I threw the cameras in the trash. I'm done with this company.
I just learned that for the past three years, Wyze has been aware of a vulnerability in its home security cameras that could have let hackers look into your home over the internet, but chose to sweep it under the rug. The security firm let them do it.
Instead of patching it, Wyze decided to stop selling the WyzeCam v1 in January without giving a full explanation. Wyze stopped selling it because someone could access your camera's card over the internet, steal the encryption key, and start watching and downloading its video feed, according to a security research firm.
Wyze doesn't say anything like that to customers like me. Not when it discontinued the camera, not in the three years since it was brought to Wyze's attention, and possibly not ever. Wyze patched the v2 and v3 on January 29th, 2022, but only corrected it for newer versions.
Wyze told customers that their continued use of the WyzeCAM after February 1, 2022, carries increased risk, is discouraged by Wyze, and is entirely at their own risk.
When I read the words "increased risk" in our post about the discontinuation of the WyzeCAM, I thought it was just a reference to future security updates.
Why would a company not reveal this for three years, when it could have forced Wyze's hand?
Why are we just hearing about this now?
The security research firm reached out to Wyze in March and didn't get a response until November 2020. Bitdefender kept quiet until yesterday.
That is not normal in the security community. The concept of a responsible disclosure timeline is a little outdated and depends on the situation, but we are generally measuring in days, not years.
Even the US government has a default disclosure deadline to prevent vendors from burying bug reports and never fixing them.
Steve Fiore, the PR director for Bitdefender, had an explanation, but it didn't sit well with me. Here is the full version.
Our findings were so serious, our decision, regardless of our usual 90-day-with-grace-period-extensions-policy, was that publishing this report without Wyze’s acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Especially since the vendor didn’t have a known (to us) a security process / framework in place. Wyze actually implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).
We have delayed publishing reports (iBaby Monitor M6S cameras) for longer periods for the same reason before. The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting.
We understand that this is not necessarily a common practice with other researchers, but disclosing the findings before having the vendor provide patches would have put a lot people at risk. So when Wyze did eventually communicate and provided us with credible information on their capability to address the issues reported, we decided to allow them time and granted extensions.
Sometimes waiting makes sense. The experts I spoke to, Stamos and Moussouris, both said that balancing security and disclosure was difficult because of how many people were affected and how deeply embedded the computers might be.
A $20 consumer smart home camera is sitting on my shelf. It's easy to stop using that camera, not buy any more of them, and pick a different one if a press release from two years ago is any indication.
It's ironic that the iBaby Monitor example that Bitdefender brings up is a company that was forced to take action. The baby monitor company was forced to fix its security hole three days later after bad publicity.
It's days, not years.
I need to say goodbye to those Wyze earbuds because I'm done with them. I was willing to write off the company's disastrous leak of 2.4 million customers' data as a mistake, but it doesn't look like the company made one here. Customers deserved to know that the camera would be discontinued in 2022, if the flaws were bad enough.