Skip to main content

I’m done with Wyze

Image: Wyze

I just threw my Wyze home security cameras in the trash. I’m done with this company.

I just learned that for the past three years, Wyze has been fully aware of a vulnerability in its home security cameras that could have let hackers look into your home over the internet — but chose to sweep it under the rug. And the security firm that found the vulnerability largely let them do it.

Instead of patching it, instead of recalling it, instead of just, you know, saying something so I could stop pointing these cameras at my kids, Wyze simply decided to discontinue the WyzeCam v1 this January without a full explanation. But on Tuesday, security research firm Bitdefender finally shed light on why Wyze stopped selling it: because someone could access your camera’s SD card from over the internet, steal the encryption key, and start watching and downloading its video feed.

Nowhere is Wyze saying anything like that to customers like me. Not when it discontinued the camera, not in the three years since Bitdefender brought it to Wyze’s attention in March 2019, and possibly not ever: Wyze spokesperson Kyle Christensen told me that as far as the company is concerned, it’s already been transparent with its customers and has “fully corrected the issue”. But Wyze only corrected it for newer versions of the WyzeCam, and even then it only finished patching the v2 and v3 on January 29th, 2022, according to BleepingComputer.

As far as being transparent, the most I’ve seen Wyze tell customers was that “your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk.” It also sometimes sends vague emailed messages like this to its customers, which I used to appreciate but am now retroactively questioning:

 Screenshot by Sean Hollister / The Verge
From a January 6th email titled “Terms of Service and Security Updates”

When I read those words about “increased risk” in our Verge post regarding the WyzeCam v1’s discontinuation, I remember thinking it just referred to future security updates — not a major vulnerability that already exists.


Here’s another question, though: Why on earth would Bitdefender not disclose this for three whole years, when it could have forced Wyze’s hand?

According to the security research firm’s own disclosure timeline (PDF), it reached out to Wyze in March 2019 and didn’t even get a response until November 2020, a year and eight months later. Yet Bitdefender chose to keep quiet until just yesterday.

In case you’re wondering, no, that is not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a little outdated and heavily depends on the situation, we’re generally measuring in days, not years. “The majority of researchers have policies where if they make a good faith effort to reach a vendor and don’t get a response, that they publicly disclose in 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.

“Even the US government has a 45-day default disclosure deadline to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.

I asked Bitdefender about this, and PR director Steve Fiore had an explanation, but it doesn’t sit well with me. Here it is in full:

Our findings were so serious, our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze’s acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Especially since the vendor didn’t have a known (to us) a security process / framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).

We have delayed publishing reports (iBaby Monitor M6S cameras) for longer periods for the same reason before. The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting.

We understand that this is not necessarily a common practice with other researchers, but disclosing the findings before having the vendor provide patches would have put a lot people at risk. So when Wyze did eventually communicate and provided us with credible information on their capability to address the issues reported, we decided to allow them time and granted extensions.

Waiting sometimes makes sense. Both of the experts I spoke to, Moussouris and Stamos, independently brought up the infamous Meltdown computer CPU vulnerabilities as an example of where balancing security and disclosure was difficult — because of how many people were affected, how deeply embedded the computers might be, and how difficult they are to fix.

But a $20 consumer smart home camera just sitting on my shelf? If Bitdefender put out a press release two years ago that Wyze had a flaw it’s not fixing, it’s damn easy to stop using that camera, not buy any more of them, and pick a different one instead. “There’s an easy mitigation strategy for affected customers,” Stamos says.

The iBaby Monitor example that Bitdefender brings up is a little ironic too — because there, Bitdefender actually did force a company to action. When Bitdefender and PCMag revealed that the baby monitor company hadn’t patched its security hole, the resulting bad publicity pushed them to fix it just three days later.

Days, not years.

 Photo by Sean Hollister / The Verge
Not joking.

Now if you’ll excuse me, I need to go say goodbye to those Wyze earbuds I liked, because I’m serious about being done with Wyze. I was willing to write off the company’s disastrous leak of 2.4 million customers’ data as a mistake, but it doesn’t look like the company made one here. If these flaws were bad enough to discontinue the camera in 2022, customers deserved to know that back in 2019.



Source: The Verge

Popular posts from this blog

Review: The Teracube 2e is a more sustainable phone that you can afford

It just got easier to be green. If you know me or read my work here at AC, you know that I feel strongly about a few things when it comes to smartphones and consumer tech, and those things are not necessarily what some of my colleagues or others in the tech-sphere care about. You can have your 10x optical zoom cameras, folding phones, and 50W wireless charging devices all day, but I'm more interested in affordable to mid-range devices that last longer than you'd expect and which are at least trying to do environmental and social good. Sounds great, but it seems that it's harder to find this combination of features in a phone than the ultra-premium specced-out devices we typically talk about here on this website. That's why I was excited when I had the chance to write this Teracube 2e review. Teracube is a relatively new smartphone OEM based out of Redmond, WA, and founder Sharad Mittal's stated goal is to change the "disposable nature of the consumer ele

Google's new Guest Mode is like incognito mode for Google Assistant

Your interactions with Google Assistant will not be saved when Guest Mode is turned on. What you need to know Google Assistant is getting a new Guest Mode for privacy-conscious users. When it's turned on, the virtual assistant will not save any of its interactions with you. Turning it on and off is as simple as a single voice command. Google this week announced a new Guest Mode for its virtual assistant that's designed with privacy-conscious folks in mind. A simple "Hey Google, turn on Guest Mode" will ensure that none of your interactions with Google Assistant are collected by the company and nor will they be used to 'personalize your experience' — often an indirect way of referring to targeted ads. When it's on, the Assistant will play a special chime to let you know. Smart displays with Assistant will also show a guest icon on the screen. And you can always check for yourself by saying, "Hey Google, is Guest Mode on?" Even with G

Spotify Q1 beats on sales of $2B with monthly active users up 31% to 286M

The coronavirus may be decimating some corners of the economy, but the impact on the digital music, as evidenced by the world’s biggest music streaming company, appears to be minimal. Today Spotify reported its earnings for Q1 with revenues of €1.848 billion ($2 billion at today’s rates) and an inching into a positive net income of $1 million. Monthly active users (not total subscribers) now stand at 286 million, with paid (premium) users at 130 million and ad-supported monthly active users at 163 million. Ad-supported users are growing at a slightly higher rate at the moment, at 32% versus 31%, Spotify said. Spotify beat  analysts’ forecasts on both sales — they had on average been expecting revenues of $1.86 billion — and EPS, which had been forecast to be -$0.49 but came in at -$0.20 on a diluted basis and $0.00 undiluted. The numbers underscore the positive signals we’ve had from the wider industry. More generally, we have seen a huge boost in streaming media services — includ

Adobe is giving students and teachers free access to Creative Cloud

Your university's IT admin will need to make an application for access. What you need to know Adobe is temporarily making Creative Cloud free for teachers and students. The offer is aimed at enabling them to continue being productive as they work and study from home. Students cannot individually avail the promo, however, as the application for access needs to be made by a university's IT admin. As universities around the world shut their campuses and organizations ask their employees to work from home, many tech companies are making their products available to educational institutes free for use. Google and Microsoft have both made their large-scale communication and videoconferencing tools free for everyone, and now Adobe is temporarily giving free Creative Cloud access to students and teachers. The subscription, which usually costs $79.49 per month, will give affected students and teachers access to the entire range of Adobe's applications, such as Photoshop