Wyze Cameras Allow Accidental User Spying
About 13,000 users received camera images and feeds that weren't theirs. This cyber incident takes place only five months after the company experienced a similar issue and failed to be transparent with users about the issues it was facing.
February 20, 2024
Wyze has confirmed in an email to its users that it has experienced a cybersecurity "incident" that allowed many of its connected camera users to see into other people's camera feeds, being able to unwittingly spy on others.
This isn't the first time that Wyze, a Seattle-based company offering smart home products such as cameras and doorbells, has experienced a cybersecurity issue like this. In September 2023, Wyze camera users reported that they were seeing camera feeds that were not theirs. According to Wyze, this issue was the result of a Web caching problem.
Now this issue is occurring once again, but at a seemingly greater scale. Around 13,000 users received thumbnails from cameras that were not theirs, and 1,504 of those users enlarged the image. There were also instances where the thumbnail was attached to a video and the video was viewed.
The User Point of View
At least 10 individuals on Reddit reported that they were seeing images on the Wyze app that did not belong to their household. For one person, the picture was of a stranger's porch. For another, it was someone else's living room. Some were seeing footage from a different time zone altogether.
"One of my cameras notified me of an event from inside someone else home with them in it walking around. Absolutely no security with Wyze whatsoever," read a comment from a Redditor four days ago.
Similar reports occurred on the Wyze forum.
"I understand there are issues going on currently, however I just got a notification for a camera motion alert for a camera I do not own," stated one user. "This seems like a major security flaw and now I am concerned some of my camera notifications are being sent to other Wyze users."
Users were seeing these thumbnails for cameras that weren't their own in the Wyze app's Events tab, according to David Crosby, Wyze co-founder and chief marketing officer. Once reports of the privacy issue began to come in, the Events tab was taken down. A new, extra layer of verification has now been added, Crosby noted, and all users must log out of the Wyze app and reset tokens if they have been active.
"As I mentioned in my other posts, our engineering team has added a new layer of verification between users and event videos to prevent this from happening again," stated "WyzeDave" in a post on the Wyze forum page. "We've also removed the client library and will not be using caching until we can find a new client library and stress test it for extreme scenarios like we saw on Friday."
The Culprit: A Power Outage ... or Not?
After an Amazon Web Services (AWS) outage occurred earlier in the morning, the Wyze servers were overloaded, and this resulted in it corrupting some user data and leading to this particular security issue, according to an email from Crosby obtained by media. However, AWS did not report an outage during the time the Wyze cameras were facing these issues.
"I do want to thank everyone who has helped us with reports and logs to properly identify the issue and the affected users," Crosby wrote in the forum post. "This has been an incredibly stressful weekend for all and we are grateful for your help, and so sorry that this happened."
An investigation is still underway, and though Wyze has seemingly been much more transparent during this cyber incident compared with the last, it's unclear how this will affect user trust, or how the company will prevent something like this from happening again.
About the Author
You May Also Like
The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024