I just threw my Wyze home security cameras in the trash. I’m done with this company.
Wyze has been fully aware of a vulnerability in its home security cameras, one that could let hackers look into your home over the Internet. And the security research firm that found the vulnerability largely let the company get away with it.
Wyze discontinued the WyzeCam v1 this January without a full explanation. According to security research firm Bitdefender, Wyze stopped selling the v1 because someone could access your camera’s SD card over the Internet, steal the encryption key, and start watching and downloading its video feed.
Bitdefender brought the vulnerability to Wyze’s attention in March 2019. The company only fixed it for newer versions of the camera.
‘Your continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk.’
That is how Wyze described the v1’s discontinuation: as ‘increased risk’, not as a major vulnerability that already exists.
Bitdefender didn’t disclose this for three years, when it could have forced Wyze’s hand.
The security research firm reached out to Wyze in March 2019 and didn’t even get a response until November 2020. Yet Bitdefender chose to keep quiet until just yesterday.
‘The majority of researchers have policies where, if they make a good-faith effort to reach a vendor and don’t get a response, they publicly disclose in 30 days,’ says Katie Moussouris, founder and CEO of Luta Security and co-author of the international ISO standards for vulnerability disclosure and vulnerability handling processes. ‘Even the US government has a 45-day default disclosure deadline to prevent vendors from burying bug reports and never fixing them,’ Moussouris adds.
When I asked Bitdefender about this, PR director Steve Fiore had an explanation, but it doesn’t sit well with me:
‘Our findings were so serious that our decision was that publishing this report without Wyze’s acknowledgement and mitigation was going to expose potentially millions of customers with unknown implications. Wyze actually implemented one last year as a result of our findings.
The impact of making the findings public, coupled with our lack of information on the capability of the vendor to address the fallout, dictated our waiting. We have delayed publishing reports for longer periods for the same reason before.
We understand that this is not necessarily a common practice with other researchers. But disclosing the findings before having the vendor provide patches would have put a lot of people at risk.’
Both of the experts I spoke to, Moussouris and Stamos, brought up the infamous Meltdown processor vulnerability.
Bitdefender could have put out a press release two years ago saying that Wyze had a flaw it wasn’t fixing; as Bitdefender itself notes, ‘there’s an easy mitigation strategy for affected customers.’
When Bitdefender and PCMag revealed that the iBaby monitor company hadn’t patched its security hole, the resulting bad publicity pushed it to fix the flaw just three days later.