I just threw my Wyze security cameras in the trash. I’m done with this company.
I just learned that for the past three years, Wyze has been aware of a vulnerability in its home security cameras that could have let hackers spy on your home over the internet, but chose to sweep it under the rug. And the security company that found the vulnerability largely let it get away with that.
Instead of patching it, instead of recalling it, instead of just, you know, saying something so I could stop pointing these cameras at my kids, Wyze simply discontinued the WyzeCam v1 this January without a full explanation. But on Tuesday, security research firm Bitdefender finally shed light on why Wyze stopped selling it: someone could access the camera’s SD card over the internet, steal the encryption key, and start viewing and downloading the video feed.
Wyze never said anything like that to customers like me. Not when it discontinued the camera, not in the three years since Bitdefender brought the flaw to Wyze’s attention in March 2019, and possibly never: Wyze spokesman Kyle Christensen told me the company has already been transparent with its customers about how it dealt with the issue and has “completely fixed the problem”. But Wyze only fixed it for newer versions of the WyzeCam, and even then it didn’t finish patching the v2 and v3 until January 29, 2022, according to BleepingComputer.
As far as transparency goes, the most I’ve seen Wyze tell customers is that “your continued use of WyzeCam after February 1st, 2022 carries increased risk, is discouraged by Wyze and is entirely at your own risk”. It also occasionally sends vague emails like this to its customers, which I used to appreciate but now question in retrospect.
When I read those words about “increased risk” in our Verge post about the WyzeCam v1 discontinuation, I remember thinking they just referred to future security updates, not to a major vulnerability that already existed.
Here’s another question, though: why on earth wouldn’t Bitdefender disclose this for three whole years, when doing so could have forced Wyze’s hand?
According to the security research firm’s own disclosure timeline (PDF), it reached out to Wyze in March 2019 and didn’t get a single reply until November 2020, one year and eight months later. Yet Bitdefender chose to remain silent until yesterday.
In case you’re wondering, no, this is not normal in the security community. While experts tell me the concept of a “responsible disclosure timeline” is somewhat outdated and highly situational, it is generally measured in days, not years. “The majority of researchers have policies that if they make a good-faith effort to reach a provider and don’t receive a response, they will publicly disclose within 30 days,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.
“Even the US government has a 45-day disclosure period to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes.
I asked Bitdefender about it, and PR director Steve Fiore had an explanation, but it doesn’t sit right with me. Here it is in full:
So serious were our findings that, notwithstanding our usual 90-day grace period extension policy, our decision was that without Wyze’s confirmation and mitigation, releasing this report would potentially expose millions of customers with unknown impacts. Especially since the vendor (Wyze) had no known security process/framework. Based on our findings, Wyze actually implemented one last year (https://www.wyze.com/pages/security-report).
For the same reason, we delayed the publication of reports (iBaby Monitor M6S cameras) for a long time. The impact of releasing the results, combined with our lack of information on the vendor’s ability to address the consequences, dictated our wait.
We understand that this is not necessarily common practice among other researchers, but disclosing the results before the vendor provides patches would have put many people at risk. When Wyze finally communicated and provided us with credible information about their ability to fix the reported issues, we decided to give them time and grant extensions.
Waiting sometimes makes sense. The two experts I spoke to, Moussouris and Stamos, independently brought up the notorious Meltdown CPU vulnerability as an example of where balancing security and disclosure was difficult, because of how many people were affected, how deeply embedded the vulnerable chips were, and how hard they were to fix.
But a $20 consumer smart home camera just sitting on my shelf? If Bitdefender had put out a press release two years ago saying Wyze had a bug it wasn’t fixing, it would have been pretty damn easy to stop using that camera, stop buying it, and pick a different one instead. “There is a simple mitigation strategy for affected customers,” says Stamos.
The iBaby Monitor example that Bitdefender cites is also a bit ironic, because that is actually a case where Bitdefender did compel a company to act. When Bitdefender and PCMag revealed that the baby monitor company hadn’t patched its vulnerability, the resulting bad publicity drove it to fix the flaw just three days later.
Days, not years.
Now, if you’ll excuse me, I have to say goodbye to those Wyze earbuds I liked, because I’m serious about being done with Wyze. I was ready to write off the catastrophic leak of the company’s 2.4 million customer records as a mistake, but it doesn’t look like the company made a mistake here. If the flaws were bad enough to discontinue the camera in 2022, customers should have known about them in 2019.
Source: “Knowing that hackers could access your camera remotely for three years, Wyze said nothing” (https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure)