cross-posted from: https://lemm.ee/post/8552498
After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.
On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.
We believe Wyze is acting irresponsibly to its customers. As such, we’ve made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.
The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-a. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.
We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”
If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.
The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.
In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:
- Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
- Describe the issue in detail and state precisely who was affected (and who wasn’t).
- Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
- Follow up with customers to let them know the issue has been resolved.
For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.
This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.
We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.
Didn’t Anker/eufy have pretty much the same issue a couple years ago?
They did. I think it was a regional database key collision problem. People in North America would see cameras in Australia and vice versa. But I could be wrong.
I mean, it was uploading the feed while advertising it was local only, so a tad worse than that.
The thumbnails were going to AWS in order to serve notifications. Which happened to be full sized screenshots. Videos weren’t uploaded to the cloud.
The key collision could let you stream another accounts video but they had to be using the web interface at the same time as you.
For a local only system advertised as local only, which should have 0 interaction with AWS or the internet because those are not local.
You didn’t respond to anything I said but okay.
I mean, I did, you were saying how it worked online and I pointed out it’s meant to be a local-only system, which means it isn’t allowed to be online. How is that not responding to your comment?
In order to view video from the camera, it had to be a Wyze cam v1 (last sold in 2018), the “hacker” would need to know the randomly generated ID of the camera, which they could get if they were connected to the same WiFi as the camera - or try to guess it. With the ID, a “hacker” could access the SD card remotely and download video files. It also allowed them to turn the camera on and off and, on pan-tilt models, move the camera.
Wyze took too long to disclose this (they found out about it in 2019 and didn’t disclose it for 18 months). Nobody knows if this flaw was ever taken advantage of. They tried to patch the hardware but weren’t able to do so. Wyze said they issued a patch within 1 month of learning about the flaw, but I haven’t determined exactly what was patched. They also noted in Feb of 2022 they couldn’t patch the hardware fully, and retiring the v1 cameras was the only option to resolve the issue.
What are good cameras to use for self hosting this stuff? I have a NAS and would have no problem opening a port to allow access from outside the home but most of these companies just want to sell you cheap cameras that you really don’t have full access to.
As others have suggested, Amcrest and Reolink cameras are good for self-hosters. I like my Reolink PoE-powered cameras, and they pair well with my Frigate server running on a Raspberry Pi.
The Hook Up does decent, and frequent, review videos you might find useful.
Any general reason to choose one over the other? I see Amcrest is an American company, so I’ll probably default to that. I plan on PoE only (no Wi-Fi, cameras behind a DMZ) and appreciate object detection, but I can probably just use something like Frigate. I don’t really need anything other than weather resistance.
I want to set something up to record everything for 24 hours (maybe 48 hours, depending on the size), and then keep interesting clips for weeks. I can set up a VPN, so I don’t need any cloud services.
I’ll check out that channel, thanks!
Based on the Hook Up’s reviews, I could’ve gone with either one for my needs.
I went with Reolink on price in the end. I’m in Australia and, at the time, they were a little cheaper here.
Forget about a camera, set up a local server to read the camera’s data and have that server send data to the internet. There are open source servers you can use, though I have not tested any so I won’t recommend one. Then have your firewall block the camera from the internet completely (you can open a hole to apply an update if you think an update would be helpful, just close it when the update is done).
The PineCube might be a useful camera for this, but AFAIK nobody has really written software for it. Still, it might be an option if you want to go through a lot of work.
Reolink cameras are good quality and you can configure them quite a lot. As far as I know, they don’t connect to a remote cloud so they should not have such vulnerabilities.
I’m using Reolink B800 PoE, with the Neolink wrapper on a VM feeding Frigate. They’ve been 100% perfect for 6 months.
Alternatively, set up a VPN into your home and only allow cam access via local network 🙂
As far as network cams are concerned, it’s a pita to find a good one that is also not expensive.
Feel free to correct me, anyone, because I do want a better solution than buying a cheap one and just blocking it from all WAN access in or out.
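The "block the camera from the internet, open a hole only for updates" approach described above, and the "block it from all WAN access in or out" setup this comment asks about, as an nftables ruleset. This is an added example, not anything posted in the thread; the interface names, subnets, NVR address and camera ports are assumptions for the sake of illustration and need to be adapted.

```nftables
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example):
#   cam0 = camera VLAN interface, cameras live in 192.168.50.0/24
#   lan0 = trusted LAN, NVR/Frigate host at 192.168.10.20
#   wan0 = upstream/internet interface
# Cameras never initiate traffic toward the WAN. The NVR pulls streams
# from them, and a timed set opens WAN access for one camera while it updates.

define CAM_NET = 192.168.50.0/24
define NVR     = 192.168.10.20

table inet cams {
    # Addresses in this set may reach the WAN until their entry expires,
    # so a hole opened for a firmware update closes itself. For example:
    #   nft add element inet cams update_allow { 192.168.50.11 timeout 30m }
    set update_allow {
        type ipv4_addr
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the NVR opened are allowed back through.
        ct state established,related accept

        # The trusted LAN keeps its normal internet access.
        iifname "lan0" oifname "wan0" accept

        # Only the NVR may open RTSP (554) and the camera's HTTP port (80)
        # toward the camera VLAN; assumed ports, adjust for your cameras.
        iifname "lan0" oifname "cam0" ip saddr $NVR ip daddr $CAM_NET \
            tcp dport { 80, 554 } accept

        # Temporary, self-expiring exception used during an update.
        iifname "cam0" oifname "wan0" ip saddr @update_allow accept

        # Everything else leaving the camera VLAN is logged and dropped,
        # which also makes any cloud call-home attempt visible in the logs.
        iifname "cam0" log prefix "cam-egress-blocked: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `cam-egress-blocked:` prefix to confirm the cameras are not quietly trying to reach a cloud service.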
If you’re in Apple’s ecosystem, get a camera that supports Home Secure Video, set the camera up through HomeKit, and never use the manufacturer’s crappy app.
The event triggers are not super great, and the resolution tops out at 1080p (while others are doing 4K,) but it is pretty damn secure.
Reolink with Frigate has been so nice
I’ve got a couple of Amcrest cameras, which hook into a Home Assistant/Frigate/Double Take/CompreFace stack right now and it works really well to see my cameras offsite (HA). Add in the fact that I’ve got an NVR for looking over recent footage (Frigate) and facial recognition (still in training, just set up Double Take and CompreFace a few weeks ago) which can be configured to alert (HA) my phone, it’s a pretty sweet setup!
Hey if you have any wyze cams I highly suggest you check out this firmware https://github.com/gtxaspec/wz_mini_hacks
I’ve used these firmwares. They’re nice for getting RTSP, network storage and shell access. However afaik, they don’t block the cloud streaming and theoretically unauthorized access through the app. I’ve been looking for a way to only allow LAN access through the app and it works for a time. Access through VPN has been a challenge though.
See here: https://github.com/gtxaspec/wz_mini_hacks/wiki/Configuration-File#self-hosted--isolated-mode
It also supports WireGuard on the cameras which is crazy cool. The only issue I’m having is with the utronics Ethernet adapter I got. Works on any computer but the cameras won’t even see it as a USB device.
Thanks! Self hosted mode is exactly what I wanted. I looked into Frigate and this might completely replace the cloud app for me.