submitted 1 year ago by Xepher@lemm.ee to c/technology@lemmy.world

After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we've made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-A. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

  • Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
  • Describe the issue in detail and state precisely who was affected (and who wasn’t).
  • Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
  • Follow up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

[-] reallynotnick@lemmy.world 20 points 1 year ago

Are there decent camera systems that allow you to self-host everything?

[-] 0110010001100010@lemmy.world 27 points 1 year ago

If you want to self-host you NVR then anything RTSP or ONVIF. I have a combination of Ubiquiti, Reolink, Dahua, and Amcrest cameras. They sit on their own network with no Internet access and can only talk to the NVR. That's not exactly an easy setup though unless you are fairly technical but it is a private one.

[-] Cold_Brew_Enema@lemmy.world 21 points 1 year ago

I understood about 7 words of your comment

[-] totallynotarobot@lemmy.world 16 points 1 year ago

If someone uses acronyms without explaining them, they're "flexing" and can be ignored.

But this person made it extra confusing by typo-ing "your NVR" as "you NVR," which makes "NVR" seem like a verb.

NVR = Network Video Recorder. A thing that records videos locally from your cameras.

[-] RaoulDook@lemmy.world -2 points 1 year ago* (last edited 1 year ago)

Nah, that's just a cope statement. I knew what all those acronyms meant already, as would anyone who deals with security cameras with any regularity. Also, using acronyms properly is a concise method of communicating useful information.

If you were actually interested in the topic instead of just trying to imagine that people are "flexing" their knowledge to cope with lack of your own, you could simply use a search engine to learn what those acronyms meant in a few seconds of time.

[-] olympicyes@lemmy.world 2 points 1 year ago

RTSP is the streaming cam protocol. It shows up as a URL with rtsp:// instead of https://. You can type that URL into streaming video apps like VLC (video lan client) and watch your videos with no configuration. There is no security on the feed so you have to secure your network instead.

[-] corsicanguppy@lemmy.ca 1 points 5 months ago

To translate, a decent set-up involves a self-hosted controller and recorder unit, to which cameras speaking an open protocol connect. RTSP- or ONVIF-style cameras are often chosen for compatibility with a standard central unit (Network Video Recorder, or NVR).

Brands like Reolink, Dahua, Amcrest, and (to a lesser extent) Ubiquiti, will easily connect to that self-hosted NVR; although, if some of those camera brands are sketchy then you may need to confirm they're isolated from the world and test that assumption regularly.
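One way to test the isolation described in this thread (cameras that can only talk to the NVR) is to audit firewall logs for any camera flow whose peer is not the NVR or a local time source. This is an added example, not code from any commenter; the subnet, the NVR and NTP addresses, and the log lines (written in the key=value style of netfilter LOG output) are constructed assumptions.

```python
import ipaddress
import re

# Assumed layout (hypothetical addresses, not from the thread).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
NVR = ipaddress.ip_address("10.20.0.2")
NTP = ipaddress.ip_address("10.20.0.3")  # local time source for timestamps
TRUSTED = {NVR, NTP}
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed firewall log lines (documentation address ranges for "internet").
SAMPLE_LOG = """\
IN=vlan20 SRC=10.20.0.2 DST=10.20.0.11 PROTO=TCP SPT=41022 DPT=554
IN=vlan20 SRC=10.20.0.11 DST=10.20.0.3 PROTO=UDP SPT=123 DPT=123
IN=vlan20 SRC=10.20.0.12 DST=203.0.113.50 PROTO=TCP SPT=50112 DPT=443
IN=vlan10 SRC=192.168.1.40 DST=10.20.0.11 PROTO=TCP SPT=50990 DPT=554
IN=vlan20 SRC=10.20.0.12 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=53
"""

def is_camera(ip):
    return ip in CAMERA_NET and ip not in TRUSTED

def audit(log_text):
    """Return (direction, camera, peer, proto, dport, kind) per violation."""
    findings = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # not a flow record
        for cam, peer, direction in ((src, dst, "outbound"), (dst, src, "inbound")):
            if is_camera(cam) and peer not in TRUSTED:
                local = any(peer in net for net in LOCAL_NETS)
                findings.append((direction, str(cam), str(peer),
                                 f.get("PROTO", "?").lower(),
                                 int(f.get("DPT", "0")),
                                 "lateral" if local else "internet"))
                break  # one finding per flow
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An "internet" finding means a camera reached past the local network; a "lateral" finding means some other local host reached a camera's unauthenticated feed directly.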

[-] gamer@lemm.ee 3 points 1 year ago

Any specific reason for the mixed brands? I went 100% Unifi in my home (cameras and networking equipment) and it's amazing. Everything just works, and the apps are great. While I haven't bothered to go through the effort of setting up a VPN so that the NVR is disconnected from the internet, I know it's doable.

[-] 0110010001100010@lemmy.world 2 points 1 year ago

Not really. I have a third-party NVR that can take any standards-based camera. I like the Dahua camera over the garage since it handles direct headlights VERY well. The Ubiquiti ones were a holdover from when I ran all their stuff; I just haven't replaced them. The Reolink was a cheap option to watch the corner of the basement where the water and sewer lines are. And the Amcrest is a cheap PTZ to watch other parts of the basement as needed.

The benefit of a third-party NVR is you can mix and match cameras at will for whatever is best in that specific circumstance without vendor lock-in. Yeah it's more complicated for sure but I like the flexibility.

I use Wireguard on my phone for remote access when needed and it works great.

[-] Hyzerflip@lemmy.world 13 points 1 year ago

Ubiquiti is who I chose. Everything is self hosted, no service fees, good quality equipment and no extra fees for remote maintenance. The motion and AI detections work very well and of course all the products integrate seamlessly into their UniFi network equipment…BUT it’s more a whole network approach than just cameras.

[-] AtHeartEngineer@lemmy.world 2 points 1 year ago

They are pricey compared to wyzecam though, but probably worth it at this rate

[-] Hyzerflip@lemmy.world 3 points 1 year ago

Not cheap, but not overly expensive. You are getting what you pay for without the privacy nightmare.

[-] reallynotnick@lemmy.world 2 points 1 year ago

That does look pretty slick! Definitely something I will have to look into more.

[-] corsicanguppy@lemmy.ca 1 points 5 months ago

My posh friend has an ubi setup. And then she bought a camera to see under the ice in her Koi pond.

Ubi refused to connect it.

I stayed back, as she's technically proficient and I want to mess with cameras like I want to mess with printers - make my own work, but that's it - but it really seemed like Ubi doesn't work with anything else, and that's by choice a la apple.

[-] nobo@lemm.ee 8 points 1 year ago

I have had good luck with Reolink cameras, which, so far, have come with RTSP as a feature by default. They offer a program, which amazingly doesn't require an account be made.

I put custom RTSP firmware on all of my old Wyze cameras and then blocked them from WAN access.

[-] gaylord_fartmaster@lemmy.world 2 points 1 year ago

Foscam is relatively cheap and I like the few PTZ cameras I have. I use RTSP and block their access to the internet. For the timestamp to stay synced I redirect the Foscam DNS requests to an NTP docker container.

[-] Buelldozer@lemmy.today 1 points 1 year ago

Do foscams work well with Frigate? The next step in my Smart Home evolution is Cameras and I'd like to use Frigate because it integrates well with Home Assistant (and I already have the Google Coral Module).

[-] gaylord_fartmaster@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

I messed around with Frigate once but never spent any time with it since TPUs are impossible to find these days and I didn't have a use otherwise. I know I at least got to the point where I was viewing the stream in Frigate, but I can't vouch for anything past that point.

edit: I ended up looking and it looks like they are available again, I hadn't checked in a while. Maybe I'll give it a whirl again.

[-] jmanes@lemmy.world 2 points 1 year ago

You can use Ecobee’s cameras with HomeKit secure video. Just block the cameras from being able to talk to the internet via firewall first.

this post was submitted on 19 Sep 2023
678 points (97.9% liked)