Wyze's poor response to security vulnerabilities

Given the lack of a good API for Wyze there are probably not many users here that have Wyze devices.

For those who do or those who are tempted by their very cheap price it’s worth noting their response when a very severe authentication bypass vulnerability was discovered. The tl;dr is it took them three years to fix it for some of their cameras (the original Wyze Cam will not be fixed, these should be considered abandoned). And even now they’ve never really disclosed to their users directly the nature and severity of the vulnerability.

For a company that sells home security services, this is really disappointing.

If you have any Wyze devices, especially a Wyze Cam V1, do not expose them to the internet. Consider replacing your Wyze Cam V1s.


I read that article on The Verge last week and found the response by Bitdefender interesting. Doesn’t strike me as fully honest about what happened, but I guess we’ll never know.

Bitdefender was stuck between a rock and a hard place. Releasing their report, even redacted, would have been enough to cause hackers to start looking and they would easily uncover it on their own and start exploiting it. So they would have been condemned for publishing before Wyze had a fix. But Wyze then screwed them over by taking their sweet time to address the problem. They were going to look like the bad guys no matter what.

They don’t get a full pass (from me), but I do understand how they were put into a hard position. I like Google’s Project Zero policy better. The vendor gets 90 days and then they publish. Better have it fixed before then. But waiting more than a year and a half before even replying to Bitdefender is completely unreasonable. They should have published after not hearing back from Wyze after a reasonable amount of time and let the chips fall where they may.

That’s how I feel, too. Good intentions, but they failed to put pressure on Wyze when that’s what needed to happen.