Wyze confirmed in an email to its users that it had suffered a cybersecurity “incident” that allowed many of its connected camera users to see into other people’s camera feeds, potentially potentially spy on others.
This isn’t the first time Wyze, a Seattle-based company that offers smart home products like cameras and doorbells, has encountered a cybersecurity issue like this. In September 2023, Wyze camera users reported seeing camera feeds that were not theirs. According to Wyze, this issue was the result of a web caching issue.
Now this problem is occurring once again, but on a seemingly larger scale. About 13,000 users received thumbnails from cameras that weren’t theirs, and 1,504 of those users enlarged the image. There have also been cases where the thumbnail was attached to a video and the video was displayed.
The user’s point of view
At least 10 people on Reddit reported seeing images on the Wyze app that did not belong to their family. To one person, the image represented a stranger’s porch. Secondly, it was someone else’s living room. Some saw footage from a completely different time zone.
“One of my cameras alerted me to an event that occurred inside someone else’s house walking around. Absolutely no security with Wyze,” read a comment from a Redditor four days ago.
Similar reports have occurred on the Wyze forum.
“I understand there are some issues happening at the moment, however I just received a notification for a camera shake alert for a camera I don’t own,” one user said. “This seems like a serious security flaw and now I’m worried that some notifications from my camera are being sent to other Wyze users.”
According to David Crosby, Wyze co-founder and chief marketing officer, users were seeing these thumbnails of cameras that weren’t theirs in the Events tab of the Wyze app. Once reports of the privacy issue started coming in, the Events tab was removed. Now a new additional layer of verification has been added, Crosby noted, and all users must log out of the Wyze app and reset their tokens if they were active.
“As I mentioned in my other posts, our engineering team has added a new layer of verification between users and event videos to prevent this from happening again,” “WyzeDave” said in a post on the Wyze forum page. “We have also removed the client library and will not use caching until we find a new client library and stress test it for extreme scenarios like we saw on Friday.”
The culprit: a power outage…or is it?
After an Amazon Web Services (AWS) outage occurred in the early hours of the morning, Wyze servers were overloaded which resulted in corruption of some user data and subsequent security issue, according to an email from Crosby obtained by the media. However, AWS did not report an outage during the time the Wyze cameras faced these issues.
“I want to thank everyone who helped us with reports and logs to correctly identify the issue and affected users,” Crosby wrote in the forum post. “This was an incredibly stressful weekend for everyone and we are grateful for your help, and we are so sorry that this happened.”
An investigation is still ongoing, and while Wyze was apparently much more transparent during this cyber incident than the previous one, it’s unclear how this will affect user trust or how the company will prevent something like this from happening again.