The new security breach to hit Wyze and its cameras is just the latest in a long—and we do mean long—line of privacy screw ups which have plagued the home security market since the category arrived on the scene. The breach, where 13,000 users received thumbnail images from stranger’s cameras, has been a clear disaster for a company which has garnered something of a tarnished reputation because of its attitude to its customers in the past.
The breach was heralded by a large service outage for the smart home brand that severed the connection between Wyze’s app and its cameras on February 16, leaving users to flood the internet with complaints that their cameras weren’t working. Issues ranged from cameras going offline, to being unable to connect their camera to the internet, to one user even claiming that they could view a video feed that wasn’t theirs. Wyze blamed the issue on Amazon Web Services (AWS), citing a problem with “device connection [that] caused login difficulties”. It was on February 21 that the true extent of the breach was discovered—namely that 13,000 users had images of their homes displayed on other users' apps.
The earliest security alarm systems were probably squawking geese in 300 BC, but it wasn’t until sophisticated file compression, Wi-Fi and more powerful microprocessors opened the floodgates in 1997 that the whole home security industry really took flight. The market is now predicted to be worth $84 billion by 2027, a credible number since we’re now at some 180 million security cameras, video door bells and other assorted tools installed in homes across the globe.
But this huge adoption curve has brought with it a slew of problems from the industry failing to adequately protect the privacy of its customers.
Way back in 2012, a hacking blog called Console Cowboys exposed a method by which anyone could hack into a $70 camera from a company called Trendnet, and watch people in their houses day or night. The exploit was available because of unpatched firmware, which unsuspecting users didn’t know they had to update.
Links to thousands of private home camera feeds were posted online, and the uproar reverberated around the forums and message boards of the Internet at the time. The company got lucky, and received just a slap on the wrist from the FTC, presumably because the breach was only counted in the thousands.
This was just the first in a long line of abuses. By 2018 over 21 million cameras were in use, and one of the big players, Swann, reached the front page of the BBC website with a breach story of its own. The OzVision software they used let strangers access remote Swann cameras at will. Another camera brand, Flir, also suffered the same software problem.
In 2019 stolen passwords were used to terrorize a California couple by broadcasting a fake emergency missile attack warning through their Nest camera. Nest owner Google reset all Nest accounts to solve the problem. A mere year later another tech giant, Amazon, found itself on the wrong end of a class action lawsuit filed by more than 30 families who suffered a breach of their Ring doorbell camera systems. Hackers screamed obscenities, demanded money and threatened the home owners, again using the camera’s speaker system. As with many of these stories, however, the cases seemed to quietly disappear after the initial media attention, either through settlement or abandonment.
To return to Wyze, it is no stranger to security breaches. In 2019, the company was warned about three vulnerabilities with its home security camera systems. The problems were not fixed in a timely manner, and probably remain an issue in discontinued products. In this case, the impact was not too widespread, but what set the alarms ringing was the fact that Wyze seemed to do the bare minimum to help their users at the time...Which is a strange thing for a security company to do. Some commentators felt the company should be trying harder.
This 2019 misstep was followed by a similar issue in 2022, when cybersecurity researchers discovered that a permanent vulnerability in the same model of Wyze cameras could allow cybercriminals to hack into users’ cameras, watch recorded content and even compromise the camera’s security further. The vulnerability, if exploited, could allow hackers to take full control of the device, including disabling microSD recording, turning the camera on and off and even changing the direction it was facing in, functionally allowing cybercriminals to spy on victims even if they could not access the camera’s live video feed. The vulnerabilities were reportedly patched in 2019 and 2020, yet the camera could still be accessed via its SD card, leaving users in a “permanent window of vulnerability”, as stated by the researchers.
These unaddressed vulnerabilities led to Wirecutter magazine taking the unprecedented step of removing Wyze cameras from all their recommendation guides in September of 2023, citing the fact that “Wyze has failed to develop the sorts of robust procedures that adequately protect its customers”. Just five months later here we are, with the company facing yet another problem breach.
Once again the company initially downplayed the issue, claiming that only 14 users were affected, until being forced to admit that it was in fact over 13,000. While the company has now apologized, it has left a sour taste in many user’s mouths as they seek explanations for the data leaks.
It’s clear that this history of security lapses is unlikely to stop anytime soon. In the meantime the industry continues to advise users to use strong passwords and keep their firmware and software updated. Finally users should also remember that they also have a duty to respect the privacy of those neighbors who may be subject to their surveillance footage. The UK’s surveillance commissioner has issued a guide to the use of domestic CCTV, and how users should be careful about capturing and storing footage. Doing it the wrong way can leave you open to a fine, especially if you breach the European GDPR regulations. It’s worth a read.
These security breaches that exposed people in the presumed safety and vulnerability of their own homes serves as a reminder that cyber security is not something to be overlooked. While we may be aware of the danger physical criminals to our homes, cybercriminals remain a threat. This is why it’s important to consider running your home security camera through an encrypted network through a VPN router or by using a VPN. By doing so, you will enhance the privacy and security of your internet connection in your household, by protecting your connection and masking your credentials.
