Wyze Left Security Cameras Open to Hacking for Three Years
Wyze has made its name offering capable home security products for startlingly low prices. Whereas you might pay $200 for a Google Nest security camera, Wyze offers devices that are almost as good for literally one-tenth the price. It turns out that $20 security camera on your shelf might not be such a good deal. A new disclosure from security firm Bitdefender reveals that the company’s cameras had a major security vulnerability that could allow an attacker to remotely access your video, and Wyze has known about it for three years. Plus, the Wyze V1 is still broken and will not be fixed. It almost goes without saying, but if you’ve got a Wyze V1 around, get rid of it.
Unlike Google, Ring, or the other makers of popular security cameras, Wyze does not make its own hardware. It re-badges products from China with new firmware and app support. It offers cheap security cameras, but also robot vacuums, headphones, smart scales, smartwatches, and more. They’re all priced below competing products and generally are not quite as good. But hey, a $20 security camera? Wyze sold a boatload of them.
The issue lies in how the cameras use their internal microSD card storage. The camera creates a symlink in the www directory, giving the webserver direct access to the videos stored on the camera so you can stream them to your app. However, Wyze implemented no access restrictions in this system, and that means an attacker can use a pair of vulnerabilities to collect the UID (unique identification number) and the ENR (AES encryption key). At that point, they can access your camera as if they were you.
Wyze’s response to this was insufficient. It quietly discontinued the V1 camera early this year, and it patched the newer versions. It said that continuing to use the original cam carried “increased risk.” It didn’t say anything about the risk of using it for the last three years with a gaping security hole. The newer V2 and V3 cameras were patched to block the exploit.
We’re used to security flaws being patched and/or disclosed in relatively short order, usually measured in weeks or months. But three years? Bitdefender initially reached out to Wyze in March 2019, and it didn’t hear back until November 2020. According to The Verge, Bitdefender gave Wyze some leeway because of the severity of the bug and Wyze’s slow progress toward fixing it. Wyze didn’t even have a security framework in place to address bugs like this until 2021.
But at the end of the day, this is a $20 security camera — not a major investment. It’s one that I have actually used in the past, and I would have appreciated knowing that it was wide open to remote exploitation. I would have happily chucked it in the recycling without a moment’s hesitation. As for newer Wyze products that are supposedly safe, I’m skeptical enough that I won’t plug them in at all. Wyze owes its customers an apology.
Continue reading
Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption
The Oculus Quest 2 is now available, and it's an improvement over the original in every way that matters. And yet, it's $100 less expensive than the last release. Having spent some time with the Quest 2, I believe we might look back on it as the headset that finally made VR accessible to mainstream consumers.
AMD Buys FPGA developer Xilinx in $35 Billion Deal
The deal, which we discussed earlier this month, will give AMD access to new markets that it hasn't previously played in, including FPGAs and artificial intelligence.
AMD’s New Radeon RX 6000 Series Is Optimized to Battle Ampere
AMD unveiled its RX 6000 series today. For the first time since it bought ATI in 2006, there will be some specific advantages to running AMD GPUs in AMD platforms.
VIA Technologies, Zhaoxin Strengthen x86 CPU Development Ties
VIA and Zhaoxin are deepening their strategic partnership with additional IP transfers, intended to accelerate long-term product development.