“So violated”: Wyze cameras leak footage to strangers for 2nd time in 5 months


By Sedoso Feb



Wyze cameras experienced a glitch on Friday that gave 13,000 customers access to images and, in some cases, video, from Wyze cameras that didn’t belong to them. The company claims 99.75 percent of accounts weren’t affected, but for some, that revelation doesn’t eradicate feelings of “disgust” and concern.

Wyze claims that an outage on Friday left customers unable to view camera footage for hours. Wyze has blamed the outage on a problem with an undisclosed Amazon Web Services (AWS) partner but hasn’t provided details.

Monday morning, Wyze sent emails to customers, including those Wyze says weren’t affected, informing them that the outage led to 13,000 people being able to access data from strangers’ cameras, as reported by The Verge.

Per Wyze’s email:

We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. …

According to Wyze, while it was trying to bring cameras back online from Friday’s outage, users reported seeing thumbnails and Event Videos that weren’t from their own cameras. Wyze’s emails added:

The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

In response to customers reporting that they were viewing images from strangers’ cameras, Wyze said it blocked customers from using the Events tab, then required an additional verification layer to access the Wyze app’s Event Video section. Wyze co-founder and CMO David Crosby also said Wyze logged out people who had used the Wyze app on Friday in order to reset tokens.

Wyze’s emails also said the company modified its system “to bypass caching for checks on user-device relationships until [it identifies] new client libraries that are thoroughly stress tested for extreme events” like the one that occurred on Friday.
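
The failure mode and mitigation Wyze describes, as an added illustration that is not Wyze's code or part of the original article: an access decision that trusts a cached device-to-owner mapping, next to one that checks the authoritative record, plus an audit that flags cache entries disagreeing with it. All class names, IDs and the simulated cache fault are constructed assumptions.

```python
# Added illustration. Names, IDs and the cache fault are constructed, not Wyze's code.

class OwnershipStore:
    """Authoritative device -> owner record (stands in for the primary database)."""
    def __init__(self, owners):
        self._owners = dict(owners)

    def owner_of(self, device_id):
        return self._owners.get(device_id)


class FaultyCache:
    """Cache client that, for some keys, returns the value stored under another key."""
    def __init__(self, entries, crossed):
        self._entries = dict(entries)
        self._crossed = dict(crossed)  # requested key -> key actually read

    def get(self, device_id):
        return self._entries.get(self._crossed.get(device_id, device_id))


def fetch_event_cached(cache, user_id, device_id):
    """Weak: the access decision trusts whatever owner the cache returns."""
    return f"thumbnail:{device_id}" if cache.get(device_id) == user_id else None


def fetch_event_verified(store, user_id, device_id):
    """Hardened: the user-device check bypasses the cache and reads the store."""
    return f"thumbnail:{device_id}" if store.owner_of(device_id) == user_id else None


def audit_cache(cache, store, device_ids):
    """Detection: list devices whose cached owner disagrees with the store."""
    return [d for d in device_ids if cache.get(d) != store.owner_of(d)]


OWNERS = {"cam-A": "alice", "cam-B": "bob"}   # constructed sample data
STORE = OwnershipStore(OWNERS)
CACHE = FaultyCache(OWNERS, crossed={"cam-B": "cam-A"})  # simulated mix-up

if __name__ == "__main__":
    print(fetch_event_cached(CACHE, "alice", "cam-B"))    # stranger's thumbnail served
    print(fetch_event_verified(STORE, "alice", "cam-B"))  # request denied
    print(audit_cache(CACHE, STORE, sorted(OWNERS)))      # mismatched devices
```
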

Frustrated customers

This is the second time that something like this has happened to Wyze customers in five months. In September, some Wyze users reported seeing feeds of cameras that they didn’t own via Wyze’s online viewer. Wyze claimed that for 40 minutes, as many as 2,300 people who were logged in to the online viewer may have been able to see 10 strangers’ feeds. The company blamed this on a “web caching issue” and said that it deployed “numerous technical measures” to prevent the problem from repeating, including limiting account permissions, updating company policies and employee training, and hiring an external security firm for penetration testing.

In 2022, security firm Bitdefender disclosed security vulnerabilities with Wyze cameras that could allow people to access feeds from cameras they didn’t own and the contents of strangers’ camera SD cards. The vulnerability required the hacker to have been on the same network as the hacked device at some point; however, long-time users still disowned Wyze for not acting on this information or making the information public for years. In March, Wyze settled [PDF] a proposed class action regarding the vulnerabilities; terms weren’t disclosed.

This all gives customers even more reason to be upset about the latest incident. Some Wyze users remain perturbed by the budget smart camera company’s announcement. As a user going by FlyPenFly said on the WyzeCam subreddit:

I hope you have some heads rolling because the already damaged brand is now practically worthless. I’ve been with you guys from the start but I’m just shocked at the level of hubris and incompetence from a company trying to compete in this crowded space. The savings aren’t worth the squeeze here.

Understandably, users who were affected seem disturbed by the news. For example, a Reddit user going by H3H3ather wrote:

I’m so disgusted and upset. I’ve already deleted my account, but I’m feeling so violated.

For its part, Wyze has been quicker to alert customers this time than it has been in the past. It offered customers an apology via email, saying, in part:

We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple [third-]party audits and penetration testing when this event occurred.

Wyze’s story is another painful reminder of the inherent risks in putting Internet-connected video cameras in sensitive parts of the home, especially inside. Wyze tried placing some technical blame on an AWS partner, but that’s not comforting considering that Wyze is the one that chose that partner and is responsible for ensuring its tech is implemented properly (AWS didn’t report an outage at the time of Wyze’s camera outage). At a minimum, this incident can be a reminder that, when considering a security system, you should research the companies behind smart products for any alarming security breaches, flaws, glitches, and checkered pasts that you’d rather not experience personally.

Wyze didn’t respond to Ars Technica’s request for comment.
