A few days ago, a security breach happened with Wyze security cameras which let strangers see into your home. I was very concerned because I am one of the users that have a Wyze Camera installed at home specifically the Wyze Cam v3. According to user reports, various users were able to see thumbnails of camera video feeds belonging to cameras that didn’t belong to them.
Wyze has since addressed the security incident that occurred during a service outage last Friday, shedding light on what transpired and the steps being taken to prevent similar occurrences in the future.
What happened
Apparently the outage was originating from partner AWS — a cloud provider owned by Amazon — which led to disrupted Wyze devices for several hours, affecting users’ ability to view live cameras or access Events during that period. In an email that I received, Wyze apologized for the inconvenience caused by this downtime.
However, as cameras came back online, a security issue emerged. Some users reported seeing incorrect thumbnails and Event Videos in their Events tab. Investigation revealed that approximately 13,000 users as opposed to 14 users initially reported by Wyze received thumbnails from cameras not their own, with 1,504 users tapping on them. While most taps only enlarged the thumbnail, some were able to view Event Videos erroneously.
According to Wyze, the root cause was identified as a third-party caching client library, recently integrated into Wyze’s system, which experienced unprecedented load conditions due to devices reconnecting simultaneously. This resulted in a mix-up of device ID and user ID mapping, connecting some data to incorrect accounts.
What has been done
To prevent future incidents, Wyze says they have implemented additional verification layers before users access Event Videos and modified the system to bypass caching for user-device relationship checks until thoroughly stress-tested client libraries are identified.
The company is now beefing up its investment in more security such as establishing a security team, implementing multiple processes, maintaining a bug bounty program, and undergoing third-party audits and penetration testing.
Past security breaches
Wyze response should be taken with a pinch of salt given that this is not the first security lapse that has affected Wyze cameras. For example, in December 2019, it was reported that some Wyze users’ personal information was exposed due to a data leak caused by an unprotected Elasticsearch database. Additionally, in early 2020, researchers discovered vulnerabilities in Wyze camera firmware that could potentially allow attackers to access live video feeds and personal data stored on the devices.
