Wyze Didn't Completely Fix Flaws in Security Cameras for 3 Years
Manufacturer faulted for slow response and lack of transparency to customers
Cybersecurity firm Bitdefender published a report (PDF) this week detailing three security vulnerabilities it found in Wyze security cameras, leading to a flurry of criticism around both the cybersecurity firm and the manufacturer.
While Wyze finished patching the vulnerabilities in January 2022, both Bitdefender and Wyze have been criticized for their handling of the findings, as Bitdefender initially alerted Wyze to the vulnerabilities three years ago in March 2019. In addition to making security software, Bitdefender has a research arm that tests products for vulnerabilities.
The first vulnerability allows hackers to bypass the account log-in process and access users’ cameras. The second allows hackers to run their own software code on exposed cameras. And the third allows hackers to access saved footage on cameras that use an SD card. (Wyze also offers cloud video storage.)
According to Wyze’s public statement on the findings, all the vulnerabilities would require hackers to have access to the home’s WiFi network.
While Wyze has patched all the other vulnerabilities, the company was unable to patch the SD card vulnerability in the Wyze Cam V1 because of hardware limitations. As a result, Wyze ended support for the camera in February 2022 and advised its customers to stop using the camera, but at the time it did not specify what issue it was unable to patch or how serious it was.
To better understand Bitdefender and Wyze’s actions, it’s important to understand how Bitdefender’s disclosure to Wyze played out over the past three years. Here’s a brief rundown based on Bitdefender’s report and Wyze’s statements.
- March 2019: Bitdefender sends its findings to Wyze but doesn’t receive a response after two attempts to reach the company.
- April 2019: Wyze releases updates for Wyze Cam V2 and Wyze Cam Pan V1 that reduce, but don’t eliminate, the risks of the SD card vulnerability.
- September 2019: Wyze releases an update for Wyze Cam V2 that fixes the account log-in bypass vulnerability.
- November 2020: Wyze updates its smartphone app to fix the vulnerability that allows hackers to run their own code on cameras and finally responds to Bitdefender.
- August and September 2021: Bitdefender follows up with Wyze on progress of fixes and informs the company of its plan to publish its findings.
- January 2022: Wyze releases firmware updates to patch the SD card vulnerability on all affected cameras except the Wyze Cam V1. It announces it will end support for the camera on Feb. 1, 2022, and advises owners to stop using it but does not disclose the issue it was unable to fix.
- March 2022: Bitdefender publishes its findings.
It’s important to note that at the time Wyze fixed the first vulnerability in September 2019, Wyze had stopped selling the Wyze Cam V1 and only offered the Wyze Cam Pan V1 and Wyze Cam V2. At the time it fixed the second vulnerability in November 2020, the company also sold the Wyze Cam V3. The company released the Wyze Cam Pan V2 in September 2021.
“Wyze claims to ‘put immense value in our users’ trust in us,’ but the end of this three-year debacle suggests otherwise,” says Jonathan Schwantes, senior policy counsel at Consumer Reports. “This is a classic case of too little, too late. The good news is that the newer versions of their security cameras have fixed the vulnerability. If Wyze truly takes security concerns seriously, it would provide those improved versions to consumers who own the V1 cam free of charge.”
When Wyze announced that it would end support for the Wyze Cam V1 in January 2022 (it stopped selling the camera in March 2018), it offered affected customers a $3 discount on a new Wyze Cam and gave them about one week’s notice that support would end. This goes against Wyze’s End-of-Life Policy, which states it will provide “bug fixes, maintenance releases, workarounds or patches for critical bugs” for one year after it announces the product’s end-of-life date.
We reached out to Bitdefender and Wyze to ask about the vulnerabilities and the long timeline for disclosing and fixing them.
“From our vantage point our visibility was limited to what Wyze could do about it at the time, having had no contact,” says Dan Berte, director of IoT security at Bitdefender. “We decided not to publish before we could reach them and make sure there’s a fix. When the vendor eventually replied, we allowed more time for patching based on a convincing case [that] Wyze could address them.”
Wyze did not answer our questions and instead pointed to its public statement, which says: “You might be wondering, ‘Why am I just hearing about this now?’ Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.”
The statement also offers a reason for why it didn’t disclose the issues that prompted it to end support for Wyze Cam V1: “For security reasons, we again chose to remain prudent about the specific reason why until now to limit the risk to all of our affected users across affected models. We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam V1 owners to discontinue the use of these products.”
This is not the first time Wyze has dealt with security issues. The company suffered a data breach in December 2019 that exposed the data of 2.4 million Wyze customers.
For more information on safeguarding your home security cameras, see our guide to preventing security cameras from getting hacked.