Response to 3/29/22 Security Report
At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.
We are constantly evaluating the security of our systems and taking appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities, and worked directly with them to patch the security issues in our supported products before the public report.
We first would like to let our users know that these vulnerabilities required some form of local network access. So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely (rest assured you shouldn’t and likely don’t have a setup like this).
As Bitdefender reported in their timeline, we issued the first patch in the month following our notification, and over time we continued to mitigate the risk of these exploits with additional patches in the months that followed. We have fixed these issues and no longer consider this ongoing after the release of the final critical security updates for the last of the local vulnerabilities found in the report in February 2022. Though we kicked off development quickly, we want to respond quicker in the future and have made significant advances in our security infrastructure, including hiring a team of dedicated security engineers to work exclusively on responses to security events and strengthening protection for our users.
You might be wondering, “Why am I just hearing about this now?” Bitdefender and Wyze both take the safety of affected users seriously. Knowing that we were actively working on risk mitigation and corrective updates, we came to the conclusion together that it was safest to be prudent about the details until the vulnerabilities were fixed.
Unfortunately, despite extensive efforts stretching into 2022, we found Wyze Cam v1 (last sold in March 2018) couldn’t support the necessary security updates. The limited camera memory that prompted us to create Wyze Cam v2 directly prevented patching these issues on that product. We were transparent with our customers and disclosed our inability to continue to offer necessary security updates in an email announcing the end-of-life (EOL) for this product. For security reasons, we again chose to remain prudent about the specific reason why until now to limit the risk to all of our affected users across affected models. We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam v1 owners to discontinue the use of these products.
Selecting technology to protect your home and your loved ones is a big decision. Our journey to make great tech accessible to everyone continues, and we are committed to providing an experience that is reliable and secure for everyone.
If anyone has questions or concerns about Wyze security, please email our security team directly through firstname.lastname@example.org.