I just tossed my Wyze security cameras in the trash. I’m done with this business.
I just learned that for the past three years Wyze has been fully aware of a vulnerability in its home security cameras that allowed hackers to look into your home over the internet, but chose to sweep it under the rug. And the security company that found the vulnerability largely let them do it.
Instead of patching it, instead of recalling it, instead of just, you know, saying something so I wouldn’t point these cameras at my kids anymore, Wyze decided in January to discontinue the WyzeCam v1 without a full explanation. But on Tuesday, security research firm Bitdefender finally shed light on why Wyze stopped selling it: because someone could access your camera’s SD card over the internet, steal the encryption key, and start viewing and downloading the video feed.
Nowhere does Wyze say such a thing to customers like me. Not when it discontinued the camera, not in the three years since Bitdefender brought it to Wyze’s attention in March 2019, and possibly never: Wyze spokesperson Kyle Christensen told me that as far as the company is concerned, it has already been transparent with its customers and has “fully corrected” the problem. But Wyze only corrected it for newer versions of the WyzeCam, and even then it didn’t finish patching the v2 and v3 until January 29, 2022, according to BleepingComputer.
As for transparency, the most I’ve seen Wyze tell customers was that “Your continued use of the WyzeCam after February 1, 2022 carries an increased risk, is discouraged by Wyze and is entirely at your own risk.” It also sometimes sends vague emails like this to its customers, which I used to appreciate, but now question in hindsight:
When I read those words about “increased risk” in our post about the WyzeCam v1 discontinuation, I remember thinking it just referred to future security updates — not a major vulnerability that already existed.
Here’s another question, though: why on earth wouldn’t Bitdefender disclose this for three years when it could have forced Wyze’s hand?
According to its security research disclosure timeline (PDF), it contacted Wyze in March 2019 and didn’t even get a reply until November 2020, one year and eight months later. Still, Bitdefender chose to remain silent until yesterday.
In case you’re wondering, no, that’s not normal in the security community. While experts tell me that the concept of a “responsible disclosure timeline” is a bit outdated and highly dependent on the situation, we generally measure it in days, not years. “Most researchers have a policy of making public disclosures within 30 days if they try in good faith to reach a vendor and get no response,” Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tells me.
“Even the US government has a standard disclosure deadline of 45 days to prevent vendors from burying bug reports and never fixing them,” writes Katie Moussouris, founder and CEO of Luta Security and co-author of the ISO International Standards for Vulnerability Disclosure and Vulnerability Handling.
I asked Bitdefender about this, and PR director Steve Fiore had an explanation, but it doesn’t sit right with me. Here it is in full:
Our findings were so serious that, regardless of our usual policy of 90-day-with-grace-period extensions, our decision was that publishing this report without Wyze’s acknowledgment and restriction would potentially expose millions of customers with unknown implications. Mainly because the vendor did not have a security process / framework (known to us). Wyze even implemented one last year as a result of our findings (https://www.wyze.com/pages/security-report).
For the same reason, we have postponed the publication of reports (iBaby Monitor M6S cameras) for an extended period of time. The impact of making the findings public, coupled with our lack of information about the supplier’s ability to address the impact, dictated our wait.
We understand this isn’t necessarily common among other researchers, but making the findings public before the vendor provides patches would have put many people at risk. So when Wyze finally communicated and gave us credible information about their ability to address the reported issues, we decided to give them time and allow them to delay.
Sometimes it makes sense to wait. The two experts I spoke to, Moussouris and Stamos, independently raised the infamous Meltdown CPU vulnerabilities as an example of where it was difficult to balance security and disclosure – due to the number of people who were affected, how deeply embedded the chips were, and how difficult they were to fix.
But a $20 consumer smart home camera that just sits on my shelf? If Bitdefender had issued a press release two years ago saying that Wyze had a bug it wouldn’t fix, it would have been damn easy to stop using that camera and buy a different one instead. “There is an easy mitigation strategy for affected customers,” Stamos says.
The iBaby Monitor example Bitdefender brings up is also a bit ironic – because there, Bitdefender actually did compel a company to act. When Bitdefender and PCMag revealed that the baby monitor company hadn’t patched its vulnerability, the resulting bad publicity forced it to fix the flaw just three days later.
Days, not years.
Now if you’ll excuse me, I have to say goodbye to those Wyze earbuds I used to like, because I’m seriously done with Wyze. I was willing to write off the company’s disastrous leak of 2.4 million customers’ data as a mistake, but it doesn’t look like the company merely made a mistake here. If these flaws were bad enough for the camera to be discontinued in 2022, customers deserved to know in 2019.