consumers. This should make it easier for consumers to make an informed decision on their broadband. The FCC voted unanimously on a plan that would allow consumers to make better decisions about their broadband internet. The proposal will require internet service providers (ISPs) - including many of the best wireless carriers in the U.S. — to display "nutrition labels" that display relevant service information for consumers at point-of-sale. This includes internet speeds, allowances, and clear information on rates. "If you walk into any grocery store and pull boxes of cereal from the shelves, you can easily compare calories and carbohydrates," FCC Chair Jessica Rosenworcel said in a statemen

Yandex spins out self-driving car unit from its Uber JV, invests $150M into newco

Self-driving cars are still many years away from becoming a ubiquitous reality, but today one of the bigger efforts to build and develop them is taking a significant step out as part of its strategy to be at the forefront for when they do. Yandex — the publicly-traded Russian tech giant that started as a search engine but has expanded into a number of other, related areas (similar to US counterpart Google) — today announced that it is spinning out its self-driving car unit from MLU BV — a ride-hailing and food delivery joint venture it operates in partnership with Uber. The move comes amid reports that Yandex and Uber were eyeing up an IPO for MLU  last year. At the time, the JV was estimated to be valued at around $7.7 billion. It’s not clear how those plans will have been impacted in recent months, with COVID-19 putting huge pressure on ride-hailing and food-delivery businesses globally, and IPOs generally down compared to a year ago. In that context, spinning out the unit could

Slack’s new integration deal with AWS could also be about tweaking Microsoft

Slack and Amazon announced a big integration late yesterday afternoon. As part of the deal, Slack will use Amazon Chime for its call feature, while reiterating its commitment to use AWS as its preferred cloud provider to run its infrastructure. At the same time, AWS has agreed to use Slack for internal communications. Make no mistake, this is a big deal as the SaaS communications tool increases its ties with AWS, but this agreement could also be about slighting Microsoft and its rival Teams product by making a deal with a cloud rival. In the past Slack CEO Stewart Butterfield has had choice words for Microsoft saying the Redmond technology giant sees his company as an “existential threat.” Whether that’s true or not — Teams is but one piece of a huge technology company — it’s impossible not to look at the deal in this context. Aligning more deeply with AWS sends a message to Microsoft, whose Azure infrastructure services compete with AWS. Butterfield didn’t say that of course

Xbox One S vs. Xbox One X: Which should you buy?

http://bit.ly/2v1agl5 We live and breathe tech, and also gaming, with every member of Windows Central rocking either an Xbox One console or PC gaming rig. We've compared and contrasted every iteration of Xbox One to bring you this guide. Xbox One X Raw 4K power From $299 at Amazon Pros Has thousands of games 4K media apps, Blu-ray discs, and games IR blaster for TV controls, Amazon Echo for voice controls Improved HDD speeds for faster loading times Cons More expensive at around $500 RRP Requires a 4K TV to get the most out of it The Xbox One X is the world's most powerful games console, running the latest games with the crispest, detailed visuals on TV sets with 4K HDR support. Xbox One S More affordable From $226 at Amazon Pros Has thousands of games 4K media apps and Blu-ray IR blaster for TV controls, Amazon Echo for voice controls More affordable at around $300 RRP Cons No 4K games Games run worse, even on a 1080p TV The Xbox One S i