- Wyze Cam devices had a huge security flaw for years.
- The vulnerability allowed hackers to gain unauthorized access to Wyze’s home security cameras.
- The company knew about the problem and did nothing.
Update: March 31, 2022 (11:07 PM ET): Responding to the report about the vulnerability in its security cameras, Wyze has put out a blog post explaining its side of the story.
“We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities and worked directly with them to patch the security issues in our supported products before the public report,” the company notes.
Wyze goes on to say that for someone to access your camera feed they would need access to your local network. So, you would have had to expose your local network to either a hacker directly or the internet at large for these vulnerabilities to be exploitable remotely.
“We issued the first patch in the month following our notification, and over time we continued to mitigate the risk of these exploits with additional patches in the months that followed,” says Wyze.
It also has an explanation for why it didn’t tell its customers about the security flaw. However, it doesn’t address the fact that the fault was hidden from users for years. Here’s what Wyze had to say:
You might be wondering, “Why am I just hearing about this now?” Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.
Original article: March 31, 2022 (4:30 PM ET): If you own any of the Wyze Cam devices — the V1, V2, or V3 — someone could have easily watched you in secret and even downloaded the feed from the SD card of your camera. What’s worse? For three years, Wyze knew about the problem and chose not to acknowledge it, fix it, or even inform affected customers.
The software flaw in Wyze’s cameras was discovered by folks over at Bitdefender. The security research firm claims it informed Wyze about the problem in March 2019. However, the Seattle-based company failed to respond until November 2020. Two years later, in February 2022, Wyze discontinued the Wyze Cam V1, citing the camera’s inability to support a security update.
“Your continued use of the Wyze Cam v1 after February 1, 2022, carries increased risk, is discouraged by Wyze, and is entirely at your own risk,” the company said in an email to customers. However, it still didn’t disclose the fact that the cameras were essentially secret peepholes for hackers and that it knew about the issue. As Bleeping Computer notes, Wyze Cam owners might still be running a vulnerable firmware version.
Also see: The best security cameras you can get
When asked why it kept silent about such a massive security breach, Wyze spokesperson Kyle Christensen told The Verge that the company has been completely transparent with its customers. Christensen also said that the issue had been patched. However, the update that removes the vulnerability is only available for the Wyze Cam V2 and V3, released in 2018 and 2020, respectively.
According to Wyze’s Play Store listing, the company has over 5 million users. It also makes multiple other smart home security products such as video doorbells, motion sensors, and more. For a firm so vested in providing security solutions and services that apparently don’t rely on overseas servers, Wyze sure has its work cut out for it now that these findings are out in the open.
Meanwhile, If you are a Wyze user and are worried about the security of your camera, you can head to the company’s official portal to check for the latest firmware. If you have the Wyze Cam V1, you’re out of luck. It would be best if you stopped using the camera altogether.