Wyze cameras are cheap and surprisingly good at what they do, but security has become a concern of late. In February 2022, a report emerged that cybersecurity firm Bitdefender had notified Wyze about a vulnerability in its cameras that could allow attackers to view a live video feed from unsuspecting users, yet the company was slow to respond,taking nearly three yearsbefore closing the security loophole. Now, it seems Wyze has found itself in a similar situation after an outage this past weekend.
4 tips to keep your smart home cameras from exposing sensitive data
Make sure no one will look in your living room but you
In an email sent out to Wyze users today, the company explains that it suffered an outage on Friday, February 16, when a problem with AWS interrupted service for a few hours (viaThe Verge). As the company worked to quickly restore the ability to view live camera feeds and receive event notifications, there was a period of time when a small percentage of users received event notifications from Wyze cameras that weren’t their own.
Wyze says roughly 13,000 customers received someone else’s event notifications, and of those, 1,504 users interacted with the alerts. In some cases, these users were simply shown a photo of the event’s thumbnail, but in others, the event video was seen. Wyze says 99.75% of customers were unaffected by this security glitch, but those who were have been notified.
We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected.
The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.
To make sure this doesn’t happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.
Multiple Android Police staff members received the email this afternoon, but were all among the unaffected user group. The most relevant part of the email is included above, which also outlines the details of the “security incident” and the steps Wyze is taking to prevent recurrence. The company mentions adding a new layer of verification, but this appears to be on the backend, as nothing with the login process on the web or in the Android app appears to have changed for end-users.
While it’s nice to see that Wyze is being transparent about this incident, and it appears the company acted fast to remedy this issue, security problems like this will be a turnoff to prospective customers looking for peace of mind and home security. Thankfully, Wyze isn’t the only low-cost option, and there are plenty ofhome security camerasto choose from these days.
