this post was submitted on 19 Sep 2023
679 points (98.0% liked)


After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we've made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-A. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

  • Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
  • Describe the issue in detail and state precisely who was affected (and who wasn’t).
  • Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
  • Follow up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

[–] NevermindNoMind@lemmy.world 214 points 1 year ago (6 children)

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room.

Call me paranoid, but I don't want a company I don't trust plugged into my network at all.

[–] Nesola@lemmy.world 83 points 1 year ago (1 children)

I don’t consider this „paranoid“ at all.

[–] A_Random_Idiot@lemmy.world 14 points 1 year ago

Sadly, there are a lot of people who only care about immediate gratification that would call that paranoid.

[–] krayj@sh.itjust.works 34 points 1 year ago

No, you're not paranoid. I'd call it diligent.

The premise of the statement you quoted is faulty to the core. A device internal to your home network knows a lot about the design of your home network and it knows a lot about the other devices on your network, and it can be used to facilitate/relay malicious access to your other devices if it becomes compromised.

Wyze has always struggled with security problems...and I'll admit that I do have several Wyze cameras...but long ago decided their security was not trustworthy and created an entirely new virtual LAN to run just my IoT stuff from. That, at least, reduces the exposure for some of their security issues. I certainly would never have interior cameras built by Wyze - that's too risky even with robust network security on my side of it.
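The separate-VLAN setup this comment describes comes down to one firewall policy: the IoT segment may answer the trusted LAN and reach its cloud services, but may never open a connection toward the trusted LAN or the router itself. Below is an added nftables ruleset illustrating that policy (example written for this thread, not the commenter's configuration); the interface names `lan0`, `iot0`, `wan0` and the subnets in the comments are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example for a router with three interfaces (all names assumed):
#   lan0 = trusted LAN  (e.g. 192.168.1.0/24)
#   iot0 = IoT VLAN     (e.g. 192.168.50.0/24, cameras and bulbs live here)
#   wan0 = upstream link
# Policy: trusted hosts may talk to IoT devices, IoT devices may reach the
# internet, and IoT devices may never initiate traffic into the trusted LAN.

flush ruleset

table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted by the rules below.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN opens connections to cameras/bulbs (viewing, setup).
        iifname "lan0" oifname "iot0" accept

        # Trusted LAN reaches the internet.
        iifname "lan0" oifname "wan0" accept

        # IoT devices reach the internet (cloud service, firmware updates).
        iifname "iot0" oifname "wan0" accept

        # IoT devices must not start connections into the trusted LAN.
        # Logged so a compromised device scanning the LAN is visible.
        iifname "iot0" oifname "lan0" log prefix "iot->lan blocked: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The router only serves DHCP and DNS to the IoT VLAN.
        iifname "iot0" udp dport { 53, 67 } accept
        iifname "iot0" tcp dport 53 accept

        # Router management (SSH, web UI) is reachable from the trusted LAN only.
        iifname "lan0" accept

        # Any other IoT-to-router traffic is logged and dropped.
        iifname "iot0" log prefix "iot->router blocked: " drop
    }
}
```

Cameras that are only ever viewed locally can be locked down further by dropping the `iot0` to `wan0` rule as well, which also removes the cloud portal as an exposure path.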

[–] SatyrSack@lemmy.one 14 points 1 year ago* (last edited 1 year ago) (3 children)

They'll be able to flash Morse code at you

`-... . / ... ..- .-. . / - --- / -.. .-. .. -. -.- / -.-- --- ..- .-. / --- ...- .- .-.. - .. -. .`

[–] SkaveRat@discuss.tchncs.de 26 points 1 year ago (2 children)

you laugh, but you can exfiltrate data out of airgapped systems by flashing lights

[–] ChunkMcHorkle@lemmy.world 16 points 1 year ago

He wasn't laughing, he was overcome with a sudden craving for Ovaltine. He'll be with you in a moment.

[–] socsa@lemmy.ml 2 points 1 year ago

And playing music!

[–] kescusay@lemmy.world 9 points 1 year ago* (last edited 1 year ago)

~~I tried translating that, but Lemmy formatting has borked it. The first three words are "BE SURE TO" but the rest is not translatable.~~

Never mind, I got it. And yes, I drink it every day. :)

[–] elscallr@lemmy.world 2 points 1 year ago

They could also exfiltrate your information from inside your network and turn into ping flooding zombies

[–] Rediphile@lemmy.ca 8 points 1 year ago (3 children)

Me neither. But building an entirely off-site video monitoring server is a bit over my head. So I just use cameras like this when I'm not home.

[–] Chickenstalker@lemmy.world 16 points 1 year ago (1 children)

Any security system hosted in the cloud is inherently insecure or at the very least a privacy nightmare. Invest in being friendly with neighbours.

[–] gamer@lemm.ee 4 points 1 year ago (1 children)

Switch to Unifi. It's enterprise-grade hardware and high quality software at consumer prices. If you know networking, you can set them up without connecting them to the internet while still being able to access them outside your network. If not, you can just use their free web portal to access your cameras. It's probably easier than Wyze, and it's certainly more secure.

I don't normally like to shill brands on the internet, but for these people I make an exception.

[–] olympicyes@lemmy.world 1 points 1 year ago (1 children)

I also use Unifi but it’s worth mentioning that Unifi Protect (current offering) requires an online Unifi account and a Unifi DVR, whereas the older Unifi Video required a local account and could be run on your own hardware. I like that my videos are not stored in the cloud, but I don’t know enough about how Unifi handles security to confirm that they couldn’t allow another user to stream video off your hardware directly. I’m not too concerned about the risk because I just use these for my front yard and it’s pretty convenient.

[–] gamer@lemm.ee 2 points 1 year ago (1 children)

Are you sure? I currently have an online account (because it was easier to give other people access and I too only have these watching my yard), but I remember when I first set it up in my home I was using a local account created in the DVR's portal (a Cloudkey Gen 2). The web portal is hosted on the cloudkey, you can access it via any web browser, and the cameras will record to it without an internet connection.

I could've sworn you could host the camera server without a Unifi DVR, but apparently not. The network stuff can be though. I guess that's important to keep in mind, although I'd be surprised if they removed the ability to use the DVR without an online account.

[–] olympicyes@lemmy.world 2 points 1 year ago

I know there was an issue a while ago that you couldn’t connect directly to your cameras using iOS via the LAN. It had to go online. I remember now a hastily rolled out patch in response to a data breach. So to answer your question, I’m not 100% sure. I use my cameras like you do but this is an important topic for someone who doesn’t want their system online in any capacity.

Shouldn't be that difficult with open source stuff. I've never felt the need but I'm sure there's some near turn-key stuff you can use with Home Assistant or OpenHAB.

[–] sadreality@kbin.social 6 points 1 year ago* (last edited 1 year ago)

Imagine a world where an adult person who has self-respect feels the need to couch his reasonable position like this...

People are too willing to place shoddy spyware in their houses. I don't understand how we got here, I guess cell phones?

[–] Klystron@sh.itjust.works 0 points 1 year ago

Hi paranoid, I'm dad.