Not a Good Look

Full disclosure–a phrase that’s highly relevant to today’s post–here: I have a Wyze camera. We use it for monitoring cats. At various times, it’s been the RufusCam, the LeftyCam, and the MeezerCam. Currently, it’s pointed at the Backyard Bowl, so we can see who shows up to indulge in gooshy fud and catnip.

So, given the background, you can easily understand why I’m rather perturbed by the recent reports of a significant security flaw in Wyze’s equipment.

Brief pause to remedy a potential knowledge gap: Wyze started out making amazingly cheap wi-fi cameras. Where most companies were selling cameras for $100 and up, one could buy a Wyze camera with most of the same features for $20. Obviously, they quickly became popular with people who wanted to keep tabs on pets, property, and progeny.

Wyze has since branched out into related products (video doorbells, door locks, camera accessories, for example)–and some not-so-related products like vacuum cleaners and headphones. Their focus has remained the same, though: most of the same features, but at a fraction of the cost.

A company selling security products should take great care to make sure their products are, you know, secure. Right? Maybe not. The latest reports suggest that Wyze not only knew about a bug for years before they fixed it, but Bitdefender, the security company that found the issue, kept quiet about it as well.

This isn’t the first time Wyze has been involved in security issues. As recently as 2018, there were reports that their cameras were sending information–metadata, if not actual video–to servers in China. Wyze eventually confirmed the reports, but blamed a third party that was part of their backend infrastructure. In 2019, they accidentally removed security features from an internal customer database, leading to information on 2.4 million customers being exposed to the Internet.

To me, this latest failure is the worst. Not because of the severity of the bug. As I understand it, it’s not an over-the-Internet vulnerability; any attacker would need to be close enough to get onto the same wi-fi network as the target camera. My concern is that Wyze sat on the bug for three years before fixing it; even after it was fixed, they didn’t give their customers any information about the bug or how they might have been affected; and, arguably worst, they somehow persuaded Bitdefender* not to release any warning to the world about the bug until after they had finally fixed it.

* Highly annoying: Bitdefender’s much-delayed press release even suggests people should use Bitdefender’s products to identify vulnerable devices on their home networks.

More full disclosure: I recently started using Bitdefender’s “Total Security” software and like it. Ironically, the thing I like most about it is that it gives more information about threats it’s blocking than the anti-malware package I used to use.

As a society, we don’t require companies to reveal security breaches in a timely fashion, or to accept meaningful accountability–“Oopsie, my bad. So sorry we let hackers get your personal information,” is not accepting responsibility, right [insert the name of darn near every company in the world]?

But companies that specialize in security need to be held to a higher standard. They need to keep their clients in the loop when things go bad. And they have to make up for their errors. Not necessarily fines, though in some cases that might be the right thing, but something that makes them share the pain they’ve inflicted on their customers.

I’m not quite ready to toss out my Wyze camera–though I doubt I’ll be buying any more of them–and I’m not uninstalling Total Security either. Yet.

Nor am I urging anyone else to dump Wyze or Bitdefender. But I am considering it, and you should too.