Wyze cameras let owners see into a stranger’s home — again


A Wyze exec confirmed a security issue that showed users thumbnails taken from other users’ cameras.


Five months ago, we wrote about how your Wyze webcam might have let strangers peek into your house. Today, it happened again. Wyze cofounder David Crosby confirmed the issue in an email response sent to The Verge, saying, “We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab.”

After an extended outage that Wyze says stemmed from problems with AWS, ten different Redditors reported that their Wyze app showed them images from a security camera that wasn’t their own — giving them glimpses of a stranger’s porch or living room. Some of the videos were from entirely different timezones.

“One of my cameras notified me of an event from inside someone else home with them in it walking around,” begins one post. “I just got a motion detection notification with a picture for someone else’s house that isn’t mine!” reads another.

“So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users…We will also send notification to all Wyze users explaining what happened,” writes Crosby. He linked the issue to overload and corruption of user data after an AWS outage this morning and said that it did not connect live feeds or send videos to the wrong users, just the alert thumbnails.

“As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens,” writes Crosby. You can read his email in its entirety below.

“I’m able to see a random camera I do not have permission for,” reads a similar post in the Wyze forums. “Notification alert for a camera I don’t own,” a second one starts. Six users commented on other people’s Reddit posts to say they, too, were seeing these videos.

The thumbnail issues started after the outage eased around midday Friday. At 1:07PM ET, the company reported, “We are still investigating an issue with the Events Tab and will have another update shortly with further info,” without explaining the issue.

At 2:27PM ET, the company turned off the Events tab entirely: “We are temporarily disabling the Event tab in the Wyze app to investigate a possible security issue and will have it back up soon,” it wrote in a service advisory. The company still made no mention of what the issue might be.

Two years ago, I told you how Wyze swept a security vulnerability under the rug for three years, never notifying its customers that their unpatchable v1 cameras could have theoretically let hackers access video feeds over the internet or that patches were required for later cameras to prevent the same thing.

Last September, The New York Times publicly stopped recommending Wyze cameras following our reporting, noting that Wyze never reached out to its customers or “provided meaningful details about the incident.”

Dave Crosby, Wyze Chief Marketing Officer:

Update: After an AWS outage this morning, our servers got overloaded and it corrupted some user data. We have now identified a security issue where some users were able to see thumbnails of cameras that were not their own in the Events tab. Fortunately, they were not able to view live streams or watch these videos, only the thumbnails were visible.

So far we’ve collected 14 reports of this happening, but we are currently identifying all affected users. These affected users will be notified asap. We will also send notification to all Wyze users explaining what happened.

As soon as we saw these reports we took down the Events tab. We then added in an extra layer of verification for each user before they could see thumbnails. To be extra safe, we are now force logging out all users who have used the Wyze app today to reset tokens.

We will explain in more detail once we finish investigating exactly how this happened and further steps we will take to make sure it doesn’t happen again. Again, we are very sorry for the inconvenience today. Thanks to everyone who helped report incidents and helped get devices back online. Our deepest apologies to everyone affected.

Update February 16th, 2024, 8:11PM ET: Added response from Wyze co-founder Dave Crosby confirming and detailing the problem.


Sean Hollister
