Wyze security cameras contain vulnerabilities that have not been fully patched in three years

It is important to note that by the time Wyze patched the first vulnerability in September 2019, Wyze had stopped selling the Wyze Cam V1 and only offered the Wyze Cam Pan V1 and Wyze Cam V2. At the time it patched the second vulnerability in November 2020, the company also sold the Wyze Cam V3. The company launched the Wyze Cam Pan V2 in September 2021.

“Wyze claims to ‘place immense value on our users’ trust in us,’ but the end of this three-year debacle suggests otherwise,” says Jonathan Schwantes, senior policy adviser for Consumer Reports. “It’s a classic case of too little, too late. The good news is that newer versions of their security cameras have fixed the vulnerability. If Wyze is serious about security issues, it will provide these upgraded versions for free to consumers who own the camera V1.”

When Wyze announced that it would end support for the Wyze Cam V1 in January 2022 (it stopped selling the camera in March 2018), it offered affected customers a $3 discount on a new Wyze Cam and gave them about a week’s notice before support ended. That goes against Wyze’s End of Life Policy, which states that it will provide “bug fixes, maintenance releases, workarounds, or fixes for critical bugs” for one year after the product’s end-of-life date is announced.

We reached out to Bitdefender and Wyze to ask about the vulnerabilities and the long delay in disclosing and fixing them.

“From our point of view, our visibility was limited to what Wyze could do about it at the time, having had no contact,” explains Dan Berte, director of IoT security at Bitdefender. “We’ve decided not to post until we can reach them and make sure there’s a fix. When the vendor finally responded, we granted more time for fixes based on a compelling case [that] Wyze could address them.”

Wyze did not answer our questions and instead pointed to its public statement, which reads: “You might be wondering, ‘Why am I hearing about this now?’ Both Bitdefender and Wyze take the security of affected users seriously. Knowing that we are actively working on risk mitigation and patching updates, we have come to the conclusion together that it is safest to be cautious on details until the vulnerabilities are fixed.”

The statement also offers a reason why it did not disclose the issues that prompted it to end support for Wyze Cam V1: “risk to all of our affected users on affected models. We strongly suggest our customers stop using EOL products as security updates and other reviews are no longer provided, and we continue to urge Wyze Cam V1 owners to stop using these products.”

This isn’t the first time Wyze has faced security issues. The company suffered a data breach in December 2019, which exposed data from 2.4 million Wyze customers.

For more information on protecting your home security cameras, see our guide to preventing security cameras from being hacked.
