this post was submitted on 19 Sep 2023
628 points (98.2% liked)

After six years of reviewing a variety of Wyze security cameras at Wirecutter, we’ve made the decision to suspend our recommendation of them from all our guides.

On September 8, 2023, The Verge reported an incident in which some Wyze customers were able to access live video from other users’ cameras through the Wyze web portal. We reached out to Wyze for details, and a representative characterized the incident as small in scope, saying they “believe no more than 10 users were affected.” Other than a post to its user-to-user online forum, Wyze Communities, and communication to those it says were affected, the company has not reached out to Wyze customers, nor has it provided meaningful details about the incident.

We believe Wyze is acting irresponsibly to its customers. As such, we've made the difficult but unavoidable decision to revoke our recommendation of all Wyze cameras until the company implements meaningful changes to its security and privacy procedures.

The concern is not that Wyze had a security incident—just about every company or organization in the world will probably have to deal with some sort of security trip-up, as we have seen with big banks, the US military, Las Vegas casinos, schools, and even Chick-fil-a. The greater issue is how this company responds to a crisis. With this incident, and others in the past, it’s clear Wyze has failed to develop the sorts of robust procedures that adequately protect its customers the way they deserve.

We spoke about this incident to peers, colleagues, and experts in the field, such as Ari Lightman, professor of digital media and marketing at Carnegie Mellon University; Jen Caltrider, program director at Mozilla’s Privacy Not Included; and Wirecutter senior staff writer Max Eddy. All of them agree the central issue is that Wyze has not proactively reached out to all its customers, nor has it been adequately accountable for its failures. “When these sort of things happen, [the company has to be] very open and transparent with [the] community as to why they screwed up,” Lightman explained. “Then the company has to say, ‘Here’s exactly what we’re going to be doing to rectify any potential situation in the future.’”

If this were the first such incident, we might be less concerned. However, it comes on the heels of a March 2022 Bitdefender study (PDF), which showed that Wyze took nearly three years to fully address specific security vulnerabilities that affected all three models of Wyze Cams. The company did eventually alert customers of the issue, and it notably guided them to stop using the first-generation Wyze Cam because “continued use of the WyzeCam after February 1, 2022 carries increased risk, is discouraged by Wyze, and is entirely at your own risk”—but that was long after the serious vulnerability was first discovered and reported to Wyze, on multiple occasions, without getting a response.

The fundamental relationship between smart-home companies and their customers is founded on trust. No company can guarantee safety and security 100% of the time, but customers need to be confident that those who make and sell these products, especially security devices, are worthy of their trust. Wyze’s inability to meet these basic standards puts its customers and its devices at risk, and also casts doubt on the smart-home industry as a whole.

In order for us to consider recommending Wyze’s cameras again, the company needs to devise and implement more rigorous policies, as most of its competitors already have. They need to be proactive, accountable, and transparent. Here’s what we expect from Wyze in the event of a security incident:

  • Reach out to customers as soon as possible: Send an email to all customers, send push notifications in the app, put out a press release, broadcast in the Wyze Communities online forum.
  • Describe the issue in detail and state precisely who was affected (and who wasn’t).
  • Explain specifically what steps are being taken to aid affected customers and what if any actions the customer needs to take on their own.
  • Follow up with customers to let them know the issue has been resolved.

For anyone who has Wyze cameras and intends to continue using them, we recommend restricting their use to noncritical spaces or activities, such as outdoor locations. If you are looking for an alternative, better camera options are available—even for smart-home users on a budget.

This isn’t the first time Wirecutter has pulled a smart-home device due to concerns over accountability. In 2019, in response to a data breach at Ring, we retracted our endorsement of all of the company’s cameras. We eventually returned to reviewing Ring gear, and in some cases recommended them to our readers, after the company made a series of significant improvements to its programs and policies.

We continue to recommend Wyze lighting, since we consider them lower-risk, lower-impact devices—a security breach of a light bulb, for instance, wouldn’t give someone a view of your living room. Should Wyze change course and adopt more substantial policies like those above, we will be happy to resume testing and considering them for recommendation.

top 50 comments
[–] evatronic@lemm.ee 82 points 1 year ago (1 children)

Remember: When dealing with any IOT device, the "S" is for "Security".

[–] chairman@feddit.nl 5 points 1 year ago

There's no S in IOT!!!!!

Wait.. oh ... 😲

[–] LuckyCharmsNSoyMilk@lemmy.dbzer0.com 76 points 1 year ago* (last edited 1 year ago) (3 children)

Finally. I tossed mine after the incident last year.

EDIT: Wait, they replaced it with a Eufy camera? After the same thing happened with them last year?

[–] Ataraxia@sh.itjust.works 3 points 1 year ago (1 children)

Mine is recording cats on our porch. We are always home and it doesn't catch any audio that matters as we are rarely in the room where that window is. I would never have cameras pointed inside the house where I need privacy. Not even if I had it all hooked up to my own server the last thing I'd want is my private moments recorded lol. Freaking weird.

[–] DigitalFrank@lemmy.world 73 points 1 year ago (1 children)

The article actually names the people they talked to. So rare to see actual journalism rather than the usual lazy "we talked to experts", which is equivalent to "we just made shit up".

[–] theragu40@lemmy.world 27 points 1 year ago

I happily subscribe to the New York Times. I feel it's important to support a major source of actual quality journalism and content.

[–] Fades@lemmy.world 41 points 1 year ago (1 children)

Blows my mind how ready people are to hook up a camera that streams to some fucking company, who the fuck knows what they do with it all. I guess some HR fuck said nobody looks at your data so it must be safe!!

[–] XTornado@lemmy.ml 10 points 1 year ago (3 children)
[–] ours@lemmy.film 14 points 1 year ago

Probably meant PR.

[–] chiliedogg@lemmy.world 4 points 1 year ago

People paying the company for the privilege of handing over their privacy are a resource.

[–] cabron_offsets@lemmy.world 18 points 1 year ago (2 children)

Eh. I feel like being written up in wirecutter is reason enough to avoid those products altogether.

[–] Ertebolle@kbin.social 5 points 1 year ago

Yeah, Bribercutter has really gone downhill since the NYT acquisition

[–] coach@lemmynsfw.com 4 points 1 year ago

100%. I've lost a lot of money to their "recommendations."

[–] reallynotnick@lemmy.world 17 points 1 year ago (7 children)

Are there decent camera systems that allow you to self-host everything?

[–] 0110010001100010@lemmy.world 21 points 1 year ago (3 children)

If you want to self-host you NVR then anything RTSP or ONVIF. I have a combination of Ubiquiti, Reolink, Dahua, and Amcrest cameras. They sit on their own network with no Internet access and can only talk to the NVR. That's not exactly an easy setup though unless you are fairly technical but it is a private one.

[–] Cold_Brew_Enema@lemmy.world 18 points 1 year ago (3 children)

I understood about 7 words of your comment

[–] totallynotarobot@lemmy.world 15 points 1 year ago (1 children)

If someone uses acronyms without explaining them, they're "flexing" and can be ignored.

But this person made it extra confusing by typo-ing "your NVR" as "you NVR," which makes "NVR" seem like a verb.

NVR = Network Video Recorder. A thing that records videos locally from your cameras.

[–] Hyzerflip@lemmy.world 10 points 1 year ago (4 children)

Ubiquiti is who I chose. Everything is self hosted, no service fees, good quality equipment and no extra fees for remote maintenance. The motion and AI detections work very well and of course all the products integrate seamlessly into their UniFi network equipment…BUT it’s more a whole network approach than just cameras.

[–] nobo@lemm.ee 6 points 1 year ago

I have had good luck with Reolink cameras, which, so far, have come with RTSP as a feature by default. They offer a program, which amazingly doesn't require an account be made.

I put custom RTSP firmware on all of my old Wyze cameras and then blocked them from WAN access.

[–] fignewton@lemmy.world 11 points 1 year ago (2 children)

Could someone please recommend an alternative to Wyze Cams?

[–] Reygle@lemmy.world 31 points 1 year ago (18 children)

Yeah - your own wired cameras wired to your own ON PREMISES NVR. Any type of wifi cameras handled by a web portal are completely un-securable and it's not a question of if the company shuts them down, but when.

[–] archomrade@midwest.social 7 points 1 year ago* (last edited 1 year ago) (1 children)

Edit* - someone mentioned Amcrest as an alternative. Not as cheap as Wyze but they have a couple $70 cameras that aren't unreasonable, definitely giving them a try.

It drives me absolutely crazy that there are no cheap NVR cameras in the Wyze price-range. If only I could afford a Unifi camera, I'd do it in a heartbeat, but I don't have several hundred to shell out for the camera and several hundred more for a dream machine.

If there were $30 cameras somewhere that can only be accessed through LAN or PoE connections, I'd absolutely cream my pants over it.

[–] Drewelite@lemmynsfw.com 6 points 1 year ago (2 children)

Amcrest has web apps but you can skip that and set them up over local protocols and use PoE.

[–] Reygle@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

I've used Surevision a number of times and like their gear too, all remotely accessible from mobile/etc but at least they're systems THAT YOU OWN and THAT YOU OPERATE. Since it's impossible to use/test everything I can't say they're any better or worse than others. I always recommend against "cloud" cameras and the people who ignore my recommendation always come back saying they regret it, usually 1-2 years later, but sometimes much sooner.

"Why is my internet speed trash after installing 15 wifi cloud cams?" GEE I WONDER

Spend the money once or spend it every two years hrmmmmm

[–] archomrade@midwest.social 3 points 1 year ago* (last edited 1 year ago)

I will definitely be trying these out, thank you!

[–] olympicyes@lemmy.world 4 points 1 year ago (1 children)

I’m using Unifi. They are OK.

[–] archomrade@midwest.social 7 points 1 year ago (1 children)

Unifi looks amazing, but those cameras and dream machines are so fuckin expensive

[–] Dimand@lemmy.world 7 points 1 year ago (1 children)

Purely anecdotal but in my experience Unifi is overpriced garbage. Had a dream machine die at 13 months and could only get an "it's out of warranty, buy a new one" response. Looking at the internals it was pretty clear they were never designed with any service in mind.

They also force you into plenty of cloud bullshit. They lost my password hash for my local device because they fucked up some cloud transfer. If I didn't have an SSH key I would have been screwed.

It takes a bunch of time and tech know-how but FOSS has been a much better solution. Have an OpenWrt Pi 4 router, TrueNAS server and switched my Wyze cams to OpenMiko firmware. Far better than anything offered by these prosumer companies.

[–] limelight79@lemm.ee 5 points 1 year ago (1 children)

I have Ubiquiti access points and a router, and a TP-Link Omada router. The Unifi interface is more slick, but the Omada interface is good too. And the Omada stuff costs a lot less.

[–] yoz@aussie.zone 10 points 1 year ago (4 children)

The best solution is Reolink DIY on-prem one.

[–] xpinchx@lemmy.world 10 points 1 year ago (2 children)

We have a wyze camera set up in our living room, it's usually turned towards the wall but we flip it around when not home to keep an eye on our doggy.

I was home on sick leave with COVID and noticed the light turn red a couple times. I assumed it was my fiance checking in on me but I asked her and she said it wasn't her. Same thing the next day, I checked my account and it's just me and her that have access. I unplugged that shit.

[–] TurnItOff_OnAgain@lemmy.world 26 points 1 year ago (1 children)

Turning red is the generic "activity" notice. Could be being viewed, could be that it is motion detecting, or person detecting, or whatever.

[–] theredhood@lemm.ee 12 points 1 year ago (1 children)

I had the same confusion wondering why it turns red whenever I'm looking, took a while to realize it's just an event from detection.

[–] Rouxibeau@lemmy.world 9 points 1 year ago

Don't use your ignorance as an excuse to fearmonger.

[–] philodendron@lemdro.id 10 points 1 year ago

I actually had this glitch or something similar. Was staying with a friend when I got an activity alert…but it was from their camera. IIRC all it gave me was a still frame of them standing in front of it. I never bothered reporting it to Wyze. I figured it was some rare glitch because I had given my friend that camera (it was now on their account and not linked to mine).

[–] SeaJ@lemm.ee 10 points 1 year ago (2 children)

They recommended them in the first place? They have always had absolutely garbage security.

[–] teruma@lemmy.world 11 points 1 year ago* (last edited 1 year ago)

They were also the easiest to use offline. I needed internet to set them up, but once they were up, as long as I didn't want to ever use the app, they didn't actually need a connection to operate.

[–] drphungky@lemmy.world 3 points 1 year ago

They used to be good. They were cheap, you could flash them with custom firmware, they were very need friendly. They just gradually got worse and worse though, starting with them wanting to keep you in their app. It's always garbage profit seeking. No one is happy being good to consumers if they can make more money not doing so.

[–] flipthetube@lemmy.world 8 points 1 year ago

Their lighting app is a steaming pile of shit as well.

[–] techtalkf@lemmy.world 8 points 1 year ago

First Eufy and now Wyze, when will people learn?

[–] chalupapocalypse@lemmy.world 8 points 1 year ago

Thanks to this thread I found out reolink is having a sale and now have a bunch of shit on the way, so thanks lol

[–] jeremy_sylvis@midwest.social 6 points 1 year ago

Hikvision has a decent line of chinesium local-only PoE cameras. I've used a few of them with Frigate and Home Assistant with great success.
