Wyze, the American maker of smart-home devices, knew for three years about a vulnerability in its WyzeCam v1 surveillance cameras that let attackers watch other people’s homes over the Internet, and did not warn its customers. Moreover, the information security company that discovered the problem allowed it to do so.
Wyze not only failed to warn its customers about the potential danger, but also issued no fix and recalled no vulnerable devices; it simply stopped producing them in January of this year without explanation. This week, however, specialists at the information security company Bitdefender finally shed light on why Wyze stopped selling the WyzeCam v1. As it turned out, attackers could access the cameras’ SD cards over the Internet, steal encryption keys, and view and download the entire video stream.
The only thing the manufacturer has told its customers is that “the use of WyzeCam after February 1, 2022 poses a security threat, Wyze does not recommend doing this and does not assume responsibility for the use of cameras after this period.”
The Bitdefender specialists who discovered the vulnerability contacted the manufacturer in March 2019 but received a response only in November 2020, a year and eight months later. Why the company decided to report the problem to the general public only now is unclear, because this practice is not typical of the cybersecurity community. Responsible disclosure of vulnerabilities does involve some delay so that the manufacturer has time to fix them, but that delay is usually 1-3 months, not three years.
“What we found was so serious that we decided to step back from our vulnerability disclosure policy after 90 days, since publishing a report without Wyze’s knowledge and in the absence of fixes would potentially endanger millions of users with unknown consequences,” Bitdefender representatives told The Verge.