
Wyze cam security breach

Frozen-IceCube

Summary

 

Story developing in the Wyze community after a camera outage due to AWS. After cameras started coming back online, users are reporting getting access to other users' cameras in their event feed. The co-founder has acknowledged the potential breach and has taken Events offline.

 

Quotes

Quote

Wyze cofounder posted on reddit saying "Cofounder of Wyze here. As you know we had an outage this morning driven by an issue with our partner AWS. Cameras are starting to come back online for live viewing, but we are now restricting access to the Events tab while we investigate a possible security issue. We’re so sorry and will get your cameras fully recovered as soon as possible! We will also share results of our investigation."

 

My thoughts

This is a breaking story; it might be a good WAN show topic, as this is now another camera company, like Eufy, that has had a breach of this type.

 

Sources

https://www.reddit.com/r/wyzecam/comments/1ash8py/outage_this_morning_and_investigation_of_security/

https://www.reddit.com/r/wyzecam/comments/1ascmo0/camera_showing_up_that_isnt_mine/

https://support.wyze.com/hc/en-us/articles/360015979872-Service-Status-Known-Issues

 

 


2 minutes ago, Frozen-IceCube said:

I'm glad all mine are outside but check this one out, someone got a push notification of motion in someone else's living room

 

https://www.reddit.com/r/wyzecam/comments/1asf2ad/i_just_got_a_motion_push_notification_for_someone/

 

Such a genius move by this guy to post a picture of someone else's living room online but also complain about the bug that caused it. 🤦‍♂️

 

 

 

 


16 minutes ago, Frozen-IceCube said:

I'm glad all mine are outside but check this one out, someone got a push notification of motion in someone else's living room

 

https://www.reddit.com/r/wyzecam/comments/1asf2ad/i_just_got_a_motion_push_notification_for_someone/

 

I guess it's better than getting a "Push" notice of movement in someone's bedroom.
 


 


So hopefully this was something misconfigured, or a bug, and not an actual security breach. However, we'll have to see how this actually shakes out. I'm still watching this, as I have many Wyze cameras at my house, and my family and the in-laws use them as well.

 

That being said, any inside the house are on smart plugs and actually powered off when we are home. The ones outside are on smart switches, so we can actually kill power to those as well.

 

Quote

Update and early investigation results: After an AWS outage this morning, our servers got overloaded and it corrupted some user data. We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab. Fortunately, they were not able to view live streams or watch these videos, only the thumbnails were visible.

 

So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users. These affected users will be notified asap. We will also send notification to all Wyze users explaining what happened.

 

As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens.

 

We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again. Again, we are very sorry for the inconvenience today. Thanks to everyone who helped report incidents and helped get devices back online. Our deepest apologies to everyone affected.

 


13 hours ago, OhioYJ said:

Oh well, luckily I can remotely shut all mine down.

Double remote shut-off, device and power. 😛 I mean, having a good remote solution could be fun, whatever the plans for big companies and IoT devices will be like, in maybe less secure ways.


Wouldn't it be nice if we had a solution that doesn't require a 3rd party having access to the cameras? 🤔

Oh wait, we do........ (Synology, Frigate, ZoneMinder, etc)


Wyze has had an insane number of security breaches; however, even UniFi, which is a pretty self-hosted system, had the same thing happen. I don't understand how this even happens; it seems pretty basic to make sure that the camera is only connected to the person who set it up, using unique keys.


This is yet another reason why you shouldn't use cloud-based devices for smart home/home security.


 


<-- Wyze User. So I'm not saying this issue isn't serious; it sucks. However, I will give them some credit for being fairly open and forthcoming with information, at least compared to many companies. Many just go radio silent after something like this.

 

Official Forum Post for the Security Issue <-- This post has the emails sent out directly below the update that I'm quoting below.

 

Quote

We have sent emails out to all affected and unaffected Wyze users from the security issue that occurred on 2/16/24.

 

The first email went to all unaffected users.

 

The second email went to users whose event thumbnails were made available to others but not tapped on.

 

The third email went out to users whose event thumbnails were made available to others and were tapped on.

 

The fourth email went out to users who had thumbnails made available to them that were not their own, but their thumbnails were not made available to others.

 

The following posts contain copies of these emails.

 


Just received the email below from Wyze. Not the first time this issue happens with Wyze, by the way...

 

"(...) in some cases an Event Video was able to be viewed."

 

I hope no one got caught walking around naked...😬 Easiest lawsuit win ever.

 

Quote

 

Wyze Friends,


On Friday morning, we had a service outage that led to a security incident. Your account and over 99.75% of all Wyze accounts were not affected by the security event, but we wanted to make you aware of the incident and let you know what we are doing to make sure it doesn't happen again.

 

The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren’t able to. We’re very sorry for the frustration and confusion this caused.

 

As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation.

 

We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected.

 

The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

 

To make sure this doesn't happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.

 

We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple 3rd party audits and penetration testing when this event occurred.

 

We must do more and be better, and we will. We are so sorry for this incident and are dedicated to rebuilding your trust.

 

If you have questions about your account, please visit support.wyze.com.


Wyze Team

 

 
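The quoted Wyze report attributes the exposure to a cached device-ID/user-ID mapping that was corrupted under load, and describes the fix as an extra verification layer that bypasses the cache for user-device ownership checks. This added Python example (not Wyze's code; the table, cache class and event data are constructed) shows the read path that trusts the cache beside the hardened one, plus a mismatch check a defender could alert on:

```python
# Added example (not Wyze's code): a cached user->device mapping that drifts
# under load, beside the fix the report describes (re-verify ownership against
# the source of truth, bypassing the cache). All data is constructed.

OWNERSHIP_DB = {"user_a": {"cam_1", "cam_2"}, "user_b": {"cam_3"}}  # source of truth

EVENTS = [  # event feed entries keyed by the device that produced them
    {"event_id": "ev1", "device_id": "cam_1", "thumb": "cam1-thumb.jpg"},
    {"event_id": "ev2", "device_id": "cam_3", "thumb": "cam3-thumb.jpg"},
]


class MappingCache:
    """Cached copy of the ownership table; corrupt() simulates the mix-up."""

    def __init__(self):
        self.data = {u: set(d) for u, d in OWNERSHIP_DB.items()}

    def devices_for(self, user_id):
        return self.data.get(user_id, set())

    def corrupt(self, user_id, wrong_device):
        # A device belonging to someone else lands in this user's cached entry.
        self.data.setdefault(user_id, set()).add(wrong_device)


def owns_device(user_id, device_id):
    """Authoritative check; deliberately does not consult the cache."""
    return device_id in OWNERSHIP_DB.get(user_id, set())


def events_trusting_cache(user_id, cache):
    """Failure pattern: the cache is the only input to the access decision."""
    allowed = cache.devices_for(user_id)
    return [e["event_id"] for e in EVENTS if e["device_id"] in allowed]


def events_with_verification(user_id, cache):
    """Hardened pattern: the cache only narrows candidates; every event is
    re-checked against OWNERSHIP_DB before it is returned."""
    candidates = cache.devices_for(user_id)
    return [e["event_id"] for e in EVENTS
            if e["device_id"] in candidates and owns_device(user_id, e["device_id"])]


def cache_authz_mismatches(user_id, cache):
    """Detection hook: devices the cache grants but the source of truth does
    not. Non-empty means alert and stop trusting the cache for this check."""
    return {d for d in cache.devices_for(user_id) if not owns_device(user_id, d)}
```

With a corrupted cache entry, `events_trusting_cache` hands user_b an event from user_a's camera, while `events_with_verification` returns only user_b's own event and `cache_authz_mismatches` reports the bad mapping.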


On 2/18/2024 at 2:39 PM, darknessblade said:

This is yet another reason why you shouldn't use cloudbased devices for smarthome/home security

I'd say it's an example of why you should avoid cloud-connected devices in general.......

