Wyze: Strangers could look into the home through the camera, the manufacturer said nothing for years

Wyze
For years, strangers could look into your home through the security camera. The manufacturer knew – and said nothing


Cameras from the manufacturer Wyze allowed unauthorized persons to sift through recordings from apartments and offices through a security hole. The manufacturer had known about the flaw for years.

Security cameras really have only one purpose: they should make us feel safer in our homes. A flaw at the manufacturer Wyze is now likely to have had the opposite effect. It allowed random strangers to gain deep insights into the everyday lives of users. But instead of protecting its customers, the manufacturer preferred to remain silent.

This is according to a report by Bitdefender antivirus experts. According to the report, the flaw made it possible to access the local storage of Wyze cameras remotely via the Internet and to retrieve the videos stored there. It didn't require any special hacking skills: because no authentication was required, you could access any camera that could be found on the Internet.

Shockingly easy

According to the experts, to be affected by the flaw it was enough to connect one of the cameras to the Internet and insert any SD card. The camera then automatically set up its own web address. Because a log file containing the access data could also be retrieved, the videos, images and audio recordings saved on the camera, as well as all other data the user had saved on it, could be retrieved via the web. The only limitation: you had to know the ID of the camera. Infected devices on the same network could obtain it.

The manufacturer had known for at least three years that this was possible. In March 2019, Bitdefender security researchers discovered the flaw along with two other problems and informed Wyze about it. The manufacturer took a lot of time with the other flaws as well. The first problem, which allowed the log-in to be bypassed, was only solved after six months. The second vulnerability, which allowed the execution of malicious code, was in turn removed a year later. The SD card trick worked even longer: the problem was apparently only fixed in January of this year.


Wyze is unreasonable

However, that does not mean that users of the cameras sold in Germany are already safe. Because many cameras do not install updates automatically, the vulnerabilities can still exist. The safest method for customers is therefore to search for an update for their own camera on the manufacturer's website and install it. For some models, however, there is simply no update available any more: because one affected model has not received any updates since the end of 2020, the vulnerability there will never be closed.

What is particularly annoying is that the flaw was never openly communicated. An editor of "The Verge", who used one of the cameras himself, only received an email in February of this year that pointed out an "increased risk" if he did not install the current update. What caused this danger was not explained there. It was only pointed out that customers acted "entirely at their own risk" if they ignored it. In a statement to Bleeping Computer, Wyze did not address the delay and only emphasized that the flaw had been fixed.

It's not the first time security cameras have been accessible to strangers. A few years ago, an Aldi camera could also be controlled from the Internet, and even passed on the live image. At the Amazon subsidiary Ring, lists with access data had ended up on the Internet. Some internet users made a sport of logging into users' homes one after another and, in individual cases, harassing the residents through the loudspeaker with requests to undress.

Sources: Bitdefender, The Verge, Bleeping Computer
