Want to know why Wyze Cam Baby Monitors are unsafe and why we no longer recommend them? Read on.
Until recently, we had endorsed Wyze Cam models as baby monitors, from the original (now discontinued) Wyze Cam to the current V3. Because of safety concerns we have been monitoring closely, we are now retracting those recommendations.
Although Wyze cameras can be used as baby monitors, they have limitations. One is the red IR light, which may disturb the baby’s sleep. Another is the auto-off behaviour: audio stops streaming when the phone’s screen turns off.
These limitations did not lead us to withdraw our recommendations, because many security camera brands are now used as baby monitors. What truly concerned us was Wyze’s acknowledgment that a security flaw let some users’ private camera feeds be viewed by other people on the internet.
Imagine someone else getting a glimpse of your video feed, perhaps catching you or your family in an awkward moment without your knowledge. Not acceptable at all!
Jay Peters of The Verge first reported in September 2023 that some users had disclosed that Wyze’s web portal had briefly given them access to video footage that was not theirs. Wyze took the portal offline for a time. See the Verge story here.
These security issues are unfortunately common, and the response from Wyze only serves to highlight their insufficient commitment to data security.
Other reputable organizations, such as the NY Times’ Wirecutter and USA Today, also withdrew their recommendation of Wyze security cameras after the September exposé. We are not alone in this decision.
You can also explore the vulnerable baby monitor apps that were recently exposed. I just checked in January 2024 and these apps are still on the Google Play Store and the App Store.
Why Wyze Baby Monitor security vulnerabilities are a big deal:
- Privacy concerns: As mentioned earlier, the thought of someone else spying on your family through your security camera is unsettling and unacceptable. A baby monitor should be a source of peace and reassurance, not a potential threat to your privacy.
- Safety risks: With access to your video feed, an intruder could potentially gain insight into your home’s layout and security measures. This information can be used to plan a break-in or other malicious activities.
- Legal implications: If your video feed is exposed, it could potentially capture sensitive information that should remain private, such as conversations or personal habits. This could lead to legal issues if the footage is shared without consent.
- Baby safety: If the camera can be hijacked, your child’s safety is at risk. An intruder who controls the camera can watch and listen, use its two-way audio to talk to the baby or hurl abuse, and learn when the child is alone, which in the worst case is information a kidnapper could use. This is a terrifying thought for any parent.
- Cybersecurity threats: A weak security system can also make your entire network vulnerable to cyber attacks, putting all of your devices and personal information at risk.
Let’s look at Wyze’s history of weak security practices, its response, and why we ultimately decided not to recommend Wyze for baby monitoring:
Wyze’s Response to Security Issues was not Satisfactory:
After the September exposé, Wyze, through its spokesperson Crosby, released a statement apologizing for the security lapse that exposed its customers’ feeds.
Below is a direct quote from him:
This was a web caching issue and is now resolved. For about 30 minutes this afternoon, a small number of users who used a web browser to log in to their camera on view.wyze.com may have seen cameras of other users who also may have logged in through view.wyze.com during that time frame. The issue DID NOT affect the Wyze app or users that did not log in to view.wyze.com during that time period.
Once we identified the issue we shut down view.wyze.com for about an hour to investigate and fix the issue.
This experience does not reflect our commitment to users or the investments we’ve made over the last few years to enhance security. We are continuing to investigate this issue and will make efforts to ensure it doesn’t happen again. We’re also working to identify affected users.
To give a full account of Wyze’s lack of proper data-safety measures, let me begin with a case that came to light in 2022:
Bitdefender, a cybersecurity research firm, identified three significant vulnerabilities in the first Wyze model (V1), and for roughly three years Wyze knew about them and never fixed them for that model.
According to Bitdefender, it was theoretically possible for someone to gain access to the SD card of a Wyze V1 camera, steal the encryption key, and then watch and download your recordings.
Bitdefender discovered this loophole back in 2019. According to The Verge, Bitdefender contacted Wyze in March 2019 but received no response until November 2020, a delay of one year and eight months. That does not sound like a company rushing to prioritize user safety, does it?
Check out Page 3 of this PDF Report which shows the timelines of the notifications to Wyze regarding the safety issues in Wyze V1 and V2.
That is 20 months of no action or communication from Wyze, roughly 13 times longer than the 45-day default disclosure deadline set by the US-government-funded CERT Coordination Center, a deadline meant to stop vendors from burying bug reports without addressing them.
In January 2022, Wyze announced the discontinuation of the vulnerable Wyze Cam v1 and explicitly stated that it would no longer address security concerns or provide updates for that model. In an email, Wyze said that using the camera after February 1, 2022 would carry greater risk, discouraged its use, and placed the responsibility solely on the user.
From March 2019 to January 2022 is roughly 34 months between the discovery of the vulnerabilities and any communication from Wyze about this grave security risk. A company that sells security cameras should know better: communication is one way to mitigate risk.
Fast-forward to 2023 and Wyze cameras were reported to have ‘accidentally’ exposed users’ live feeds to other users, which Wyze attributed to a web caching problem on its view.wyze.com portal. That was not the first data exposure either: in late 2019 a Wyze database was left unprotected and accessible online.
Watch the Crosbys below explain the controversy with Wyze.
You can also check out our guide where I answer the question: is a Wi-Fi baby monitor safe?
Wyze Cam Vulnerabilities Identified by Bitdefender:
Remote connection authentication bypass:
Bitdefender identified a bug in the client remote-login process that let an attacker bypass authentication without knowing the camera’s “enr” value, the secret a legitimate client must present; the login step uses it to decrypt the client’s login data and returns the result through an IOCtl command with ID 0x2712.
With authentication bypassed, an attacker had complete control over the device, including motion control (pan/tilt), disabling SD recording, and toggling the camera on and off. Chained with the stack buffer overflow described next, it also led to remote code execution (RCE).
RCE from stack buffer overflow:
The camera copies data into a fixed-size stack buffer without checking the destination buffer’s size or the function’s return value, so an attacker who overflows that buffer gets code execution with the highest privileges (root). The attack vector is a malicious firmware update that triggers the overflow.
Unauthenticated access to the contents of the SD card:
The third vulnerability arises when an SD card is inserted into the camera: the card’s contents, including recordings, can be accessed without authentication through the web server on port 80. The cause is that the camera automatically creates a symlink to the card’s mount directory inside the www directory served by that web server. The card’s contents can be listed with the hello.cgi functionality at /cgi-bin/hello.cgi, and the files can then be downloaded under the /SDPath/ path.
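To make the SD-card issue concrete, here is an added C example (not Wyze’s web server code) that recreates the misconfiguration in a temporary directory: a www document root containing a symlink named SDPath that points at a separate “media” directory standing in for the card mount. It then shows the check a web server should make before serving any file, resolving the requested path with realpath() and refusing anything that does not land inside the canonical document root, and a small audit that counts symlinks escaping the root. Directory and file names and contents are constructed for the demo.

```c
/* Added example, not Wyze's web server code. Recreates the SD-card
 * misconfiguration (www/SDPath -> media, where media stands in for the card
 * mount) in a temp directory and shows the containment check a web server
 * should make before serving a file. All names and contents are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* mkdtemp, realpath, symlink, lstat on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>
#include <limits.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

static char g_webroot[PATH_MAX];        /* document root built by setup_fixture() */

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Build <tmp>/www (document root) and <tmp>/media (the "SD card"), plus the
 * symlink www/SDPath -> media that the camera firmware created. Idempotent;
 * returns the document root or NULL on failure. */
const char *setup_fixture(void) {
    if (g_webroot[0] != '\0') return g_webroot;
    const char *base = getenv("TMPDIR") != NULL ? getenv("TMPDIR") : "/tmp";
    char tmpl[PATH_MAX], www[PATH_MAX], media[PATH_MAX], p[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/sdpath-demo-XXXXXX", base);
    if (mkdtemp(tmpl) == NULL) return NULL;
    snprintf(www, sizeof www, "%s/www", tmpl);
    snprintf(media, sizeof media, "%s/media", tmpl);
    if (mkdir(www, 0755) != 0 || mkdir(media, 0755) != 0) return NULL;
    snprintf(p, sizeof p, "%s/index.html", www);
    if (write_file(p, "<html>ok</html>\n") != 0) return NULL;
    snprintf(p, sizeof p, "%s/rec.mp4", media);
    if (write_file(p, "constructed recording bytes\n") != 0) return NULL;
    snprintf(p, sizeof p, "%s/SDPath", www);
    if (symlink(media, p) != 0) return NULL;   /* the bug: mount linked into webroot */
    snprintf(g_webroot, sizeof g_webroot, "%s", www);
    return g_webroot;
}

/* Is `real` equal to or below `root_real`? (Not just a string prefix, so
 * /srv/www2 is not treated as inside /srv/www.) */
static int inside_root(const char *root_real, const char *real) {
    size_t n = strlen(root_real);
    if (strncmp(real, root_real, n) != 0) return 0;
    return real[n] == '\0' || real[n] == '/';
}

/* Containment check: 1 = safe to serve, 0 = refuse (missing or escapes the
 * root), -1 = setup error. realpath() follows symlinks, so a request for
 * /SDPath/rec.mp4 resolves to .../media/rec.mp4 and is refused even though
 * the request path looks local to the document root. */
int check_request(const char *root, const char *req) {
    char root_real[PATH_MAX], target[PATH_MAX], target_real[PATH_MAX];
    if (realpath(root, root_real) == NULL) return -1;
    if (snprintf(target, sizeof target, "%s/%s", root, req) >= (int)sizeof target) return -1;
    if (realpath(target, target_real) == NULL) return 0;     /* does not exist */
    return inside_root(root_real, target_real);
}

/* Same check against the fixture's document root. */
int check_fixture_request(const char *req) {
    const char *root = setup_fixture();
    return root != NULL ? check_request(root, req) : -1;
}

/* Audit: count top-level symlinks in root whose target lies outside it (or
 * dangles). On a real device this is the configuration to look for. */
int escaping_symlinks(const char *root) {
    char root_real[PATH_MAX], p[PATH_MAX], real[PATH_MAX];
    if (realpath(root, root_real) == NULL) return -1;
    DIR *d = opendir(root);
    if (d == NULL) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        snprintf(p, sizeof p, "%s/%s", root, e->d_name);
        if (lstat(p, &st) != 0 || !S_ISLNK(st.st_mode)) continue;
        if (realpath(p, real) == NULL || !inside_root(root_real, real)) count++;
    }
    closedir(d);
    return count;
}

int main(void) {
    const char *root = setup_fixture();
    if (root == NULL) return 1;
    printf("GET /index.html     -> %s\n", check_request(root, "/index.html") == 1 ? "serve" : "refuse");
    printf("GET /SDPath/rec.mp4 -> %s\n", check_request(root, "/SDPath/rec.mp4") == 1 ? "serve" : "refuse");
    printf("symlinks escaping %s: %d\n", root, escaping_symlinks(root));
    return 0;
}
```

The containment check is only the second line of defence; the first is not creating the symlink at all and requiring authentication before serving anything. Note that realpath() resolves the whole chain, so the same check also refuses classic ../ traversal such as /../media/rec.mp4.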
Basis for mistrusting Wyze to Fix 2023 Security Issues:
- Slow response: Given that the 2019 vulnerabilities went unacknowledged for 20 months and were never fixed for the V1 model, with Wyze only communicating about them almost three years later, we are not confident that the September 2023 issue will be resolved promptly.
- Breach of trust: The 2019 Wyze data breach severely damaged the company’s reputation and raised concerns about its ability to protect customer data.
- Lack of transparency: Wyze has been criticized for not being transparent enough with their customers, especially regarding security issues. This raises doubts about whether they will fully disclose and address the 2023 security issues.
- Prioritizing new features over security: With Wyze’s focus on releasing new products and features, there is a concern that they may not prioritize addressing security vulnerabilities in their existing products.
- Lack of resources: As a relatively small company, Wyze may not have the resources to quickly and effectively address security issues, which can leave their customers vulnerable to potential cyber-attacks.
- History of security flaws: The 2019 Bitdefender vulnerabilities are not the only security issue Wyze has faced. In December 2019, some user data was exposed because of a misconfigured database. This track record does not inspire confidence in its ability to secure its products.
- Lack of updates for older devices: As time goes by, older versions of Wyze Cam may no longer receive updates and security patches, leaving them vulnerable to any new security threats.
- Adversarial relationships with security researchers: In the past, Wyze has had conflicts with security researchers who reported vulnerabilities in their products. This can discourage researchers from reporting potential issues in the future, further hindering the company’s ability to address security flaws.
Wyze Cam v3 Security Vulnerabilities:
Security researcher Peter Geissler recently uncovered two vulnerabilities in the latest firmware of Wyze Cam v3. These flaws, when combined, can enable remote code execution on vulnerable devices.
The first flaw is an authentication bypass in the ‘iCamera’ daemon, which uses DTLS (Datagram Transport Layer Security) for its connections. The daemon accepts arbitrary Pre-Shared Keys (PSKs) during the DTLS handshake, so an attacker can complete the handshake without knowing the real key.
The second flaw comes into play once the DTLS session is established and the client sends a JSON object. A weakness in the iCamera code that handles this object lets the attacker trigger a stack buffer overflow, writing attacker-controlled data past the end of a buffer on the stack.
Exploiting the second vulnerability, attackers can overwrite the stack, including the saved return address. Because the iCamera binary is built without stack canaries or position-independent execution, nothing detects the overwrite and code addresses are predictable, so they can execute their own code on the camera. Read Peter’s report here.
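As an added illustration (not code from Bitdefender, Peter Geissler, or Wyze’s firmware), here is the bug class behind both the V1 stack overflow described earlier and the v3 iCamera JSON overflow above, in C: a handler that copies a string field out of a JSON-like message into a fixed-size stack buffer without checking the destination size, next to a bounded version that measures the value first and rejects anything that does not fit. The message format, the “name” field, the 32-byte buffer and the hostile message are hypothetical stand-ins constructed for the demo.

```c
/* Added example, not Wyze firmware code. Models the pattern behind the
 * stack buffer overflows discussed above: a fixed-size stack buffer filled
 * from an attacker-controlled field of a JSON-like message with no bound
 * check, next to a bounded version. Message layout, field name and buffer
 * size are hypothetical stand-ins.
 *
 * Build the demo with the protections the v3 binary reportedly lacks:
 *   gcc -fstack-protector-strong -fPIE -pie -o demo demo.c
 */
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32                        /* fixed stack buffer in the handler */

/* Return a pointer to the first character of "key":"<value>", or NULL. */
static const char *find_value(const char *json, const char *key) {
    char pat[64];
    if (snprintf(pat, sizeof pat, "\"%s\":\"", key) >= (int)sizeof pat) return NULL;
    const char *p = strstr(json, pat);
    return p != NULL ? p + strlen(pat) : NULL;
}

/* VULNERABLE: copies until the closing quote and never compares the length
 * against NAME_CAP. A value longer than 31 bytes runs past the buffer into
 * the saved registers and return address; without a canary nothing notices,
 * and without PIE the attacker knows which address to return into. */
void get_name_vulnerable(const char *json) {
    char name[NAME_CAP];
    const char *v = find_value(json, "name");
    if (v == NULL) return;
    size_t i = 0;
    while (v[i] != '\0' && v[i] != '"') {  /* no bound on i */
        name[i] = v[i];
        i++;
    }
    name[i] = '\0';
    printf("name = %s\n", name);
}

/* HARDENED: measure the value first, reject unterminated strings, and reject
 * anything that does not fit together with its terminating NUL. */
int get_name_hardened(const char *json, char *out, size_t out_cap) {
    const char *v = find_value(json, "name");
    if (v == NULL || out_cap == 0) return -1;
    const char *end = strchr(v, '"');
    if (end == NULL) return -1;            /* unterminated value */
    size_t n = (size_t)(end - v);
    if (n >= out_cap) return -1;           /* would overflow (or truncate) */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper: the extracted name, or NULL if the message is rejected. */
const char *safe_name(const char *json) {
    static char name[NAME_CAP];
    return get_name_hardened(json, name, sizeof name) == 0 ? name : NULL;
}

/* Constructed hostile message: {"name":"AAAA...(200 bytes)..."} */
const char *hostile_json(void) {
    static char buf[256];
    size_t pos = 0;
    memcpy(buf + pos, "{\"name\":\"", 9); pos += 9;
    memset(buf + pos, 'A', 200);          pos += 200;
    memcpy(buf + pos, "\"}", 3);          /* copies the NUL too */
    return buf;
}

int main(void) {
    const char *benign = "{\"name\":\"nursery cam\"}";   /* constructed */
    get_name_vulnerable(benign);                          /* fits, so it works */
    printf("hardened, benign : %s\n", safe_name(benign));
    printf("hardened, hostile: %s\n",
           safe_name(hostile_json()) != NULL ? "accepted" : "rejected (too long)");
    /* get_name_vulnerable(hostile_json()) would smash the stack: with
     * -fstack-protector it aborts, without it the return address is gone. */
    return 0;
}
```

The fix is not the length check alone: building with stack canaries and PIE (the flags in the header comment) means the same bug is caught at runtime and is far harder to turn into reliable code execution, which is exactly what the page says the v3 iCamera binary is missing.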
Below is a video summary of the vulnerabilities in Wyze Cams:
What this guide tells you about baby safety with cameras:
While baby monitors can be a helpful tool for parents to keep an eye on their little ones, it is important to ensure that the device itself does not pose any security risks. The recent security vulnerabilities discovered in Wyze Cam v3 serve as a reminder of the potential dangers associated with using internet-connected devices as baby monitors.
As mentioned earlier, the two vulnerabilities found in Wyze Cam v3 can be chained into remote code execution, meaning an attacker can take control of the device and access sensitive information: viewing live video and audio from the camera, and using it as a foothold to reach other devices on the same network.
With this in mind, it is important for you to thoroughly research and carefully choose a baby monitor that prioritizes security features. This includes features such as end-to-end encryption and regular software updates to patch any potential vulnerabilities.
Aside from choosing a secure device, there are other steps that parents can take to ensure the safety of their baby while using a camera as a monitor. I have highlighted those safety steps here.
If you want to pick a secure monitor, read this guide on how to pick a safe baby monitor.
You can also check out our reviews of secure Wi-Fi monitors.
About the Author:
Sandra W. Bullock is a highly skilled expert in baby safety, specializing in both indoor and outdoor safety. With her previous experience in retail support, she has successfully assisted numerous parents in installing essential safety equipment such as baby gates, cabinet locks, and outlet covers. Additionally, Sandra has collaborated with various child care facilities, providing valuable safety consultations and comprehensive training to caregivers.