Wyze admits 13,000 users could have viewed strangers’ camera feeds – Source: go.theregister.com

Smart home security camera slinger Wyze is telling customers that a cybersecurity “incident” allowed thousands of users to see other people’s camera feeds.

Thanks to a helpful Reg reader who sent a customer email over to us, we know that around 13,000 Wyze users had the opportunity to view events captured by other users’ cameras.

Wyze said of these 13,000, only 1,504 users actually looked at the feeds of others, willfully or not. This represented around 0.25 percent of all users.

The company explained that a Friday outage, which it attributed to “our partner AWS, took down Wyze devices for several hours early Friday morning.” Wyze said it then experienced a “security issue” when cameras came back online. 

During the course of normal operation, Wyze cameras capture “Events” – clips of notable activity caught throughout the day which are stored in the Events section of the Wyze app for users to review at their leisure.

As cameras came back online, the circa 13,000 affected users were able to view Events from other users’ cameras in their own app. Wyze said it immediately revoked users’ access to the Events tab upon realizing the error.

“The incident was caused by a third-party caching client library that was recently integrated into our system,” the email read. 

“This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.”

The company introduced a number of measures to prevent the incident from recurring, including adding a new verification layer before users attempt to view Event videos.

It’s also searching for new client libraries which, once chosen will be “thoroughly stress-tested for extreme events.” Wyze’s system will also bypass caching for checks on user-device relationships until those new client libraries are selected.

“We know this is very disappointing news,” the email went to say. “It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple third-party audits and penetration testing when this event occurred.

“We must do more and be better, and we will. We are so sorry for this incident and are dedicated to rebuilding your trust.

Online discussions held by Wyze customers have been mostly negative toward the company. 

• Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
• Ubiquiti blunder let some folks view others’ security cameras, accounts
• Network died, hard, during company Christmas party, leaving lone techie to fix it
• Eufy security cams ‘ignore cloud opt-out, store unique IDs’ of anyone who walks by

One user, claiming to be a 23-year-old woman, received an email saying her camera was one of the minority that was accessed. She described the experience as one that left her feeling violated, and that she would no longer be using her cameras.

“I’m so disgusted and upset,” she wrote. “I’ve already deleted my account, but I’m feeling so violated.”

Other incensed users have suggested poisoning reviews on iOS and Android app stores, as well as the various Amazon shopping review sections. ®