Wyze has made its name offering capable home security products for startlingly low prices. Whereas you might pay $200 for a Google Nest security camera, Wyze offers devices that are almost as good for literally one-tenth the price. It turns out that $20 security camera on your shelf might not be such a good deal. A new disclosure from security firm Bitdefender reveals that the company’s cameras had a major security vulnerability that could allow an attacker to remotely access your video, and Wyze has known about it for three years. Plus, the Wyze V1 is still broken and will not be fixed. It almost goes without saying, but if you’ve got a Wyze V1 around, get rid of it.
Unlike Google, Ring, or the other makers of popular security cameras, Wyze does not make its own hardware. It re-badges products from China with new firmware and app support. It offers cheap security cameras, but also robot vacuums, headphones, smart scales, smartwatches, and more. They’re all priced below competing products and generally are not quite as good. But hey, a $20 security camera? Wyze sold a boatload of them.
The issue lies in how the cameras use their internal microSD card storage. The camera creates a symlink in the www directory, giving the webserver direct access to the videos stored on the camera so you can stream them to your app. However, Wyze implemented no access restrictions in this system, and that means an attacker can use a pair of vulnerabilities to collect the UID (unique identification number) and the ENR (AES encryption key). At that point, they can access your camera as if they were you.
Wyze’s response to this was insufficient. It quietly discontinued the V1 camera early this year, and it patched the newer versions. It said that continuing to use the original cam carried “increased risk.” It didn’t say anything about the risk of using it for the last three years with a gaping security hole. The newer V2 and V3 cameras were patched to block the exploit.
This email from January is the only official communication from Wyze on the security issue.
We’re used to security flaws being patched and/or disclosed in relatively short order, usually measured in weeks or months. But three years? Bitdefender initially reached out to Wyze in March 2019, and it didn’t hear back until November 2020. According to The Verge, Bitdefender gave Wyze some leeway because of the severity of the bug and Wyze’s slow progress toward fixing it. Wyze didn’t even have a security framework in place to address bugs like this until 2021.
But at the end of the day, this is a $20 security camera — not a major investment. It’s one that I have actually used in the past, and I would have appreciated knowing that it was wide open to remote exploitation. I would have happily chucked it in the recycling without a moment’s hesitation. As for newer Wyze products that are supposedly safe, I’m skeptical enough that I won’t plug them in at all. Wyze owes its customers an apology.
Now Read:
