Tech
It took Wyze years to fix galling flaws in their home cameras
Bitdefender says the company knew about flaws that allowed hackers to access cameras since March 2019, but didn’t do anything about it until this year.
So much for keeping us safe. Bitdefender recently put out a research paper showing that Wyze’s home security cameras have had some major security flaws in them for a while.
The Bitdefender whitepaper detailed three main vulnerabilities that allowed hackers to control the camera remotely, letting them turn it on and off, disable recording, and even access the contents of the SD card. At least the live audio and video feed was encrypted, so hackers wouldn’t be able to watch you in your home in real time. The worst part about this is that Wyze knew about this for nearly three years since Bitdefender’s disclosure timeline said they contacted Wyze twice in March 2019.
According to Bitdefender’s timeline, Wyze fixed the vulnerability that lets outside attackers bypass the login and to use the camera remotely in September 2019. It was only in November 2020 that Wyze actually acknowledged receipt of Bitdefender’s reports. As for fixing the security flaw that let hackers access the SD card, Wyze corrected this serious mistake in January 2022 with a firmware update. That’s right, nearly three years after Wyze was first informed of this.
V1 still vulnerable — Wyze’s cybersecurity team told Bleeping Computer that they worked with Bitdefender to patch these security issues in their “supported products.” But as Bitdefender wrote in its paper, only Wyze’s Cam v2 and v3 have been patched against the unauthenticated remote access to the SD card, and not the Wyze Cam v1.
Wyze retired the Wyze Cam v1 in February 2022, saying it could “no longer support a necessary security update.” So there are still some first edition Wyze security cameras out there that still have this vulnerability on it, with no hopes for a fix since it’s discontinued. There’s also the worry that some customers with the Wyze Cam v2 or v3 just never updated their devices, leaving them still vulnerable.
Unwise actions — The Verge also asked Bitdefender why it took them three years to release their findings, to which they responded that they didn’t want to put a lot of people at risk. But it’s hardly Bitdefender’s fault for Wyze’s vulnerability issues and its lack of transparency surrounding it. This isn’t Wyze’s first time leaving its customers vulnerable since it had a huge data breach affecting 2.4 million customers in December 2019.
While the more recent Wyze security cams have been updated, the way they handled this whole security debacle is a bad look. Security issues are bound to crop up in any connected product, and the least companies can do is be transparent about them.
