Home Security

It's Time to Treat Your Home Security Cameras as Compromised

Commentary: Wyze has taught us a valuable lesson.

The Wyze Cam v1 had vulnerabilities that were never patched and that Wyze didn't disclose to customers until three years after it was notified of them.
Chris Monroe/CNET

At the end of March, BitDefender, a leading cybersecurity research firm, published a damning report about Wyze (PDF), one of the leading security brands on the market. The charge: That the manufacturer was notified of a vulnerability that allowed, among other things, unauthorized access to stored footage in its wildly popular Wyze Cam v1 -- a market-shaking device that sold over a million units -- and that Wyze failed to patch the flaw or alert users to it for nearly three years.

Wyze -- and, frankly, BitDefender, which notified Wyze of the problem in 2019 -- are both deserving of criticism for failing to disclose such a vulnerability for so long. A representative at BitDefender told me it opted not to publish the flaw before Wyze responded to the notification "to avoid releasing a zero-day that could impact millions."

Once Wyze responded, BitDefender held publication while the company worked on a fix. Wyze provided similar reasoning for withholding the information from customers in its blog post on the BitDefender report. Yet for nonessential devices like $20 smart cams, the right of the customer to know their exposure supersedes the impulse to minimize damage from the vulnerability -- simply stopping usage of the device is an easy choice for many customers, after all. In short, BitDefender should've publicly disclosed the problem years ago.

But this controversy isn't the first of its kind, and it won't be the last. Major security brands, from industry stalwarts like ADT to tech upstarts like Google-owned Nest and Amazon-owned Ring, have landed in hot water recently when private feeds and footage have proven less private than advertised.

In our rapidly evolving, technified world, we need to change how we think about home security cameras. Like we had to learn years ago with social media, what we presume to be private can only too easily become public. With so many examples on hand, it's time we treated all home security cameras as compromised, if only to maintain our privacy when some inevitably are.

What Wyze wrought

Wyze Labs upended the home security market in 2017, when it announced a smart cam that cost only $20. The rest of the industry quickly followed Wyze's example, with other ultra-affordable brands, like Blink, cropping up (and in Blink's case, being acquired by Amazon). By 2020, as CNET's Megan Wollerton wrote at the time, the era of the $200 home security camera was over.

BitDefender notified Wyze of three security vulnerabilities in 2019, one of which would allow hackers to gain access to video files stored on the SD card. Wyze began patching the problems on its other cameras immediately, and seemed to imply in a recent blog post that said patching was in direct response to the report. However, Wyze didn't officially acknowledge receipt of the report until late 2020 -- more than a year and a half after BitDefender sent it.

Wyze continued to work with BitDefender into 2022, but found it could not patch the Wyze Cam v1 because of the device's limited memory. As a result, the company initiated end-of-life procedures for the camera, alerting users via email to its inability to provide a necessary security update to the device. Wyze didn't brick the camera altogether, but the company advised customers to stop using it and announced it would no longer receive updates.

It's worth pointing out that the Wyze Cam's vulnerabilities aren't the worst they could be. They don't give access to credentials, for instance, which would allow hackers to compile directories of user information to be sold or used in web-crawling enterprises -- searching for banking or other high-value accounts for which Wyze customers reused their passwords.

What's more, hackers would have to gain access to your home network before being able to access the SD card in your Wyze Cam via this vulnerability. This likely means very few Wyze customers were hacked, as it would require a highly targeted approach.

But the vulnerability is still serious. Plenty of people share networks with roommates, suite-partners and even neighbors. Even if such a practice isn't advisable, it's common enough. And that means anyone on the network could view video files that should've been better protected.

The biggest issue is broader, though: Both Wyze and BitDefender agreed on an unusually slow timeline to disclose the vulnerability -- and ultimately, it shouldn't be their decision to make about what customers can safely know. Wyze might want to conceal such information for business purposes, but BitDefender should've made it public -- or at the very least, given Wyze a stricter timeline within which to patch or disclose the vulnerability itself.

wyze-vs-blink-wireless-doorbells-2

Since its original $20 camera launched, Wyze has released dozens of devices, including cameras and video doorbells -- and even lights and bathroom scales.

Chris Monroe/CNET

The bigger picture

Camera hacks happen for a few reasons, chief among them that internet-connected cameras are often fairly unsecure. Web crawlers are designed to search online for smart cams with common passwords (or none at all) and post their feeds publicly -- and the results are sometimes frightening.

Even if cameras aren't hacked, they can be compromised in other ways. In 2020, ADT disclosed that hundreds of customers in Texas had been the victims of a digital peeping Tom; in this case, an ADT technician who had simply left his own email on each of the accounts so he could freely access the feeds of cameras he'd installed. ADT fired the technician, and authorities arrested him in 2020.

Amazon's security brand Ring has also faced wide-ranging criticism for its police partnerships, which, among other things, have facilitated the sharing of footage from video doorbells of constitutionally protected activity, such as protests, with local authorities. (Ring has since stopped sharing footage directly with police, instead allowing authorities to request footage directly from users via the Neighbors app.)

Each of these cases is admittedly unique, and they often led to policy changes for the companies. But each case also reminds us that internet-connected cameras alter the calculus of both public and private life. Cameras challenge our presumptions of privacy. Even the password-protected, dual-factor-authenticated home security camera can be compromised -- and unless you're a network security expert yourself, you're trusting the developer to have good security practices and to be transparent about discovered vulnerabilities, which Wyze has demonstrated isn't a given.

The takeaway? Sure, get rid of Wyze cams if you don't trust them. That's a completely fair response.

But also, don't use internet-connected security cameras inside your home in general -- or at least not in places you wouldn't want to make public. The standard we take for social media -- that anything we post ought to be thought of as public -- should be extended at this point to home security cameras: Wherever we point them, whatever they capture, could eventually be set loose where it shouldn't be.

Update, April 6: Adds that ADT fired its peeping Tom technician, and clarifies that Ring has stopped sharing footage directly with police.