科技回声 (Tech Echo): a Hacker News mirror built on Next.js, serving global tech news and discussion. © 2025 科技回声.

Wyze security incident update

171 points by johnkpaul, over 1 year ago

30 comments


jasongill, over 1 year ago

> We’ve identified your Wyze account as one that was affected. This means that thumbnails from your Events were visible in another Wyze user’s account and that a thumbnail was tapped. Most taps enlarged the thumbnail, but in some cases it could have caused an Event Video to be viewed.

Kudos to Wyze for doing the things noted in the thread like being honest and prompt with notification etc, but "thumbnails from your Events were visible... and that thumbnail was tapped" is a pretty mealy-mouthed way to say "another person saw your private pictures and videos taken with your Wyze cameras".

frognumber, over 1 year ago

In the meantime, Wyze has rolled back RTSP support, where it was possible to use their devices locally:

https://support.wyze.com/hc/en-us/articles/360026245231-Wyze-Cam-RTSP

A good response to this might be to put it back, and to extend other devices to be dual-use (Wyze Cloud or HA).

voakbasda, over 1 year ago

Another in a long line of reasons to avoid low price, off-the-shelf, unauditable, cloud-enabled cameras.

I continue to be amazed that there is not a reasonably priced, open source, audited, local-first solution, which doesn’t require a significant personal investment of time to install and maintain.

syntaxing, over 1 year ago

This is one of the things Apple does right. HomeKit working local is a pretty great setup and just works. I put my HomeKit cameras on a VLAN without internet and device isolation and they still work seamlessly. The hard part is getting cameras that are wireless. I use scrypted but even then, getting ONVIF or RTSP isn’t as straightforward nowadays. I also have a local frigate backup which works great too. You can pipe in the detection to scrypted with MQTT.

firefalcon222, over 1 year ago

Not my project but I have had great success with https://github.com/gtxaspec/wz_mini_hacks & V3 model.

The V3 models need to be downgraded to a specific firmware first and patching it exposes RTSP streams using https://github.com/AlexxIT/go2rtc. Everything doable without ever installing the Wyze app, in an air-gapped environment with no internet.

tgsovlerkhgsel, over 1 year ago

This is one of the reasons why you want end-to-end encryption wherever possible.

Even a bad implementation with cloud-synced encryption keys (which defeats most of the benefits of e2e) would have stopped this.

The response in this case (notifying customers and specifically stating whether they were affected or not) is excellent, but this seems to be a repeat of a previous incident from September 2023: https://www.theverge.com/2023/9/8/23865255/wyze-security-camera-feeds-web-view-issue

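To make the end-to-end encryption point above concrete, here is an added example (not Wyze's code and not any commenter's): each user seals event thumbnails under a key the server never holds, so when the server mixes up accounts and hands user-a the blob that belongs to user-b, the blob fails authentication under user-a's key and the app has nothing to display. The HMAC-SHA256 counter-mode keystream with encrypt-then-MAC is a self-contained stand-in for a real AEAD such as AES-GCM, chosen only so the block runs on the standard library; the user IDs, keys and store contents are constructed for the demo.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(user_secret: bytes, label: bytes) -> bytes:
    """Derive a separate encryption or MAC sub-key from one per-user secret."""
    return hmac.new(user_secret, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (toy stand-in, not AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(user_secret: bytes, plaintext: bytes) -> bytes:
    """Client-side encrypt-then-MAC. The server only ever stores the returned blob."""
    enc_key = derive_key(user_secret, b"thumbnail-enc")
    mac_key = derive_key(user_secret, b"thumbnail-mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(user_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag under this user's key before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    mac_key = derive_key(user_secret, b"thumbnail-mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: not sealed under this user's key")
    enc_key = derive_key(user_secret, b"thumbnail-enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed scenario (hypothetical): two users, each holding a key the server never
# sees. The server-side event store holds only sealed blobs, one per camera.
USER_KEYS = {"user-a": os.urandom(32), "user-b": os.urandom(32)}
EVENT_STORE = {
    "cam-1": seal(USER_KEYS["user-a"], b"event thumbnail from cam-1"),
    "cam-2": seal(USER_KEYS["user-b"], b"event thumbnail from cam-2"),
}


def view_thumbnail(user_id: str, blob: bytes):
    """What the app does with whatever the server returns: decrypt, or show nothing."""
    try:
        return unseal(USER_KEYS[user_id], blob)
    except ValueError:
        return None


if __name__ == "__main__":
    print(view_thumbnail("user-a", EVENT_STORE["cam-1"]))  # own camera: plaintext
    # Server-side account mix-up: user-a is served cam-2's blob and sees nothing.
    print(view_thumbnail("user-a", EVENT_STORE["cam-2"]))
```

The mix-up still happens on the server in this model; what changes is that the served object is useless to the wrong recipient, which is the property the comment is after. With cloud-synced keys the server could in principle decrypt, but a mapping bug that serves the wrong blob without also serving the wrong key still fails closed in the client.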
notatoad, over 1 year ago

“Don’t use Wyze” seems like the wrong takeaway from this.

I’d go with “don’t put internet-connected cameras in your house if you don’t want those images on the internet”. I’ve got a Wyze in my garage looking over my mountain bikes, and for $35 I don’t really care if somebody else sees that image. But I’d never put one in my living space, regardless of their security track record.

spullara, over 1 year ago

This actually looks like a concurrency bug in their request handling code that may have stored the user id and camera id in shared variables; under load, the wrong camera id is seen by a user. At least based on the description of what they say happened.

jabiko, over 1 year ago

I would have liked them going more into the details of the caching issue. It sounds like they think the cache library was responsible for the issue, but a more technical analysis of what exactly went wrong within that library would be great.

illusive4080, over 1 year ago

My work encountered this same sort of thing after an outage. Our Redis instance or client got confused. If a=b and c=d in our cache, a request for a returned d randomly.

We quickly realized that cache is fast but not infallible. Use proper security on all your resources. Don’t rely on UUIDs to obfuscate your data as security.

twisteriffic, over 1 year ago

> The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

That seems like enough of a line of bullshit to steer me away from ever using wyze.

psanford, over 1 year ago

There's a bunch of things in here that don't really make sense:

> The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

What? How does load on the system affect correctness?

> The outage originated from our partner AWS

What does this mean? Was there an AWS outage for a service they use, or was this just a normal loss of an instance?

It's interesting that they blame external entities for the root causes of the incident and don't take responsibility for what is ultimately on them.

sneak, over 1 year ago

Nobody should ever be surprised that sending video to someone else’s computer (ie “the cloud”) results in third parties viewing that video.

matrix_overload, over 1 year ago

Wyze cameras can actually be used very securely, as long as you bother to jump through some hoops.

First of all, google "Wyze RTSP firmware". It's the official firmware from the vendor that enables the RTSP protocol. Now you can enable RTSP via the app and give the camera a fixed IP address in your DHCP server.

RTSP is a pretty standard protocol, so you can now view the feed via VNC player, record it 24/7 via ffmpeg, use tools like motion, etc.

The camera will still try to connect to cloud, but you can move it to a local-only Wi-Fi network, or outright block it from reaching the outer world on the router side.

And if you want advanced stuff (multiple streams, organized recording, etc), there is a plethora of free/open-source security camera tools (iSpy for instance). It all takes time to learn and configure, but you can have your own fully closed-circuit surveillance network, while still using the Wyze's rather cheap hardware.

creativeSlumber, over 1 year ago

> The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. ... As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. ... The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

As a software engineer who's dealt with caches for large high-throughput services, it does not make sense to me why they are blaming a caching client. It's your own code that will decide what is the cache key, and what value to pass as the cache key. Did the caching library have a bug where when you ask for a given key, it returned results for a different key? Or more likely did your own code have a bug where you mixed up the keys? I think we need more details on what went wrong in here.

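spullara's concurrency hypothesis, psanford's question of how load can affect correctness, illusive4080's "don't rely on IDs as security" and creativeSlumber's "your own code picks the key" come together in the following added example (not Wyze's code and not any commenter's). A toy cache client keeps the key in flight in a field shared across threads; a barrier stands in for the burst of requests that overlap under load, which is exactly when such a race shows up; and an ownership check on the object actually being served stops the leak even while the client is still broken. The user and camera names, the ownership table and the backing store are constructed for the demo.

```python
import threading
from dataclasses import dataclass

# Constructed sample data (hypothetical, not Wyze's): which user owns which camera,
# and the latest event thumbnail per camera in the store behind the cache.
OWNERS = {"user-a": {"cam-1"}, "user-b": {"cam-2"}, "user-c": {"cam-3"}}
STORE = {"cam-1": "thumb-1.jpg", "cam-2": "thumb-2.jpg", "cam-3": "thumb-3.jpg"}
USERS = sorted(OWNERS)


@dataclass(frozen=True)
class Thumbnail:
    device_id: str  # the served object carries the identifier authorization needs
    path: str


class RacyCacheClient:
    """Bug pattern: the key in flight lives in a field shared by every caller, so a
    concurrent request can overwrite it between 'remember key' and 'use key'."""

    def __init__(self, barrier):
        self.barrier = barrier
        self.pending_key = None

    def get(self, key):
        self.pending_key = key
        self.barrier.wait()       # stands in for 'other requests run here' under load
        k = self.pending_key      # may now be another request's key
        return Thumbnail(k, STORE[k])


class SafeCacheClient:
    """Fixed pattern: per-call state is a local; nothing is shared between callers."""

    def __init__(self, barrier):
        self.barrier = barrier

    def get(self, key):
        self.barrier.wait()
        return Thumbnail(key, STORE[key])


def authorize(user_id, thumb):
    """Check the object about to be served, not the key that was looked up."""
    if thumb.device_id not in OWNERS.get(user_id, set()):
        raise PermissionError(f"{user_id} may not view {thumb.device_id}")
    return thumb


def serve_events(client_cls, users, authorize_on_serve):
    """Run one request per user concurrently; return {user: device served or 'denied'}."""
    client = client_cls(threading.Barrier(len(users)))
    served = {}

    def request(user_id):
        device_id = next(iter(OWNERS[user_id]))  # our own code picks the cache key
        try:
            thumb = client.get(device_id)
            if authorize_on_serve:
                authorize(user_id, thumb)
            served[user_id] = thumb.device_id
        except PermissionError:
            served[user_id] = "denied"

    threads = [threading.Thread(target=request, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return served


def leaked(served):
    """Users who were handed a thumbnail from a camera they do not own."""
    return sorted(u for u, d in served.items() if d != "denied" and d not in OWNERS[u])


if __name__ == "__main__":
    print("racy client, no check:  ", leaked(serve_events(RacyCacheClient, USERS, False)))
    print("racy client, with check:", leaked(serve_events(RacyCacheClient, USERS, True)))
    print("safe client, no check:  ", leaked(serve_events(SafeCacheClient, USERS, False)))
```

With the barrier forcing all three requests to overlap, the racy client hands two of the three users another user's camera every run; the same client behind a serve-time ownership check leaks nothing and simply denies the two mismatched requests. The race is invisible when requests arrive one at a time, which is why a library that passed ordinary testing can misbehave only during a reconnect storm.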
KryptoKnight, over 1 year ago

This company spams me non-stop; might just have to ditch the cam. I have grown used to throwing away hardware due to infinite fees, self-bricking, or hacked out of the box. Consumer electronics have taken a painful dive in quality control. And hey Wyze, unsubscribe me already!!!

n89nanda, over 1 year ago

Looks like they had a similar issue in 2023. https://www.nytimes.com/wirecutter/blog/wyze-security-breach/

siliconc0w, over 1 year ago

Pretty much the same thing that hit OpenAI, I wonder if it was the same redis bug.

gerwim, over 1 year ago

> Wyze blamed "a third-party caching client library that was recently integrated into our system" for the trouble.

Yes, of course. Blame a third-party library which was probably created by an open source maintainer instead of testing your own systems.

darknavi, over 1 year ago

This is the sort of thing that makes me salty that Unifi Protect is basically cloud locked-in. No direct IP connection with "local" account support on the mobile app.

pledess, over 1 year ago

I'm wondering about the probability that, out of all the affected customers, at least one had the research skills and social skills to identify another customer and successfully ask to meet. Like, for an essay about "His schnauzer needed a mom. WyZettle: the amazing story of a pivot from a home camera service to a dating app."

t8sr, over 1 year ago

A little off topic, but how is it possible that a tech startup named itself “Wyze” and didn’t get sued by Google over the “Waze” trademark? In some accents it sounds exactly the same, and they’re sort of in an adjacent product space.

fatkam, over 1 year ago

I have my cameras blocked from the internet and doing backups in the attic.

EVa5I7bHFq9mnYK, over 1 year ago

3rd party libraries are a serious security problem that nobody wants to talk about, because there is no easy solution. I once lost $300k to a hack related to that issue.

urbandw311er, over 1 year ago

Initially I thought this was about the money transfer company. Curious how there are two software companies with the same name and one hasn’t sued the other.

whatever1, over 1 year ago

How the hell do these incidents happen?

In the era of cloud and microservices, why does each user not have their own dedicated resources?

X6S1x6Okd1st, over 1 year ago

Possibly a collision in the caching library. Pretty bad that the video streams aren't properly permissioned.

uconnectlol, over 1 year ago

Connected cameras have been easily hackable since circa 2001, and this isn't changing any time soon, especially not with node.js smartcrap.

lofaszvanitt, over 1 year ago

Accidentally mixed the IDs!

scubadude, over 1 year ago

Why do people have cameras inside their house anyway?