Media outlets are reporting that Wyze knew for three years about a security flaw that rendered its security cameras vulnerable to hackers. But in all that time, it did not tell its customers about the problem.
News of the flaw broke on Tuesday. Wyze, long know for its inexpensive but useful security cameras, has since responded to the controversy, as noted below.
Wyze knew of cameras’ vulnerability to hackers for 3 years
On Tuesday, cybersecurity firm Bitdefender published a blog post and white paper detailing the security issue. The flaw would have allowed a hacker to gain unauthenticated remote access to the contents of a Wyze V1 camera’s SD card. So an intruder could see and potentially download the video stored there.
Even worse, Bitdefender’s paper shows that Wyze learned of the vulnerability to its V1 camera back in March 2019. Bitdefender has also revealed two other undisclosed Wyze camera vulnerabilities that were patched in September 2019 and November 2020.
Wyze’s response
In response to the newly released but longstanding vulnerability, Wyze published a blog post. In part, it said for hackers to exploit the security flaw, they would have to compromise the user’s local network or gain access via the open internet. As the company put it:
We first would like to let our users know that these vulnerabilities required some form of local network access. So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely (rest assured you shouldn’t and likely don’t have a setup like this).
That suggests a relatively small likelihood of a hacker gaining access to a Wyze camera. And, if you’ve updated the firmware on your V2 or V3 cameras, the vulnerability is now fixed, as of a January 29 update. But V1 cameras, which Wyze stopped supporting in February, remain at risk. Wyze referred to it:
Unfortunately, despite extensive efforts stretching into 2022, we found Wyze Cam v1 (last sold in March 2018) couldn’t support the necessary security updates. The limited camera memory that prompted us to create Wyze Cam v2 directly prevented patching these issues on that product.
But no disclosure for 3 years?
But the fact remains that the company failed to disclose vulnerabilities to customers for three years. It’s not unusual for companies to hesitate before revealing a flaw for weeks. That’s weeks, not years. And Wyze commented on that, too:
You might be wondering, ‘Why am I just hearing about this now?’ Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.
Given the frequent home use of security cameras like the ones Wyze makes, the ramifications of the security flaw and the failure to disclose it seem serious — to both privacy and personal security. If you’re a customer, would you trust Wyze going forward? Let us know in the comments below.
