While clearly far from ideal, any product is susceptible to being hacked. Even something that is minimally cloud-dependent.
What’s egregious is Wyze’s apparent decision to conceal this from their users for three years - especially those with V1 cameras.
Sounds like the security firm that found the exploit could’ve sounded an alarm sooner too.
it requires the hacker to first be connected to the same network as the camera.
if you have a hacker connecting to your home network, you have bigger issues
How would you know if you had hackers connected to your network? Is there anything that could have been done on the user end to prevent that from happening?
unless you are opening port 80 (needed for this hacked access) on your wifi network specifically or have no wifi security, most likely no one is on your home network.
As @kahn-hubitat mentioned, as long as you’re using a password on your wifi network and you don’t take certain steps to allow devices on your LAN to be accessed directly from the internet (like port forwarding), your router’s job is to prevent random people from accessing your LAN. More specifically the firewall in your router.
It’s still possible that other vulnerabilities could cause a device on your LAN to become compromised remotely. But from what we have heard of this one, the camera is vulnerable only if a bad actor has already accessed your LAN through some other means.
Regardless of how dangerous this vulnerability is, the lack of disclosure is very troubling. Do they withhold information on issues as a general practice and this is one example? This certainly could be seen as confirming that they do. Responsible and reasonably expected communication did not happen.
correct their bad.. but i would not jump thru hoops and throw away all their cameras because of this.. just my opinion.. if you are using any cloud cameras like these you already assume a great deal of risk.. I would be more worried about your clips stored online being compromised than someone hacked into your home net..
Very true...these devices come w/known risks, and deciding how to react (to the general issue of trust of the company) is something each person has to figure out.
I have Ring cams, but I only use them outside except for one special-purpose cam, and I'm just not concerned about outside access, if anyone wants to watch me gardening they are welcome to it. Keeping them outside is my generic "Don't trust cloud devices" security mitigation. The one internal cam I do have is focused tightly on my dogs' bed, camera is off when I'm home, on when I'm away. Only thing it can see is their bed. If someone wants to watch them sleep, go for it. They are darn cute!
I am sure that if I had Wyze cameras they would be gone very soon. Talk is cheap, since I'm not currently using them, but I do think that's what I would do, I can afford the change, and would not feel that I could trust Wyze to do their part to protect me.
I wouldn't tell anyone else they had to or should do that of course. I realize people at Wyze (or any company) need to have some space to make honest mistakes, but the duration of their fault (three years!) is too much for me to accept as a random error or momentary failing.
I did. I took them out a few years ago when there were reports of them contacting servers in China. Didn't feel comfortable with that happening, even though Wyze had a reasonable explanation at the time.
Agreed, that’s the most disappointing part of the story, IMO. Bad things happen, even mistakes. Nobody’s perfect. But if the response includes obfuscating and trying to brush it under a rug, not cool.
I’ve never had a need to purchase any Wyze stuff, and now based on this incident, I probably won’t in the future.
I'm using Fing (app, not box) that will tell you of any new devices joining your network.
I guess you really can't win here. Even if you have a good admin password on your router, and have your wifi using security, if your camera clips are stored in the cloud who really knows who has access to them.
Yup. The cloud is really just someone else’s computer.
depending on your network setup, flashing the wyze cams with their RTSP firmware or dafang to enable RTSP, then disable its access out to the internet (through your router) and point it to something like zoneminder/blue iris is still a cheaper option than most other cameras. i'm sure this comment won't age well over time, but i still find value in the cameras.
should the company have disclosed the vulnerability? yea. why did they wait 3 years? it seems like they told wyze and that's why the v1 cameras were discontinued though, so at least some action was taken, but keeping the consumer in the dark is not cool