Wyze Says Camera Breach Let 13,000 Customers Briefly See Into Other People's Homes

An anonymous reader shares a report: Wyze's problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought. Last week, co-founder David Crosby said that "so far" the company had identified 14 people who were able to briefly see into a stranger's property because they were shown an image from someone else's Wyze camera. Now we're being told that number of affected customers has ballooned to 13,000.

The revelation came from an email sent to customers entitled "An Important Security Message from Wyze," in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS. [...] The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation.

  • by Mirnotoriety ( 10462951 ) on Monday February 19, 2024 @11:30AM (#64251352)
    “The outage originated from our partner AWS [theverge.com] and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.”

    “This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”
    • by fyngyrz ( 762201 ) on Monday February 19, 2024 @02:20PM (#64251930) Homepage Journal

      Live by the cloud, die by the cloud.

      Some pro advice:

      If you want security cameras, that requires wired cameras attached to a dedicated, securely located multichannel recorder whose incoming feeds and monitoring hardware are isolated from the Internet and solidly backed up by a hefty UPS. If you require offsite backup, do it indirectly by archiving feeds you encrypt first. For your security and the security of all the innocents who inevitably end up on camera.

      For intrusion detection, use dedicated hardware and expose only the "intrusion detected" signal(s) on the Internet. Don't use video triggers. Or at least, if you feel you must use video triggers (doubtful at best), only expose the "intrusion detected" flag(s) to the Internet.

      When you make video accessible over the Internet, gated or not, that's the opposite of security.

      If you just want to pretend, by all means, go ahead and get "security" cameras where some third party has its invasive little fingers all over your video. I'm sure it'll be fine. /s

      • by Bert64 ( 520050 )

        The prevalence of NAT causes almost all consumer cameras to be cloud based, otherwise users have no other way to reach them.

        • by fyngyrz ( 762201 )

          The prevalence of NAT causes almost all consumer cameras to be cloud based, otherwise users have no other way to reach them.

          Nonsense. [amazon.com] Unless by "consumer cameras" you mean webcams, which are definitively not security cameras, regardless of the associated marketing drivel.

          • by Bert64 ( 520050 )

            The systems you link to have local storage sure, but remote access to them (especially using the official mobile app) is through a cloud service - often some server in China where it's not even clear who operates the server or how long it will remain online for.

            You often can't turn this off, and have to block it at the firewall.

            For some (but by no means all) of these devices there might be a regular web interface too, or an RTSP port if you're lucky.

            These systems are even worse - you still have the loss of

  • by schneidafunk ( 795759 ) on Monday February 19, 2024 @11:30AM (#64251354)

    I'm curious how they're justifying AWS is somewhat to blame, and potentially opening themselves up to a lawsuit.

  • by timholman ( 71886 ) on Monday February 19, 2024 @11:32AM (#64251362)

    Cloud cameras can be useful, but it's a mistake to use them indoors, or in any sensitive area. For interior views I use cameras that record to my own internal system, firewalled from the Internet.

    I do have a couple of Wyze Cams to provide some overview images outside. They are cheap and handy for that purpose. I was one of the affected customers, and got the email from Wyze. I doubt that a view of my front yard or my parked car had much effect on my privacy.

    • Cloud cameras can be incredibly useful.

      Of course only if the people you want to spy on have them, not you. Duh.

      • by Terwin ( 412356 )

        We have a 'puppy cam' that we deploy when away on trips, but that is the only time we have a network enabled camera pointing inside our house.
        Anything seen by a network connected camera can just be assumed to be visible to interested 3rd parties if it has power.
        (Currently the puppy-cam is sitting in a box on a shelf in the closet with no power, because we are home and like our privacy)

    • by AmiMoJo ( 196126 )

      Anyone with a Wyze camera in the EU or UK should submit a Subject Access Request (SAR) to find out if they were affected. If they were, they can then claim compensation for the massive intrusion of their privacy. Allowing random people to see into your home is a serious GDPR violation.

      • by kriston ( 7886 )

        If you read the announcement you'd know that they contacted the affected customers.

    • by Ksevio ( 865461 )

      I have one aimed at my compost pile to see if any interesting wildlife comes by. It's not super reliable, but it stores a lot on an SD card. I guess someone might have been able to see my old food scraps.

      I swapped to a Reolink connected locally for other ones.

  • by bradley13 ( 1118935 ) on Monday February 19, 2024 @12:09PM (#64251466) Homepage
    Hooking cameras up to your own NAS is pretty easy for any techie. Why wouldn't you do this? Granted, nontechnical folk have more of a problem, but we, at least, should just say "no" to all of our data flowing into the cloud. Even without data breaches, you have no idea who can access your data. Even outside cameras contain sensitive info, for example, telling you when the owners have left the house.
    • I got gifted a cheap Wyze camera for one Christmas. They are cheap, and people are lazy. I looked into Wyze and I was like these guys are going to be hacked SO MANY TIMES. SO:

      Just for giggles I placed it directly above my toilet, pointed directly at my dick every time I pee. I often think about how many people may have had to see my dick.

      • by Pascoea ( 968200 )

        Just for giggles I placed it directly above my toilet, pointed directly at my dick every time I pee. I often think about how many people may have had to see my dick.

        I didn't realize they sold them with macro lenses.

    • by Ksevio ( 865461 )

      Basically because they're really cheap and "work" out of the box. It IS possible to reflash the Wyze cams with new firmware and you can use a wyze-bridge software running on a server to fix some of the connectivity issues if you connect it to a local service, but it's a bit of a pain to get set up.

    • You can install openmiko firmware on some Wyze cameras.

      No doubt patches would be welcome for newer SoC's.

      But there doesn't seem to be quite enough community interest in an open community-built firmware for cameras yet.

      There's one freemium offering that seems too difficult and trust-requiring for broad adoption.

    • by AmiMoJo ( 196126 )

      Because then you can't access them away from home. People want to be able to see what is happening at home when they are away.

      Okay, it's possible to set up, but not easy, and certainly beyond what most consumers can do. Even for someone with know-how, in these days of CGNAT you can't just open up a port and expect it to work. Even getting a VPN into your network requires a third party to mediate, i.e. a cloud service.

  • What did they think--that they were going to install someone else's cameras into their home--and have privacy?
  • But none of these cameras have ever thought about encryption. It at least would give some legitimacy to these types of devices. Meanwhile, all these internet cameras are a security nightmare and likely being monitored in China. If you care anything about your privacy don't use Internet connected cameras. THE END.