Wyze Security Incident: Cameras Crossed, Trust Broken

If you own a Wyze camera, you need to read this. A serious security breach exposed some users’ video feeds to others. We’ll explain what went wrong, whether you’re affected, and the steps you should take to protect your privacy.

Imagine watching your home security videos and seeing footage from a complete stranger’s house. That’s what happened to some Wyze camera users following a recent security incident. In a major privacy breach, a system glitch mixed up camera feeds, exposing videos to the wrong people.

Here’s a breakdown of the Wyze security incident of Friday, February 16, 2024, along with its implications and key points:

What Happened

  1. AWS Outage: An outage experienced by Wyze’s cloud partner, AWS, led to Wyze devices going offline for several hours.
  2. System Restore Error: As Wyze worked to bring the cameras back online, an error occurred in a third-party caching library. This mixed up camera IDs and user IDs, linking some data to wrong accounts.
  3. Unauthorized Access: Around 13,000 Wyze users received thumbnails (preview images) from other users’ cameras. Of those, 1,504 users clicked on those thumbnails, in some cases gaining access to short event videos from other users’ accounts.

Wyze’s Response

  • Disabled Events Tab: Wyze immediately disabled the Events tab (which stores thumbnails and videos) while investigating.
  • Identified Affected Users: Wyze notified the 1,504 users whose videos might have been seen by others.
  • Technical Fix: Implemented a new verification layer to prevent user-device connection errors and modified the system to avoid certain caching approaches in the future.
  • Acknowledgement: Wyze acknowledges this as a disappointing event that breaches customer trust despite numerous prior security improvements.
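
The Technical Fix item describes a verification layer between users and devices. One way such a layer could work is an ownership check made at serve time against the authoritative device-owner record, regardless of what the cache returns. The following is an added example, not Wyze's code; the cache, event store, user names and device IDs are all hypothetical and the data is constructed.

```python
# Added illustration: every name and value here is hypothetical and constructed.

# Authoritative device-to-owner records (source of truth, not the cache).
DEVICE_OWNERS = {"cam-A": "alice", "cam-B": "bob"}

# Event store: event id -> (device id, thumbnail bytes).
EVENTS = {
    "evt-1": ("cam-A", b"alice-thumb"),
    "evt-2": ("cam-B", b"bob-thumb"),
}


class EventCache:
    """Per-user list of event ids; stands in for the caching layer."""

    def __init__(self):
        self._by_user = {}

    def put(self, user_id, event_ids):
        self._by_user[user_id] = list(event_ids)

    def get(self, user_id):
        return self._by_user.get(user_id, [])


def fetch_unchecked(cache, user_id):
    """Serves whatever the cache maps to the user, right or wrong."""
    return [EVENTS[e][1] for e in cache.get(user_id)]


def fetch_verified(cache, user_id, audit_log):
    """Serves an event only if its device belongs to the requesting user."""
    served = []
    for event_id in cache.get(user_id):
        device_id, thumbnail = EVENTS[event_id]
        if DEVICE_OWNERS.get(device_id) != user_id:
            # Fail closed and record the mismatch for alerting.
            audit_log.append((user_id, event_id, device_id))
            continue
        served.append(thumbnail)
    return served


def demo():
    cache = EventCache()
    # Simulated fault: bob's event ends up linked to alice's account.
    cache.put("alice", ["evt-1", "evt-2"])
    audit_log = []
    return fetch_unchecked(cache, "alice"), fetch_verified(cache, "alice", audit_log), audit_log
```

The audit log entry matters as much as the dropped thumbnail: a burst of ownership mismatches after a service restore is the signal that cached mappings have gone wrong.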

Key Takeaways

  • Complexity Causes Bugs: Even companies focused on security aren’t immune to errors, especially during large-scale system changes.
  • The Human Factor: The email reveals frustration as this breach follows past security issues at Wyze.
  • Third-Party Risk: Errors by partners and integrated software introduce risks you can’t always directly control.
  • Transparency Matters: While this isn’t the first Wyze security issue, a detailed explanation is better than trying to downplay the seriousness.

What Wyze Users Can Do

  • Affected Users: If you were among the 1,504 mentioned, consider changing your Wyze password and check carefully for unexpected charges or activity.
  • All Users: This incident highlights the risks of IoT devices. Regularly review your privacy settings and use strong, unique passwords across all smart home devices.
