UPDATE April 1, 2022. Wyze has published a blog post in response to the controversy surrounding its recently disclosed security vulnerabilities. You can read it in full here. One point the post emphasizes is that the flaws are only exploitable by an attacker who already has access to the user's local network, or whose network has been exposed to the open internet:
“We first would like to let our users know that these vulnerabilities required some form of local network access. So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely (rest assured you shouldn’t and likely don’t have a setup like this).”
So, yes, it should be noted that the likelihood that your camera has actually been hacked is probably relatively small. And if you've updated the firmware on your V2 or V3 cameras, they are no longer vulnerable to these particular flaws. The V1s, however, remain vulnerable to these issues, and will remain so for the foreseeable future. Wyze also expands on this in its update:
Unfortunately, despite extensive efforts stretching into 2022, we found Wyze Cam v1 (last sold in March 2018) couldn’t support the necessary security updates. The limited camera memory that prompted us to create Wyze Cam v2 directly prevented patching these issues on that product.
The broader point still stands, however, that the company failed to disclose these vulnerabilities to its customers for three years. Here, the company has also responded:
You might be wondering, “Why am I just hearing about this now?” Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.
If you have a Wyze security camera, my suggestion would be to rip it out of the wall and throw it in the nearest trashcan. For the past three years, a glaring security vulnerability has sat festering in the company’s V1, V2, and V3 internet-connected cameras—the likes of which would have allowed hackers to access stored video on the devices and watch what was going on. The company apparently knew about this the entire time and was very slow in making moves to patch it. They also neglected to tell anybody.
News of this whole disaster originally broke on Tuesday, when cybersecurity firm Bitdefender published a blog and a white paper revealing the security issue. The flaw, which currently has no official designation, would have allowed a hacker to gain unauthenticated remote access to the contents of a Wyze camera’s SD card. This means that an intruder could quite easily see the video stored inside and even potentially download it. Given that lots of people use these cameras inside their homes as well as externally, the privacy risks inherent in the products are quite disturbing.
Worse still, Bitdefender's paper reveals that the vulnerability was originally discovered and reported to Wyze back in March of 2019. Bitdefender has also revealed two other previously undisclosed vulnerabilities that had troubled the camera line: an authentication bypass flaw tracked officially as CVE-2019-9564, and a remote code execution vulnerability, CVE-2019-12266. Those two bugs were patched in earlier firmware updates on September 24, 2019, and November 9, 2020, respectively.
Wyze finally issued patches for the SD card vulnerability in a January 29th update that fixed the issue for its V2 and V3 cameras. However, Wyze stopped supporting its V1 camera in February, meaning that no further security updates are possible for that model, and it will remain vulnerable to this uniquely intrusive security risk. Indeed, it appears that the company retired the V1 precisely because "hardware limitations" prevented it from issuing a security update to patch these vulnerabilities.
At the time of the V1's retirement, the company issued a vague warning that continuing to use the outmoded product could lead to "increased risk," but didn't specifically mention a known security flaw that could let attackers retrieve the video stored on the camera. That might have been good to know.
The Verge has also questioned Bitdefender’s decision not to disclose the security issues earlier. The company’s disclosure timeline provided in its white paper clearly shows that it quite consistently attempted to get Wyze to heed its warnings about the security flaw. But if Bitdefender understood these serious consumer risks for three years, why wait around for Wyze to get on the same page if the company seemed unresponsive? We reached out to the security company for a better understanding of this and will update our story if they respond.
When reached for comment, a Wyze representative reiterated to Gizmodo that the problem areas had been patched. The representative also provided us with a statement. It reads, in part:
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously. We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.
Here at Gizmodo, we’ve actually written about the Wyze cameras a little bit. The cameras had a reputation for being a cheaper but effective alternative to more well-known home security brands like Nest. But those selling points probably have little appeal now. In short: it’s hard to imagine how customers are supposed to trust Wyze after this and, for a security company, trust is pretty much everything.
We have updated this post to provide additional context around the Wyze security camera vulnerabilities.