When Wyze announced in late January that it would discontinue the original Wyze Cam only days later, it couched the move as a celebration, going so far as to say that the camera “will always hold a special place in our hearts.”
But even as Wyze promised that “you can still use your Wyze Cam v1” following its impending February 1 end-of-life date, the company added ominously, and only in a footnote, that “your continued use of the Wyze Cam v1 after February 1, 2022 carries increased risk, is discouraged by Wyze and is entirely at your own risk.”
At the time, something sounded a little, well, off about Wyze’s sudden announcement. Now, it appears we know why.
Earlier this week, cybersecurity firm Bitdefender revealed (as first reported by BleepingComputer) that it had discovered a trio of serious Wyze Cam vulnerabilities three years earlier, one of which would have allowed attackers to access the data on the camera’s SD card, including recorded video footage.
Bitdefender says it initially warned Wyze about the flaws in March 2019. The first two bugs were patched in September 2019 and November 2020, but the SD card flaw remained unpatched until January 29, 2022, and only the Wyze Cam v2 and v3 received that fix; the original Wyze Cam was never patched.
When announcing that it was “retiring” the Wyze Cam v1, Wyze said it was because the camera “can no longer support a necessary security update.” Looking back, it sure sounds like the update Wyze was referring to was the SD card vulnerability patch that the Wyze Cam v2 and v3 received.
I have yet to hear back from Wyze about the Bitdefender report, but in a statement to BleepingComputer, a Wyze rep said:
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.
That’s all well and good, but it doesn’t answer the question of why Wyze didn’t simply explain the SD card vulnerability in the original, unpatched Wyze Cam and explicitly warn users of the risks.
A wise woman in the technology sector once told me, “We don’t sell toothpaste; we sell trust.” Well, Wyze is now facing a serious credibility gap, and it needs to come clean. An apology is probably in order, too.
Update: Wyze sent me a link to its official response on the evening after this story was originally published. The full text is included below.
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and taking appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities, and worked directly with them to patch the security issues in our supported products before the public report.
We first would like to let our users know that these vulnerabilities required some form of local network access. So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely (rest assured you shouldn’t and likely don’t have a setup like this).
As Bitdefender reported in their timeline, we issued the first patch in the month following our notification, and over time we continued to mitigate the risk of these exploits with additional patches in the months that followed. We have fixed these issues and no longer consider this ongoing after the release of the final critical security updates for the last of the local vulnerabilities found in the report in February 2022. Though we kicked off development quickly, we want to respond quicker in the future and have made significant advances in our security infrastructure, including hiring a team of dedicated security engineers to work exclusively on responses to security events and strengthening protection for our users.
You might be wondering, “Why am I just hearing about this now?” Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.
Unfortunately, despite extensive efforts stretching into 2022, we found Wyze Cam v1 (last sold in March 2018) couldn’t support the necessary security updates. The limited camera memory that prompted us to create Wyze Cam v2 directly prevented patching these issues on that product. We were transparent with our customers and disclosed our inability to continue to offer necessary security updates in an email announcing the end-of-life (EOL) for this product. For security reasons, we again chose to remain prudent about the specific reason why until now to limit the risk to all of our affected users across affected models. We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam v1 owners to discontinue the use of these products.
Selecting technology to protect your home and your loved ones is a big decision. Our journey to make great tech accessible to everyone continues, and we are committed to providing an experience that is reliable and secure for everyone.
If anyone has questions or concerns about Wyze security, please email our security team directly through security@wyze.com.
Updated on April 4, 2022 to add an official response from Wyze.