What you need to know
- Wyze's security camera line was susceptible to hacking for years.
- The company knew about the major security flaw, but it didn't tell customers.
- Wyze only ended support for some of the affected cameras since it couldn't roll out a fix due to hardware limitations.
If you're still using a Wyze Cam v1 right now, it's probably a good idea to stop using the security camera immediately. It appears that a major vulnerability allowed intruders to access your stored videos or watch you in secret, and Wyze didn't inform customers in the three years since it first learned about the security flaw.
Bitdefender (opens in new tab) has revealed that it discovered a vulnerability in Wyze's Cam security camera line in March 2019 and notified the company about it (via The Verge (opens in new tab)). However, Wyze failed to respond until November 2020.
"While looking into the Wyze Cam device, we identified several vulnerabilities that let an outside attacker access the camera feed or execute malicious code to further compromise the device," Bitdefender said.
Wyze said in a blog post (opens in new tab) that the scope of the flaw is limited since a hacker would first need to gain access to your home Wi-Fi before they can view the camera's stored videos.
"We first would like to let our users know that these vulnerabilities required some form of local network access," Wyze explained. "So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely."
Fortunately for owners of Wyze's best indoor security cameras (opens in new tab), including the Cam v2 and v3, a patch was released in late January (opens in new tab), as per Bleeping Computer (opens in new tab). But this also means the company was slow in taking steps to fix the flaw. For the past three years, Wyze's Cam v1, v2, and v3 cameras have been susceptible to hackers.
However, the Cam v1 was left out in the cold, with Wyze simply ending support for it in February since that particular model "couldn’t support the necessary security updates" due to its limited memory. While the issue has been patched for newer models, Wyze never informed customers about the nature of the security flaw, keeping them in the dark.
"Bitdefender and Wyze both take the safety of affected users seriously," Wyze said in its blog. "Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed."
It's unclear whether the flaw was exploited, but it would have given intruders access to the contents of your camera's SD card.
The Verge also raised questions about Bitdefender's late disclosure. Its PR director, Steve Fiore, told the news outlet that "disclosing the findings before having the vendor provide patches would have put a lot people at risk."
However, it's not typical for security researchers to wait three years before disclosing vulnerabilities.
