It’s time to treat your home security cameras as compromised
At the end of March, Bitdefender, one of the leading cybersecurity research companies, released a damning report on Wyze, one of the leading security brands in the market. The charge: a flaw which allowed, among other things, unauthorized access to images stored in its wildly popular Wyze Cam v1 – a market-shaking device that sold over a million units – and which Wyze failed to fix or alert users to for nearly three years.
Wyze – and, frankly, Bitdefender, which informed Wyze of the issue in 2019 – both deserve criticism for not disclosing such a vulnerability for so long. A Bitdefender representative told me that they chose not to publish the flaw until Wyze responded to the notification “to avoid publishing a zero-day that could impact millions of people.” Once Wyze responded, Bitdefender paused the release while the company worked on a fix. Wyze provided a similar reasoning for withholding customer information in its blog post on the Bitdefender report. Yet for non-essential devices like $20 smart cameras, the customer’s right to know their exposure outweighs the impulse to minimize the damage from the vulnerability – the simple act of stopping use of the device is an easy choice for many customers, after all. In short, Bitdefender should have publicly disclosed the issue years ago.
But this controversy is not the first of its kind, and it will not be the last. Companies from major security brands to tech upstarts have recently landed in hot water when private streams and pictures turned out to be less private than advertised.
In our rapidly changing technological world, we need to change the way we think about home security cameras. As we should have learned years ago with social media, what we assume to be private can all too easily become public. With so many examples at hand, it’s time to treat all home security cameras as compromised, if only to preserve our privacy when some inevitably are.
What Wyze did
Wyze Labs shook up the home security market in 2017 when it announced a smart camera that cost just $20. The rest of the industry quickly followed Wyze’s lead, with other ultra-affordable brands arising. By 2020, as CNET noted, the era of the $200 home security camera was over.
Bitdefender notified Wyze of three security vulnerabilities in 2019, one of which would allow hackers to access video files stored on the SD card. Wyze immediately began fixing issues on its other cameras and seemed to imply in a recent blog post that the fix was a direct response to the report. However, Wyze didn’t officially acknowledge receipt of the report until late 2020, more than a year and a half after Bitdefender sent it.
Wyze continued to work with Bitdefender until 2022, but found that it could not patch the Wyze Cam v1 due to the device’s limited memory. As a result, the company has launched end-of-life procedures for the camera, alerting users via email to its failure to provide a necessary security update to the device. Wyze didn’t completely block the camera, but the company advised customers to stop using it and announced that it would no longer receive updates.
It’s worth pointing out that the Wyze Cam’s vulnerabilities aren’t the worst possible. They do not provide access to credentials, for example, which would allow hackers to compile directories of user information for sale or for use in web-crawling businesses – looking for bank accounts or other high-value accounts where Wyze customers have reused their passwords.
Additionally, hackers would need to gain access to your home network before they can access your Wyze Cam’s SD card through this vulnerability. This likely means that very few Wyze clients were hacked, as this would require a very targeted approach.
But the vulnerability is still serious. Many people share networks with roommates, suite partners, and even neighbors. Although such a practice is not recommended, it is quite common. And that means anyone on the network can see video files that should have been better protected.
The bigger problem, however, is broader: Wyze and Bitdefender agreed on an unusually slow timeframe for disclosing the vulnerability – and ultimately it shouldn’t be their decision what customers can find out about whether their devices are completely safe. Wyze might want to hide this information for commercial gain, but Bitdefender should have made it public – or at the very least, given Wyze a stricter deadline to fix or disclose the vulnerability itself.
The bigger picture
Camera hacks happen for several reasons, the main one being that internet-connected cameras are often quite insecure. Web crawlers are designed to search online for smart cameras with common passwords (or none) and post their feeds publicly – and the results are sometimes frightening.
Even if the cameras are not hacked, they can be compromised in other ways. In 2020, ADT revealed that hundreds of customers in Texas had been victimized by a digital voyeur; in this case, an ADT technician who had simply left his own email on each of the accounts in order to freely access the feeds from the cameras he had installed.
Amazon’s security brand, Ring, also came under fire for its partnerships with the police, which, among other things, facilitated the sharing with local authorities of video doorbell footage of constitutionally protected activities, such as protests.
Each of these cases is certainly unique. But each also reminds us that internet-connected cameras are changing the calculus of public and private life. The cameras challenge our presumptions of privacy. Even the password-protected, two-factor authenticated home security camera can be compromised – and unless you’re a network security expert yourself, you’re trusting the developer to have good security practices and be transparent about discovered vulnerabilities, which Wyze has demonstrated is not a given.
The takeaway? Of course, get rid of Wyze cameras if you don’t trust them. That’s a perfectly fair answer.
But also, don’t use internet-connected security cameras inside your home in general – or at least not in places you wouldn’t want to make public. The standard we adopt for social media – that everything we post should be considered public – should be extended at this point to home security cameras: wherever we point them, whatever they capture could eventually be released where it should not be.