Wyze Left Security Cameras Open to Hacking for Three Years

Wyze has made its name offering capable home security products for startlingly low prices. Whereas you might pay $200 for a Google Nest security camera, Wyze offers devices that are almost as good for literally one-tenth the price. It turns out that $20 security camera on your shelf might not be such a good deal. A new disclosure from security firm Bitdefender reveals that Wyze’s cameras had a major security vulnerability that could allow an attacker to remotely access your video, and that Wyze has known about it for three years. Plus, the Wyze V1 is still broken and will not be fixed. It almost goes without saying, but if you’ve got a Wyze V1 around, get rid of it.

Unlike Google, Ring, or the other makers of popular security cameras, Wyze does not make its own hardware. It re-badges products from China with new firmware and app support. It offers cheap security cameras, but also robot vacuums, headphones, smart scales, smartwatches, and more. They’re all priced below competing products and generally are not quite as good. But hey, a $20 security camera? Wyze sold a boatload of them.

The issue lies in how the cameras use their internal microSD card storage. The camera creates a symlink in the www directory, giving the webserver direct access to the videos stored on the camera so you can stream them to your app. However, Wyze implemented no access restrictions in this system, and that means an attacker can use a pair of vulnerabilities to collect the UID (unique identification number) and the ENR (AES encryption key). At that point, they can access your camera as if they were you.

Wyze’s response to this was insufficient. It quietly discontinued the V1 camera early this year, and it patched the newer versions. It said that continuing to use the original cam carried “increased risk.” It didn’t say anything about the risk of using it for the last three years with a gaping security hole. The newer V2 and V3 cameras were patched to block the exploit.

We’re used to security flaws being patched and/or disclosed in relatively short order, usually measured in weeks or months. But three years? Bitdefender initially reached out to Wyze in March 2019, and it didn’t hear back until November 2020. According to The Verge, Bitdefender gave Wyze some leeway because of the severity of the bug and Wyze’s slow progress toward fixing it. Wyze didn’t even have a security framework in place to address bugs like this until 2021.

But at the end of the day, this is a $20 security camera — not a major investment. It’s one that I have actually used in the past, and I would have appreciated knowing that it was wide open to remote exploitation. I would have happily chucked it in the recycling without a moment’s hesitation. As for newer Wyze products that are supposedly safe, I’m skeptical enough that I won’t plug them in at all. Wyze owes its customers an apology.
