Wyze needs to come clean about the Wyze Cam’s security flaws

When Wyze announced in late January that it would discontinue the original Wyze Cam only days later, it couched the move as a celebration, going so far as to say that the camera “will always hold a special place in our hearts.” 

But even as Wyze promised that “you can still use your Wyze Cam v1” following its impending February 1 end-of-life date, the company added ominously–and only in a footnote–that “your continued use of the Wyze Cam v1 after February 1, 2022 carries increased risk, is discouraged by Wyze and is entirely at your own risk.”

At the time, something sounded a little, well, off about Wyze’s sudden announcement. Now, it appears we know why. 

Earlier this week, cybersecurity firm Bitdefender revealed (as first reported by BleepingComputer) that it had previously–as in three years ago–discovered a trio of serious Wyze Cam vulnerabilities, one of which would have allowed attackers to access the data on the camera’s SD card, including recorded video footage. 

Bitdefender says it initially warned Wyze about the flaws in March 2019. The first two bugs were patched in September 2019 and November 2020, but the SD card flaw remained unpatched until January 29, 2022, and only the Wyze Cam v2 and v3 got the fix, leaving the original Wyze Cam vulnerable to the security hole.

When announcing that it was “retiring” the Wyze Cam v1, Wyze said it was because the camera “can no longer support a necessary security update.” Looking back, it sure sounds like the update Wyze was referring to was the SD card vulnerability patch that the Wyze Cam v2 and v3 received.

I have yet to hear back from Wyze about the Bitdefender report, but in a statement to BleepingComputer, a Wyze rep said:

At Wyze, we put immense value in our users’ trust in us, and take all security concerns seriously.

We are constantly evaluating the security of our systems and take appropriate measures to protect our customers’ privacy. We appreciated the responsible disclosure provided by Bitdefender on these vulnerabilities. We worked with Bitdefender and patched the security issues in our supported products. These updates are already deployed in our latest app and firmware updates.

That’s all well and good, but it doesn’t answer the question of why Wyze didn’t simply explain the SD card vulnerability in the original, unpatched Wyze Cam and explicitly warn users of the risks.

A wise woman in the technology sector once told me, “We don’t sell toothpaste; we sell trust.” Well, Wyze is now facing a serious credibility gap, and it needs to come clean. An apology is probably in order, too.