If you have a Wyze security camera, my suggestion would be to rip it out of the wall and throw it in the nearest trashcan. For the past three years, a glaring security vulnerability has sat festering in the company’s V1, V2, and V3 internet-connected cameras — the likes of which would have allowed hackers to access stored video on the devices and watch what was going on. The company apparently knew about this the entire time and was very slow in making moves to patch it. They also neglected to tell anybody.
News of this whole disaster originally broke on Tuesday, when cybersecurity firm Bitdefender published a blog and a white paper revealing the security issue. The flaw, which currently has no official designation, would have allowed a hacker to gain unauthenticated remote access to the contents of a Wyze camera’s SD card. This means that an intruder could quite easily see the video stored inside and even potentially download it. Given that lots of people use these cameras inside their homes as well as externally, the privacy risks inherent in the products are quite disturbing.
Worse still, Bitdefender’s paper reveals that the vulnerability was originally discovered and reported to Wyze back in March of 2019. Bitdefender has also revealed two other previously undisclosed vulnerabilities that had troubled the camera line, an authentication bypass flaw tracked officially as CVE-2019-9564, and a remote code execution vulnerability, CVE-2019-12266. The bugs were patched in previous firmware updates in September 24, 2019 and November 9, 2020, respectively.
Wyze finally issued patches for the SD card vulnerability in a January 29th update, the likes of which fixed the issue for its V2 and V3 cameras. However, Wyze stopped supporting its V1 camera in February, meaning that no more security updates are possible for those cameras and they will always be vulnerable to this uniquely intrusive security risk. Indeed, it appears that the company actually retired the V1 because “hardware limitations” prevented it from effectively issuing a security update to patch these vulnerabilities.
At the time of the V1’s retirement, the company issued a vague warning about how using the outmoded product could lead to an “increased risk,” but didn’t specifically mention anything about a known security concern that could allow hackers to hijack the product’s video feed. That might have been good to know.
The Verge has questioned Bitdefender’s decision not to disclose the security issues earlier. The company’s disclosure timeline provided in its white paper clearly shows that it quite consistently attempted to get Wyze to heed its warnings about the security flaw. But if Bitdefender understood these serious consumer risks for three years, why wait around for Wyze to get on the same page if the company seemed unresponsive? We reached out to the security company for a better understanding of this and will update our story if they respond.
When reached for comment, a Wyze representative reiterated to Gizmodo that the problem areas had been patched. The representative also provided us with a statement. It reads, in part:
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously. We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.
Here at Gizmodo, we’ve actually written about the Wyze cameras a little bit. The cameras had a reputation for being a cheaper but effective alternative to more well-known home security brands like Nest. But those selling points probably have little appeal now. In short: it’s hard to imagine how customers are supposed to trust Wyze now and, for a security company, trust is pretty much everything.