Unpatched Wyze Security Camera Exploit Pathetically Left Millions Vulnerable To Spying For Years

Wyze Cam devices are reported to have had a huge security flaw, and the company remained silent about it for three years. The software flaw was found by Bitdefender, which claims it reported the issues to Wyze all the way back in 2019.

Home security devices are meant to make you feel safer in the confines of your home. The thought of being able to check in on your pet while at work, or on your children while out and about, has also given peace of mind to millions. These devices are not, however, meant to be hijacked by attackers who take control over the very cameras that are meant for your eyes only. It seems Wyze had a software flaw that gave hackers the ability to watch you in secret and even access the feed from the SD card of your camera.

The security flaw was first found by Bitdefender in 2019. Bitdefender claims that it contacted Wyze about the issue in March 2019; however, Wyze did not respond until 2020. Wyze then took another two years to discontinue the Wyze Cam V1, citing the camera's inability to support a security update.

In an email to customers, Wyze said, "Your continued use of the Wyze Cam v1 after February 1, 2022, carries increased risk, is discouraged by Wyze, and is entirely at your own risk." Even while telling customers that, it still failed to disclose that customers' cameras had been open to hacking for the last three years and that the company knew about it.

Bitdefender said, "publishing details on the vulnerability in the absence of a patch is problematic when it comes to smart cameras, so Bitdefender waited until the vendor fixed the issue." This, too, may not sit well with customers who were affected by the software flaw.

Researchers with Bitdefender were able to bypass the authentication process, gain a remote connection, and seize nearly complete control. "After authentication, we can fully control the device, including motion control (pan/tilt), disabling recording to SD, turning the camera on/off, among others," researchers explained. "We can't view the live audio and video feed, though, because it is encrypted."

Wyze spokesperson Kyle Christensen told The Verge that as far as the company was concerned, it had been transparent with its customers and that it has "fully corrected the issue". However, Wyze only fixed the issue for newer versions of the Wyze Cam, and did not send the final patch until January 29th. The small amount of information that it passed along is therefore probably little to no comfort to customers, especially when you take into account how long it took the company to publicly acknowledge there was any type of security risk and the length of time it took to correct it.

Wyze Cams V1, V2 and V3 were all affected by the security risk. The company seems to have fixed the issue with V2 and V3, but if you still own a V1 cam you may want to stop using it immediately, as it does not support the latest firmware update that fixes the security flaw. If you have not yet updated your V2 or V3 cameras, you can go to the company's official portal for the latest firmware (or throw them all in the trash).