All technology companies routinely face security concerns, working to squash bugs and ensure that any vulnerabilities are closed as soon as possible. There's a reason your phone receives a monthly security patch, and for the most part, it should be the same with all of your other devices. Whether through bug bounty programs or dedicated organizations, all tech companies rely on third parties to report security concerns. Unfortunately, a major player in the smart home ecosystem took much longer than anyone would want to patch significant flaws in its hardware.

Bitdefender published a blog post outlining some security concerns surrounding Wyze, everyone's favorite choice for budget smart home gear. Usually, this matter wouldn't be a cause for concern — an organization reports a vulnerability to the company, the manufacturer takes action to close it, and once it's safe, that first group can report its findings. In this case, Bitdefender did wait for Wyze to lock down its gadgets — it just took almost three years for the vulnerability to be entirely fixed. Since the publication's report, Wyze has released a statement. Wyze says, "We have fixed these issues and no longer consider this ongoing after the release of the final critical security updates for the last of the local vulnerabilities found in the report in February 2022."

According to Bitdefender, the group wanted to report its findings after 90 days — the standard timeframe most infosec experts wait before taking their research public. But smart home gear can be tricky, especially since it usually provides potential attackers with access to a camera and microphone right inside your home. The company contacted Wyze back in March of 2019, but when June rolled around — the end of that 90-day window — it hadn't been fixed. Wyze says, "We issued the first patch in the month following our notification, and over time we continued to mitigate the risk of these exploits with additional patches in the months that followed." As Wyze has confirmed, it didn't consider the vulnerability fully fixed until an update in February 2022.

To make matters worse, the vulnerabilities reported by Bitdefender are about as bad as you could imagine for a smart cam manufacturer. Although Wyze's cameras require an authentication process to connect, this group was able to circumvent it entirely, gaining full access to the device. That includes the ability to turn the camera on or off, disable SD card recording, and tilt and pan on supported devices.

Notably, researchers could not bypass the live feed's encryption to view ongoing activities — at least, not without further action. A stack-based buffer overflow allowed for live access when combined with the authentication bypass — basically, a worst-case scenario — while attackers could also view recordings from the SD card through an unauthorized connection on the webserver.

Wyze says, "We first would like to let our users know that these vulnerabilities required some form of local network access. So, you would have had to expose your local network to either the bad actor directly or the Internet at large for these vulnerabilities to be exploitable remotely." That doesn't explain exactly how this vulnerability would be exploited, though. Bitdefender told The Verge, "The remote (from outside the network) attacks require an initial camera ID (it's a completely random and non-predictable string) that can only be acquired if present on the same network as the device. In other words, if someone connects to your home WiFi, they can get that token and, at a later moment, use any of the other working remote exploits to hack your device from their home or wherever else in the world they are."

In the future, Wyze says it wants to respond more quickly to security vulnerabilities. To do so, it has hired a dedicated team of security engineers who, according to the company, "work exclusively on responses to security events and strengthening protection for our users."

The good news here, of course, is that Wyze has fixed these holes in its security — that's why Bitdefender has finally published its white paper. But it's certainly concerning that the group reported these vulnerabilities three years ago, only for these concerns to go unresolved for so long. Even after the patches, not every Wyze user is safe — the company's earliest cameras remain vulnerable. If you're still running a first-gen Wyze Cam — and granted, that's not most people — you should disconnect it and upgrade to a newer model as soon as possible. Support for that model ended in February, and it will not see any future updates. Wyze's response to the issue says, "We strongly suggest that our customers no longer use EOL [end of life] products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam v1 owners to discontinue the use of these products."

UPDATE: 2022/04/01 06:45 EST BY JAMES PECKHAM

Wyze has released an official statement

Wyze has now published a response to the security report. It sets out the company's statement on the security issues, and you can read the response in full here.